fix: escape token for html context (#3966)

author: Dag <me@dvikan.no> 2024-02-09 07:27:16 +0100
committer: GitHub <noreply@github.com> 2024-02-09 07:27:16 +0100
commit: 8a6798a2276026ec8fe06b0056607a6e461cf330 (patch)
tree: ce138be1321ecaefa34cd12f8951cfc84f9ce6e9 /lib
parent: ae2eb2f1d1af63a3068e18e9d85f92f360b60a34 (diff)
download: rss-bridge-8a6798a2276026ec8fe06b0056607a6e461cf330.tar.gz
rss-bridge-8a6798a2276026ec8fe06b0056607a6e461cf330.tar.zst
rss-bridge-8a6798a2276026ec8fe06b0056607a6e461cf330.zip
1 files changed, 2 insertions, 3 deletions
diff --git a/lib/BridgeCard.php b/lib/BridgeCard.php
index e5456f33..c4677b9d 100644
--- a/lib/BridgeCard.php
+++ b/lib/BridgeCard.php
@@ -104,9 +104,8 @@ final class BridgeCard
             <input type="hidden" name="bridge" value="{$bridgeClassName}" />
         EOD;
 
-        if ($token) {
-            // todo: maybe escape the token?
-            $form .= sprintf('<input type="hidden" name="token" value="%s" />', $token);
+        if (Configuration::getConfig('authentication', 'token') && $token) {
+            $form .= sprintf('<input type="hidden" name="token" value="%s" />', e($token));
         }
 
         if (!empty($contextName)) {
author	Dag <me@dvikan.no>	2024-02-09 07:27:16 +0100
committer	GitHub <noreply@github.com>	2024-02-09 07:27:16 +0100
commit	8a6798a2276026ec8fe06b0056607a6e461cf330 (patch)
tree	ce138be1321ecaefa34cd12f8951cfc84f9ce6e9 /lib
parent	ae2eb2f1d1af63a3068e18e9d85f92f360b60a34 (diff)
download	rss-bridge-8a6798a2276026ec8fe06b0056607a6e461cf330.tar.gz rss-bridge-8a6798a2276026ec8fe06b0056607a6e461cf330.tar.zst rss-bridge-8a6798a2276026ec8fe06b0056607a6e461cf330.zip