Escaping the Values of Meta Tags

Discussions and requests related to new CMSimple features, plugins, templates etc. and how to develop.
Please don't ask for support in these forums!
cmb
Posts: 14225
Joined: Tue Jun 21, 2011 11:04 am
Location: Bingen, RLP, DE

Escaping the Values of Meta Tags

Post by cmb » Tue Sep 18, 2012 3:04 pm

Hello Community,

I've just noticed (again :?), that the values of the meta tags (e.g. keywords, description) and the title of the website are not properly escaped, and will produce invalid (X)HTML, if those contain special characters (i.e. '<', '>', '&', '"'). Of course it could be left to the user to manually escape those characters, but IMO that doesn't make much sense.

The following patch might suffice:


Index: cmsimple/cms.php
===================================================================
--- cmsimple/cms.php    (revision 278)
+++ cmsimple/cms.php    (working copy)
@@ -721,7 +721,7 @@
     global $cf, $print;
     $exclude = array('robots', 'keywords', 'description');
     if ($cf['meta'][$n] != '' && !($print && in_array($n, $exclude)))
-        return tag('meta name="' . $n . '" content="' . $cf['meta'][$n] . '"') . "\n";
+        return tag('meta name="' . $n . '" content="' . htmlspecialchars($cf['meta'][$n], ENT_COMPAT, 'UTF-8') . '"') . "\n";
 }
 
 function ml($i) {
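Review bot: the `+` line in this hunk double-escapes any meta value a user has already entered in escaped form (e.g. `&amp;` becomes `&amp;amp;`), since `htmlspecialchars()` re-encodes existing entities by default; consider passing `false` as the fourth (`double_encode`) argument, i.e. `htmlspecialchars($cf['meta'][$n], ENT_COMPAT, 'UTF-8', false)`, so both raw and pre-escaped values render correctly. `ENT_COMPAT` is sufficient here because the attribute is double-quoted, and `$n` itself comes from the configuration keys rather than user input, so leaving it unescaped is acceptable.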
@@ -946,8 +946,8 @@
 
 function head() {
     global $title, $cf, $pth, $tx, $txc, $hjs;
-    if (isset($cf['site']['title']) && $cf['site']['title'] != '')
-        $t = $cf['site']['title'] . ' - ' . $title; // changed by LM CMSimple_XH 1.1
+    if (!empty($cf['site']['title']))
+        $t = htmlspecialchars($cf['site']['title'], ENT_COMPAT, 'UTF-8') . ' - ' . $title;
     else
         $t = $title;
     $t = '<title>' . strip_tags($t) . '</title>' . "\n"; 
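Review bot: the `+` lines in this hunk escape `$cf['site']['title']` but still concatenate `$title` unescaped, and the unchanged `else` branch assigns `$t = $title` as-is, so a page title containing `&` or `<` still produces invalid markup in the `<title>` element; applying `htmlspecialchars()` to the combined `$t` (after `strip_tags()`) would treat both parts consistently. Note also that replacing `isset(...) && ... != ''` with `!empty(...)` changes behaviour for a site title of `"0"`, which `empty()` treats as unset, and that the `// changed by LM CMSimple_XH 1.1` attribution comment is dropped without explanation.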
Christoph
Christoph M. Becker – Plugins for CMSimple_XH
