[opw-web] class_lang.php: Escape replacements
- From: Owen Taylor <otaylor src gnome org>
- To: commits-list gnome org
- Cc:
- Subject: [opw-web] class_lang.php: Escape replacements
- Date: Wed, 19 Mar 2014 04:10:34 +0000 (UTC)
commit 1edf180f1e23f28eb4aacc1b385940e791871776
Author: Owen W. Taylor <otaylor fishsoup net>
Date: Tue Mar 18 23:57:15 2014 -0400
class_lang.php: Escape replacements
When substituting into messages, escape special characters for HTML
output for a bit of extra safety.
classes/class_lang.php | 6 +++---
1 files changed, 3 insertions(+), 3 deletions(-)
---
diff --git a/classes/class_lang.php b/classes/class_lang.php
index 6845065..99ff8ec 100644
--- a/classes/class_lang.php
+++ b/classes/class_lang.php
@@ -58,10 +58,10 @@ class lang
global $config, $core, $user;
// Substitute generic data within the laguage files
- $data = str_replace("[[host]]", $core->base_uri(), $data);
+ $data = str_replace("[[host]]", htmlspecialchars($core->base_uri()), $data);
$data = str_replace("[[site_name]]", $config->site_name, $data);
- $data = str_replace("[[username]]", $user->username, $data);
- $data = str_replace("[[timezone]]", date('T'), $data);
+ $data = str_replace("[[username]]", htmlspecialchars($user->username), $data);
+ $data = str_replace("[[timezone]]", htmlspecialchars(date('T')), $data);
// Replace placeholder with values
foreach ($this->lang_vars as $key => $value)
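Review bot: The `[[site_name]]` substitution in the middle of this hunk still inserts `$config->site_name` unescaped while its three neighbours now go through `htmlspecialchars()`; unless the site name is meant to carry markup, it should match: `$data = str_replace("[[site_name]]", htmlspecialchars($config->site_name), $data);`. The bare `htmlspecialchars()` calls also rely on the default flags, which on PHP versions before 8.1 leave single quotes unescaped, so a username placed inside a single-quoted attribute in a language string would not be covered; passing `ENT_QUOTES` and an explicit `'UTF-8'` charset closes that gap. The enclosing method starts before the hunk and the `foreach` over `$this->lang_vars` continues past it, so whether those values are escaped cannot be judged from here.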