HTML-escape IMPRINT_TEXT to prevent the admin from breaking the HTML output

yahesh · yahesh · commit c3a6ae52298c · 2020-07-16T15:22:17.000+02:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,6 +1,7 @@
 # 0.27b0 (2020-07-16)
 
 * introduced `IMPRINT_TEXT` to change the default text of the imprint link
+* HTML-escape `IMPRINT_TEXT` to prevent the admin from breaking the HTML output
 * updated jQuery to version 3.5.1
 
 # 0.26b0 (2020-05-07)
diff --git a/template/header.php b/template/header.php
@@ -41,7 +41,7 @@
             <li<?php if (empty(SECRET_URI)) { ?> class="active"<?php } ?>><a href="/">Share a secret.</a></li>
             <li<?php if (0 === strcmp(SECRET_URI, HOW_PAGE_NAME)) { ?> class="active"<?php } ?>><a href="/how">How does this service work?</a></li>
             <li<?php if (0 === strcmp(SECRET_URI, PUB_PAGE_NAME)) { ?> class="active"<?php } ?>><a href="/pub">Download the public key.</a></li>
-            <li<?php if (0 === strcmp(SECRET_URI, IMPRINT_PAGE_NAME)) { ?> class="active"<?php } ?>><a href="/imprint"><?= (defined("IMPRINT_TEXT") && (null !== IMPRINT_TEXT)) ? IMPRINT_TEXT : "Who provides this service?" ?></a></li>
+            <li<?php if (0 === strcmp(SECRET_URI, IMPRINT_PAGE_NAME)) { ?> class="active"<?php } ?>><a href="/imprint"><?= (defined("IMPRINT_TEXT") && (null !== IMPRINT_TEXT)) ? html(IMPRINT_TEXT) : "Who provides this service?" ?></a></li>
           </ul>
         </div>
       </div>
