This repository was archived by the owner on Jun 18, 2024. It is now read-only.
This repository was archived by the owner on Jun 18, 2024. It is now read-only.
HTML render should be escaped #21
Description
The render_html() method does not sanitize outputs. If a database field contains <script>alert(1)</script>, this will lead to code execution in the user's browser.
Simple fix, change from this:
echo "\t<td>$cell</td>\n";
...to this:
$cell = htmlspecialchars($cell);
echo "\t<td>$cell</td>\n";