From 740c954fb88c45f1737e8c7953fcc49c1498bc64 Mon Sep 17 00:00:00 2001
From: woutersioen
Date: Wed, 15 Jun 2016 17:13:39 +0200
Subject: [PATCH] Fix xss in SpoonForms.
When an action name contained quote characters, the form html breaks and stuff could be injected in there. This is f.e. the case in the backend of Fork CMS. Related issue: https://github.com/forkcms/forkcms/issues/1405
---
spoon/form/form.php | 2 ++
1 file changed, 2 insertions(+)
diff --git a/spoon/form/form.php b/spoon/form/form.php
index 9afde79..c3a527b 100644
--- a/spoon/form/form.php
+++ b/spoon/form/form.php
@@ -982,6 +982,8 @@ public function parse($template)
 */
 public function setAction($action)
 {
+ $action = str_replace('"', '&qout;', $action);
+
 $this->action = (string) $action;
 }
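Review bot: The replacement entity on the first added line is misspelled: `&qout;` is not an HTML entity, so browsers render it literally rather than decoding it back to a quote. The attribute no longer breaks (which is why the XSS appears fixed), but any legitimate quote in an action is corrupted into the text `&qout;`; the line should read `$action = str_replace('"', '&quot;', $action);`. Note also that this encodes at storage time, so `$this->action` now holds an HTML-escaped string and only `"` is covered; if the value is rendered elsewhere, or inside a single-quoted attribute (not visible here), escaping at output with `htmlspecialchars($this->action, ENT_QUOTES, 'UTF-8')` would be the more robust and consistent place for it. The hunk header counts six old lines but only five context lines survive the collapsed layout, so a trailing context line may have been lost; setAction itself is fully contained in the hunk.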