From 12d17734f62ff83a5fd2d82c69c617c3f0d9008d Mon Sep 17 00:00:00 2001
From: Andrew Dolgov <fox@madoka.volgo-balt.ru>
Date: Sat, 13 Jul 2013 22:14:18 +0400
Subject: properly escape feed error message in headlines toolbar

---
 classes/feeds.php | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

(limited to 'classes/feeds.php')

diff --git a/classes/feeds.php b/classes/feeds.php
index 4cace8d5c..def24521a 100644
--- a/classes/feeds.php
+++ b/classes/feeds.php
@@ -63,7 +63,8 @@ class Feeds extends Handler_Protected {
 				truncate_string($feed_title,30)."</a>";
 
 			if ($error) {
-				$reply .= "&nbsp;<img title='$error' src='images/error.png' alt='error' class=\"noborder\" style=\"vertical-align : middle\">";
+				$error = htmlspecialchars($error);
+				$reply .= "&nbsp;<img title=\"$error\" src='images/error.png' alt='error' class=\"noborder\" style=\"vertical-align : middle\">";
 			}
 
 		} else {
-- 
cgit v1.2.3