diff --git a/controller/Account/RegisterController.php b/controller/Account/RegisterController.php
index da6f83ab0a68dd8e2a08672f894303dce1c8193e..0e234c16be1544e5ae3a7d580001f935fb946dad 100644
--- a/controller/Account/RegisterController.php
+++ b/controller/Account/RegisterController.php
@@ -23,15 +23,15 @@ class RegisterController extends BaseController {
 } else {
 $biodata = new Entity\GenericEntity(array(
 "username" => $this->getArg('username'),
- "name" => $this->getArg('name'),
- "email" => $this->getArg('email'),
- "address" => $this->getArg('address'),
- "phone" => $this->getArg('phone'),
+ "name" => escapeHTML($this->getArg('name')),
+ "email" => escapeHTML($this->getArg('email')),
+ "address" => escapeHTML($this->getArg('address')),
+ "phone" => escapeHTML($this->getArg('phone')),
 ));
 try {
 // Create user.
 $user = new Entity\AccountEntity(array(
- "username" => $this->getArg('username'),
+ "username" => escapeHTML($this->getArg('username')),
 "password" => $this->getArg('password')
 ));
 } catch (Entity\InvalidValueException $e) {
diff --git a/controller/EditController.php b/controller/EditController.php
index c73cb3eada6c7934285a33da46031d5b5ecb77d4..6d917d72ba49f2e3a8b0af67599628f15ab2ea8f 100644
--- a/controller/EditController.php
+++ b/controller/EditController.php
@@ -47,9 +47,9 @@ class EditController extends BaseController {
 //Updating data
 if (isset($this->params["data"]["name"])) {
 $biodata = $model_biodata->findByID($username);
- $biodata->name = $this->getArg('name');
- $biodata->address = $this->getArg('address');
- $biodata->phone = $this->getArg('phone');
+ $biodata->name = escapeHTML($this->getArg('name'));
+ $biodata->address = escapeHTML($this->getArg('address'));
+ $biodata->phone = escapeHTML($this->getArg('phone'));
 //Update profile picture
 if (isset($image_id)) {
diff --git a/framework/lib/util.php b/framework/lib/util.php
index 05c8d0e1e072f6867691cc1060f806119e2181a1..d0096ad7632afc9fb440b7579dae899f3082bfd6 100644
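Review bot: The new code escapes HTML on the way in and stores the escaped form, and it does so inconsistently: in the AccountEntity array the username becomes `escapeHTML($this->getArg('username'))` while the GenericEntity biodata three lines above still stores the raw `$this->getArg('username')`, so an input containing `<` or `>` yields two different usernames for the account and its biodata (EditController later looks the biodata up with `findByID($username)`). Escaping is an output concern; the controller should validate and reject malformed values (a username or email with angle brackets is not valid) and keep the stored data canonical, leaving HTML escaping to the view, as view/biodata.php already does. If escaping at this layer is kept anyway, apply it to every copy of the same field, e.g. `"username" => escapeHTML($this->getArg('username')),` in the GenericEntity array too. The same input-side escaping applies to the EditController hunk, where name, address and phone are escaped before being written back to the biodata record. Both enclosing methods start and end outside their hunks.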
--- a/framework/lib/util.php
+++ b/framework/lib/util.php
@@ -23,5 +23,8 @@ function alert($message) {
 echo "<script type=\"text/javascript\">alert('$message')</script>";
 }
+function escapeHTML($html) {
+ return str_replace(">", ">", str_replace("<", "<", $html));
+}
 ?>
\ No newline at end of file
diff --git a/view/biodata.php b/view/biodata.php
index b18743ae18b17210043ca96f296d2438548d48bd..a1ebc20c4f065aac3151008cd0e462360c86fd45 100644
--- a/view/biodata.php
+++ b/view/biodata.php
@@ -49,7 +49,7 @@
 <td><img class="icon" src="assets/image/address.png" ></td>
 <td class="data_type">Address </td>
 <td><?php
- $text = str_replace(">", ">", str_replace("<", "<", $data["address"]));
+ $text = escapeHTML($data["address"]);
 echo $text;
 ?></textarea></td>
 </tr>
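Review bot: escapeHTML only rewrites `<` and `>`, so `&`, `"` and `'` pass through unchanged and any value placed inside an attribute (the biodata view already emits data next to `src="..."` attributes) can still break out of it; the standard function handles every context-relevant character, `return htmlspecialchars($html, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');`. As shown on this page the replacement strings are identical to the search strings (`">", ">"`), which would make the function a no-op; that is presumably `&gt;`/`&lt;` lost in rendering, but worth confirming against the real source. The signature should also be typed, `function escapeHTML(string $html): string`, since str_replace on a null argument from getArg is deprecated behaviour on PHP 8.1+. A one-line docblock stating that the result is safe only for HTML text and attribute content, not JavaScript or URL contexts, would prevent callers from reusing it for the `alert()` string above.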
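Review bot: Escaping at the point of output is the right layer, but on the new side the same fields are now also escaped in RegisterController and EditController before being stored, so the value reaching `escapeHTML($data["address"])` here may already be encoded; today's escapeHTML leaves `&` alone so nothing visibly doubles, but the moment it is replaced by htmlspecialchars (which also encodes `&`) stored `&lt;` becomes `&amp;lt;` on every page load. Keep the escaping in the view only, and have it cover the other fields this template prints, not just address. The `?></textarea></td>` close on the following context line has no matching `<textarea>` in the hunk; if that is the whole cell it is a pre-existing markup error worth fixing while touching this line.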