From 0e3051bfed50585dc37531f50c9b761d7ce4f20e Mon Sep 17 00:00:00 2001
From: Hypolite Petovan
Date: Mon, 16 Nov 2020 18:18:11 -0500
Subject: [PATCH] Escape user name in introduction fields help text
- HTML help text aren't escaped in the template
---
 src/Module/Notifications/Introductions.php | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/src/Module/Notifications/Introductions.php b/src/Module/Notifications/Introductions.php
index cd59626e68..f3c1ccaa1c 100644
--- a/src/Module/Notifications/Introductions.php
+++ b/src/Module/Notifications/Introductions.php
@@ -23,6 +23,7 @@ namespace Friendica\Module\Notifications;
 use Friendica\Content\ContactSelector;
 use Friendica\Content\Nav;
+use Friendica\Content\Text\BBCode;
 use Friendica\Core\Protocol;
 use Friendica\Core\Renderer;
 use Friendica\Database\DBA;
@@ -122,9 +123,11 @@ class Introductions extends BaseNotifications
 $knowyou = '';
 }
+ $convertedName = BBCode::convert($notification->getName());
+ $helptext = DI::l10n()->t('Shall your connection be bidirectional or not?');
- $helptext2 = DI::l10n()->t('Accepting %s as a friend allows %s to subscribe to your posts, and you will also receive updates from them in your news feed.', $notification->getName(), $notification->getName());
- $helptext3 = DI::l10n()->t('Accepting %s as a subscriber allows them to subscribe to your posts, but you will not receive updates from them in your news feed.', $notification->getName());
+ $helptext2 = DI::l10n()->t('Accepting %s as a friend allows %s to subscribe to your posts, and you will also receive updates from them in your news feed.', $convertedName, $convertedName);
+ $helptext3 = DI::l10n()->t('Accepting %s as a subscriber allows them to subscribe to your posts, but you will not receive updates from them in your news feed.', $convertedName);
 $friend = ['duplex', DI::l10n()->t('Friend'), '1', $helptext2, true];
 $follower = ['duplex', DI::l10n()->t('Subscriber'), '0', $helptext3, false];
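Review bot: `BBCode::convert()` on the new `$convertedName` line is a markup renderer, not an HTML encoder, so any BBCode in the display name would presumably still be turned into markup inside `$helptext2` and `$helptext3`. The name appears to be supplied by the party requesting the connection, and the commit message says the template prints these help texts unescaped, so plain-text encoding fits better: `$escapedName = htmlspecialchars($notification->getName(), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');`. A one-line comment above the assignment would record why it is needed, e.g. `// Help texts are emitted as raw HTML by the template, so the name must be encoded here`. The enclosing method starts and ends outside the hunk, so any other use of `getName()` that reaches the same template cannot be checked from here.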