Merge pull request #16 from MenschDankeGmbH/2.0

Properly secure output
torifat · Jun 26, 2014 · fa0a604 · fa0a604 · redd · Jun 27, 2014
2 parents 547d277 + e007f6e
commit fa0a604
Showing 1 changed file with 2 additions and 2 deletions.
diff --git a/View/Helper/MenuBuilderHelper.php b/View/Helper/MenuBuilderHelper.php
@@ -292,9 +292,9 @@ protected function _buildItem(&$item, $pos = -1, &$isActive = false) {
 			$url = '<a title="' . h($item['title']) . '" href="' . $this->Html->url($item['url']) . '"' . $target . $linkClass . '>';
 			if (!empty($item['image'])) {
 				$url .= $this->Html->image($item['image'], array('alt' => $item['title'], 'title' => $item['title']));
-				$url .= '<span class="label">' . __($item['title']) . '</span>';
+				$url .= '<span class="label">' . h(__($item['title'])) . '</span>';
 			} else {
-				$url .= __($item['title']);
+				$url .= h(__($item['title']));
 			}
 			$url .= '</a>';
 		}