Commit 7cd6e0b1 authored by Steven Wittens's avatar Steven Wittens

The default form action (request_uri) didn't escape HTML entities (such as &)

parent f1f458dd
......@@ -567,7 +567,7 @@ function format_tag($link, $text) {
}
function form($form, $method = "post", $action = 0, $options = 0) {
return "<form action=\"". ($action ? $action : request_uri()) ."\" method=\"$method\"". ($options ? " $options" : "") .">\n$form</form>\n";
return "<form action=\"". ($action ? $action : htmlentities(request_uri())) ."\" method=\"$method\"". ($options ? " $options" : "") .">\n$form</form>\n";
}
function form_item($title, $value, $description = 0) {
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment