Fix unescaped user input in error messages
Fix unescaped user input in error messages

--- a/templates/message.tpl
+++ b/templates/message.tpl
@@ -9,7 +9,7 @@
 
 {block name=main}
 
-<div class="message {if $error}error{/if}">{$message}</div>
+<div class="message {if $error}error{/if}">{$message|escape}</div>
 
 {/block}
 
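Review bot: The new `{$message|escape}` line fixes this one output, but it relies on the modifier's default mode, and nothing in the template tells a later editor why the escaping must stay. I would write it as `{$message|escape:'html'}` and put `{* $message can carry user input; must stay HTML-escaped *}` above the div. The modifier applies to every message, not only errors, so any caller that passes intentional markup in `$message` (none is visible in this hunk) will now see it rendered as literal text and should be checked. Other templates that print request-derived values are presumably not covered by this change; if the project is on Smarty 3.1 or later, enabling `escape_html` on the Smarty instance would make escaping the default rather than a per-template habit.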
