Escape meta attributes to avoid XSS injection

getformwork · Jun 7, 2024 · f531201 · f531201
1 parent 257150a
commit f531201
Showing 1 changed file with 3 additions and 3 deletions.
diff --git a/site/templates/partials/meta.php b/site/templates/partials/meta.php
@@ -1,9 +1,9 @@
 <?php foreach ($page->metadata() as $meta) : ?>
     <?php if ($meta->isCharset()) : ?>
-        <meta charset="<?= $meta->content() ?>">
+        <meta charset="<?= $this->escapeAttr($meta->content()) ?>">
     <?php elseif ($meta->isHTTPEquiv()) : ?>
-        <meta http-equiv="<?= $meta->name() ?>" content="<?= $meta->content() ?>">
+        <meta http-equiv="<?= $this->escapeAttr($meta->name()) ?>" content="<?= $this->escapeAttr($meta->content()) ?>">
     <?php else : ?>
-        <meta <?= $meta->prefix() === 'og' ? 'property' : 'name' ?>="<?= $meta->name() ?>" content="<?= $meta->content() ?>">
+        <meta <?= $meta->prefix() === 'og' ? 'property' : 'name' ?>="<?= $this->escapeAttr($meta->name()) ?>" content="<?= $this->escapeAttr($meta->content()) ?>">
     <?php endif ?>
 <?php endforeach ?>