From ffba49cc49075d8cbff2cbdda97c904b99c0eb1c Mon Sep 17 00:00:00 2001
From: Tobias Reich <tobias.reich.ich@gmail.com>
Date: Wed, 3 Jun 2015 22:10:38 +0200
Subject: [PATCH] Escape before sending user input

---
 php/modules/misc.php | 24 +++++++++++++++---------
 1 file changed, 15 insertions(+), 9 deletions(-)

diff --git a/php/modules/misc.php b/php/modules/misc.php
index f763144..865d812 100755
--- a/php/modules/misc.php
+++ b/php/modules/misc.php
@@ -89,21 +89,27 @@ function getGraphHeader($database, $photoID) {
 	$url		= $parseUrl['scheme'] . '://' . $parseUrl['host'] . $parseUrl['path'] . '?' . $parseUrl['query'];
 	$picture	= $parseUrl['scheme'] . '://' . $parseUrl['host'] . $parseUrl['path'] . '/../uploads/' . $dir . '/' . $row->url;
 
+	$url		= htmlentities($url);
+	$picture	= htmlentities($picture);
+
+	$row->title			= htmlentities($row->title);
+	$row->description	= htmlentities($row->description);
+
 	$return = '<!-- General Meta Data -->';
-	$return .= '<meta name="title" content="'.$row->title.'">';
-	$return .= '<meta name="description" content="'.$row->description.' - via Lychee">';
-	$return .= '<link rel="image_src" type="image/jpeg" href="'.$picture.'">';
+	$return .= '<meta name="title" content="' . $row->title . '">';
+	$return .= '<meta name="description" content="' . $row->description . ' - via Lychee">';
+	$return .= '<link rel="image_src" type="image/jpeg" href="' . $picture . '">';
 
 	$return .= '<!-- Twitter Meta Data -->';
 	$return .= '<meta name="twitter:card" content="photo">';
-	$return .= '<meta name="twitter:title" content="'.$row->title.'">';
-	$return .= '<meta name="twitter:image:src" content="'.$picture.'">';
+	$return .= '<meta name="twitter:title" content="' . $row->title . '">';
+	$return .= '<meta name="twitter:image:src" content="' . $picture . '">';
 
 	$return .= '<!-- Facebook Meta Data -->';
-	$return .= '<meta property="og:title" content="'.$row->title.'">';
-	$return .= '<meta property="og:image" content="'.$picture.'">';
-	$return .= '<meta property="og:description" content="'.$row->description.' - via Lychee">';
-	$return .= '<meta property="og:url" content="'.$url.'">';
+	$return .= '<meta property="og:title" content="' . $row->title . '">';
+	$return .= '<meta property="og:description" content="' . $row->description . ' - via Lychee">';
+	$return .= '<meta property="og:image" content="' . $picture . '">';
+	$return .= '<meta property="og:url" content="' . $url . '">';
 
 	return $return;