Fix failure to escape HTML on login page
authorAlex Dehnert <adehnert@mit.edu>
Sat, 19 Mar 2011 07:29:57 +0000 (07:29 +0000)
committerAlex Dehnert <adehnert@mit.edu>
Sat, 19 Mar 2011 07:29:57 +0000 (07:29 +0000)
git-svn-id: svn://sql.mit.edu/sql@189 a142d4bd-2cfb-0310-9673-cb33a7e74f58

tpl/login.php

index a9ce2b5e269e4feb83cd8c87589dbe4e18f31303..17eabb48cda5baf08a4cb763f24adbc27c246beb 100644 (file)
@@ -12,15 +12,15 @@ $thisTxt = isSSL()?' using this Certificate':' using your MySQL Password';
 
 <form method=post action="<?=$URI?>">
 <p>Please enter your MySQL login information:</p>
-<p>username: <input type="text" name="u" value="<?=isset($i_u)?$i_u:''?>"></p>
+<p>username: <input type="text" name="u" value="<?=isset($i_u)?htmlentities($i_u):''?>"></p>
 <p>password: <input type="password" name="p"></p>
 
 <?php elseif (isSSL() && !empty($SSLCred)): ?>
 
 <form method=post action="<?=$URI?>">
-<p>You are identified as: <?=$SSLUsername?></p>
-<p><?=$SSLName?></p>
-<p><?=$SSLEmail?></p>
+<p>You are identified as: <?=htmlentities($SSLUsername)?></p>
+<p><?=htmlentities($SSLName)?></p>
+<p><?=htmlentities($SSLEmail)?></p>
 
 <?php endif; ?>
 
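Review bot: `$URI` is still written unescaped into the `action` attribute on both `<form method=post action="<?=$URI?>">` lines, which this hunk keeps as context while escaping the other outputs. Where `$URI` comes from is not visible here; if it is built from the request URL, it needs the same treatment, e.g. `<form method=post action="<?=htmlspecialchars($URI, ENT_QUOTES, 'UTF-8')?>">` (assuming the page is served as UTF-8). The added `htmlentities()` calls rely on the default flags and charset, which on PHP releases of this period leave single quotes unescaped and assume ISO-8859-1. The double-quoted `value` attribute is covered by that default, but passing `ENT_QUOTES` and the page's actual charset explicitly would keep non-ASCII certificate names intact and make the escaping independent of the attribute quoting style. The enclosing `if`/`elseif` block begins above the hunk.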