Proper escape

LiveHelperChat · Dec 25, 2021 · 8f6ddad · 8f6ddad
1 parent e487094
commit 8f6ddad
Show file tree

Hide file tree

Showing 2 changed files with 2 additions and 2 deletions.
diff --git a/lhc_web/design/defaulttheme/tpl/lhchat/avatarbuilder.tpl.php b/lhc_web/design/defaulttheme/tpl/lhchat/avatarbuilder.tpl.php
@@ -63,7 +63,7 @@
                     <?php endforeach; ?>
                 </div>
                 <div class="col-6">
-                    <img width="w-100" id="id_avatar_img" src='<?php echo erLhcoreClassDesign::baseurl('widgetrestapi/avatar')?>/<?php echo htmlspecialchars($id)?>' alt="" title="" />
+                    <img width="w-100" id="id_avatar_img" src='<?php echo erLhcoreClassDesign::baseurl('widgetrestapi/avatar')?>/<?php echo urlencode(htmlspecialchars($id))?>' alt="" title="" />
                 </div>
             </div>
 

diff --git a/lhc_web/modules/lhuser/avatarbuilder.php b/lhc_web/modules/lhuser/avatarbuilder.php
@@ -1,7 +1,7 @@
 <?php
 $tpl = erLhcoreClassTemplate::getInstance('lhchat/avatarbuilder.tpl.php');
 
-$id = $Params['user_parameters']['id'];
+$id = strip_tags($Params['user_parameters']['id']);
 
 $prefix = isset($_GET['prefix']) ? strip_tags($_GET['prefix']) : '';