From f5312015a5a5e89b95ef2bd07e496f8474d579c5 Mon Sep 17 00:00:00 2001
From: Giuseppe Criscione <18699708+giuscris@users.noreply.github.com>
Date: Fri, 7 Jun 2024 11:30:16 +0200
Subject: [PATCH] Escape meta attributes to avoid XSS injection

---
 site/templates/partials/meta.php | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/site/templates/partials/meta.php b/site/templates/partials/meta.php
index 6adc076d..cb7b72a7 100644
--- a/site/templates/partials/meta.php
+++ b/site/templates/partials/meta.php
@@ -1,9 +1,9 @@
 <?php foreach ($page->metadata() as $meta) : ?>
     <?php if ($meta->isCharset()) : ?>
-        <meta charset="<?= $meta->content() ?>">
+        <meta charset="<?= $this->escapeAttr($meta->content()) ?>">
     <?php elseif ($meta->isHTTPEquiv()) : ?>
-        <meta http-equiv="<?= $meta->name() ?>" content="<?= $meta->content() ?>">
+        <meta http-equiv="<?= $this->escapeAttr($meta->name()) ?>" content="<?= $this->escapeAttr($meta->content()) ?>">
     <?php else : ?>
-        <meta <?= $meta->prefix() === 'og' ? 'property' : 'name' ?>="<?= $meta->name() ?>" content="<?= $meta->content() ?>">
+        <meta <?= $meta->prefix() === 'og' ? 'property' : 'name' ?>="<?= $this->escapeAttr($meta->name()) ?>" content="<?= $this->escapeAttr($meta->content()) ?>">
     <?php endif ?>
 <?php endforeach ?>
\ No newline at end of file