Add escaping for formInput type attribute

omeka · Dec 3, 2024 · bbce27e · bbce27e
1 parent 09d7e39
commit bbce27e
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/application/views/helpers/FormInput.php b/application/views/helpers/FormInput.php
@@ -44,7 +44,7 @@ public function formInput($name, $value = null, $attribs = null)
             unset($attribs['type']);
         }
 
-        $xhtml = '<input type="' . $type . '"'
+        $xhtml = '<input type="' . $this->view->escape($type) . '"'
                 . ' name="' . $this->view->escape($name) . '"'
                 . ($id === '' ? '' : ' id="' . $this->view->escape($id) . '"')
                 . ' value="' . $this->view->escape($value) . '"'