diff --git a/phpmyfaq/ajaxservice.php b/phpmyfaq/ajaxservice.php
index 427f87a12e..dca80db2f4 100644
--- a/phpmyfaq/ajaxservice.php
+++ b/phpmyfaq/ajaxservice.php
@@ -200,7 +200,7 @@
 ->setType($type)
 ->setUsername($username)
 ->setEmail($mailer)
- ->setComment(nl2br($comment))
+ ->setComment(nl2br(strip_tags($comment)))
 ->setDate($_SERVER['REQUEST_TIME']);
 
 if ($oComment->addComment($commentEntity)) {
diff --git a/phpmyfaq/src/phpMyFAQ/Comments.php b/phpmyfaq/src/phpMyFAQ/Comments.php
index 695a077057..bf14602ecf 100644
--- a/phpmyfaq/src/phpMyFAQ/Comments.php
+++ b/phpmyfaq/src/phpMyFAQ/Comments.php
@@ -83,7 +83,7 @@ public function getComments(int $id, string $type): string
 $output .= sprintf(
 '<strong><a href="mailto:%s">%s</a></strong>',
 $mail->safeEmail($item->getEmail()),
- $item->getUsername()
+ Strings::htmlentities($item->getUsername())
 );
 $output .= sprintf(' <span class="text-muted">(%s)</span>', $date->format($item->getDate()));
 $output .= ' </div>';
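Review bot: `strip_tags()` on the `->setComment(...)` line is a tag filter, not an HTML escape: it leaves `&`, quotes and stray `<`/`>` untouched, silently drops legitimate text after an unclosed `<` (e.g. "a < b"), and is the kind of blocklist that has historically been bypassable, so the comment body is still not safe to emit as HTML on the strength of this call alone. The second file in this commit already takes the right approach for the username by escaping at output, and the body should be encoded the same way before the line breaks are turned into markup: `->setComment(nl2br(htmlspecialchars($comment, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')))`, or `Strings::htmlentities($comment)` if that helper is in scope here. Because `nl2br()` stores `<br />` inside the persisted value, the stored body cannot simply be escaped again at render time, which is why the encoding has to happen here and before `nl2br()`. The chained statement starts above the hunk, so the origin of `$comment` is not visible in this view.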
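Review bot: The `mailto:%s` placeholder on the `sprintf` format line is an HTML attribute context, and the value feeding it, `$mail->safeEmail($item->getEmail())`, is not visibly HTML-encoded in this hunk; if `safeEmail()` only validates or obfuscates the address rather than escaping it for attribute use, that argument needs the same treatment the commit now gives the username, `Strings::htmlentities($mail->safeEmail($item->getEmail()))`. If `safeEmail()` already escapes, a short comment on that line saying so, `// safeEmail() returns an attribute-safe value`, would save the next reviewer the same question. The enclosing `getComments()` method continues outside the hunk, so how the comment body itself is emitted is not visible here.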