Merge pull request #2129 from owncloud/don't-sanitize-error-message

Don't sanitize error message hint
12 years ago · 3213331f73
parent 145fb18042 cfb10dc58c
commit 3213331f73
2 changed files with 4 additions and 3 deletions
--- a/core/templates/error.php
+++ b/core/templates/error.php
@ -2,7 +2,7 @@
 	<?php foreach($_["errors"] as $error):?>
 		<li class='error'>
 			<?php p($error['error']) ?><br/>
-			<p class='hint'><?php if(isset($error['hint']))p($error['hint']) ?></p>
+			<p class='hint'><?php if(isset($error['hint']))print_unescaped($error['hint']) ?></p>
 		</li>
 	<?php endforeach ?>
 </ul>
--- a/lib/template.php
+++ b/lib/template.php
@ -519,12 +519,13 @@ class OC_Template{
 	/**
 		* @brief Print a fatal error page and terminates the script
 		* @param string $error The error message to show
-		* @param string $hint An option hint message
+		* @param string $hint An optional hint message 
+		* Warning: All data passed to $hint needs to get sanitized using OC_Util::sanitizeHTML
 		*/
 	public static function printErrorPage( $error_msg, $hint = '' ) {
 		$content = new OC_Template( '', 'error', 'error' );
 		$errors = array(array('error' => $error_msg, 'hint' => $hint));
-		$content->assign( 'errors', $errors, false );
+		$content->assign( 'errors', $errors );
 		$content->printPage();
 		die();
 	}