From 85cb2db48610720dd1eb999795a36c7c10e9257a Mon Sep 17 00:00:00 2001
From: Cerdic <cedric@yterium.com>
Date: Fri, 15 Sep 2017 15:52:34 +0000
Subject: [PATCH] Les arguments passes a _T() et _L() sont securises car ce
 sont souvent des contenus utilisateurs affiches (Jarrod Farncomb)

---
 ecrire/inc/utils.php | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/ecrire/inc/utils.php b/ecrire/inc/utils.php
index 8f6fc8d8f3..e2ac3d1e3f 100644
--- a/ecrire/inc/utils.php
+++ b/ecrire/inc/utils.php
@@ -821,7 +821,15 @@ function _T($texte, $args = array(), $options = array()) {
 function _L($text, $args = array(), $class = null) {
 	$f = $text;
 	if (is_array($args)) {
+		if (!function_exists('interdire_scripts')) {
+			include_spip('inc/texte');
+		}
+		if (!function_exists('echapper_html_suspect')) {
+			include_spip('inc/texte_mini');
+		}
 		foreach ($args as $name => $value) {
+			$value = echapper_html_suspect($value);
+			$value = interdire_scripts($value, -1);
 			if ($class) {
 				$value = "<span class='$class'>$value</span>";
 			}
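Review bot: The escaping added at lines 26–27 is applied to every placeholder value unconditionally, so any caller of _L() that deliberately passes pre-rendered markup (a link, an emphasised fragment) now gets it escaped or stripped; neither the hunk nor the description says this contract change is intended, and the subject names _T() while only _L() is touched in this 8-line patch, so the _T() part is either elsewhere or overstated. The new rule belongs in _L()'s docblock, which sits above the hunk: `// $args are treated as untrusted display text: HTML is escaped and scripts neutralised before interpolation`. The `-1` passed to interdire_scripts() is a magic value at the call site; a short comment naming what that filtering mode selects would help the next reader, and if the two helpers pass non-string values through unchanged that is worth stating too, since $args can carry ints. The enclosing foreach and the body of _L() continue past the end of the hunk.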
-- 
GitLab