From 9d471204f7ebb51c3c27131581c2b834315b5e0b Mon Sep 17 00:00:00 2001
From: Giuseppe Criscione <18699708+giuscris@users.noreply.github.com>
Date: Fri, 7 Jun 2024 11:40:35 +0200
Subject: [PATCH] Escape meta attributes to avoid XSS injection

---
 templates/partials/meta.php | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/templates/partials/meta.php b/templates/partials/meta.php
index b78ac0b90..84209f4e6 100644
--- a/templates/partials/meta.php
+++ b/templates/partials/meta.php
@@ -1,9 +1,9 @@
 <?php foreach ($page->metadata() as $meta): ?>
 <?php if ($meta->isCharset()): ?>
-    <meta charset="<?= $meta->content() ?>">
-<?php elseif ($meta->isHTTPEquiv()): ?>
-    <meta http-equiv="<?= $meta->name() ?>" content="<?= $meta->content() ?>">
+    <meta charset="<?= $this->escapeAttr($meta->content()) ?>">
+<?php elseif ($meta->isHTTPEquiv()) : ?>
+    <meta http-equiv="<?= $this->escapeAttr($meta->name()) ?>" content="<?= $this->escapeAttr($meta->content()) ?>">
 <?php else: ?>
-    <meta <?= $meta->prefix() === 'og' ? 'property' : 'name' ?>="<?= $meta->name() ?>" content="<?= $meta->content() ?>">
+    <meta <?= $meta->prefix() === 'og' ? 'property' : 'name' ?>="<?= $this->escapeAttr($meta->name()) ?>" content="<?= $this->escapeAttr($meta->content()) ?>">
 <?php endif; ?>
 <?php endforeach; ?>