From 678f982024074c1ebdf84ebdc4f232129589c7f1 Mon Sep 17 00:00:00 2001
From: Denis Flaven
Date: Tue, 6 May 2014 08:26:54 +0000
Subject: [PATCH] #923: prevent XSS injection in forgot password page. SVN:trunk[3139]
---
 application/loginwebpage.class.inc.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/application/loginwebpage.class.inc.php b/application/loginwebpage.class.inc.php
index 64c85a204..eacdc6a8c 100644
--- a/application/loginwebpage.class.inc.php
+++ b/application/loginwebpage.class.inc.php
@@ -191,7 +191,7 @@ class LoginWebPage extends NiceWebPage
 $this->add("

".Dict::S('UI:Login:ForgotPwdForm+')."

\n");
 if ($bFailedToReset)
 {
- $this->add("

".Dict::Format('UI:Login:ResetPwdFailed', $sFailureReason)."

\n");
+ $this->add("

".Dict::Format('UI:Login:ResetPwdFailed', htmlentities($sFailureReason, ENT_QUOTES, 'UTF-8'))."

\n");
 }
 $sAuthUser = utils::ReadParam('auth_user', '', true, 'raw_data');
 $this->add("
\n");
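Review bot: The context line directly after the fix reads `auth_user` with the `raw_data` filter, and the form that consumes `$sAuthUser` lies outside this hunk, so it is not visible whether that value is encoded when it is written back into the page. If it is placed into an input's `value` attribute as-is, the forgot-password page still reflects unencoded request data even with the failure reason now escaped; it should be encoded at its output point the same way, e.g. `htmlentities($sAuthUser, ENT_QUOTES, 'UTF-8')`. On the changed line a short comment such as `// $sFailureReason may carry request-derived text; encode before inserting into HTML` would record why the call is there. The enclosing method starts and ends outside the hunk, so other `add()` calls in it could not be checked here.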