From e04cf94edd37f7357175f2d513062a95c4282e50 Mon Sep 17 00:00:00 2001
From: tracer <tracer@24unix.net>
Date: Thu, 27 Oct 2022 10:53:32 +0200
Subject: [PATCH] added htmlspecialchars for output

---
 src/Repository/AddressRepository.php | 20 ++++++++++++++++++--
 1 file changed, 18 insertions(+), 2 deletions(-)

diff --git a/src/Repository/AddressRepository.php b/src/Repository/AddressRepository.php
index 01e501a..75bb186 100644
--- a/src/Repository/AddressRepository.php
+++ b/src/Repository/AddressRepository.php
@@ -38,7 +38,15 @@ class AddressRepository
             $statement->execute();
             $addresses = [];
             while ($result = $statement->fetch(mode: PDO::FETCH_ASSOC)) {
-                $address = new AddressBookEntry(owner: $result['owner'], first: $result['first'], last: $result['last'], street: $result['street'], zip: $result['zip'], city: $result['city'], phone: $result['phone'], id: $result['id']);
+                $address = new AddressBookEntry(
+                    owner: htmlspecialchars(string: $result['owner']),
+                    first: htmlspecialchars(string: $result['first']),
+                    last: htmlspecialchars(string: $result['last']),
+                    street: htmlspecialchars(string: $result['street']),
+                    zip: htmlspecialchars(string: $result['zip']),
+                    city: htmlspecialchars(string: $result['city']),
+                    phone: htmlspecialchars(string: $result['phone']),
+                    id: htmlspecialchars(string: $result['id']));
                 $addresses[] = $address;
             }
             return $addresses;
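Review bot: The escaping added on the constructor arguments at L20-L27 runs in the repository, so every AddressBookEntry now carries HTML-encoded text instead of the stored values; any consumer that is not an HTML template (a JSON response, an equality check against the database, or an update path that writes the entity back) will see `&amp;`/`&lt;` and, on a write-back, double-encode. The conventional fix is to keep the entity raw and escape at the point of output, e.g. in the template `<?= htmlspecialchars($address->first, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') ?>`, since the right escaping depends on the output context (HTML body, attribute, JS, URL) which the repository cannot know. If the escaping is deliberately kept here, pass the flags and encoding explicitly instead of relying on defaults — on PHP 8.0 the default flag set does not escape single quotes, leaving single-quoted attributes exposed: `htmlspecialchars(string: $result['owner'], flags: ENT_QUOTES | ENT_SUBSTITUTE, encoding: 'UTF-8')`. The enclosing method's signature and closing brace are outside the hunk.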
@@ -60,7 +68,15 @@ class AddressRepository
             $statement->bindParam(param: ':id', var: $id);
             $statement->execute();
             if ($result = $statement->fetch(mode: PDO::FETCH_ASSOC)) {
-                return new AddressBookEntry(owner: $result['owner'], first: $result['first'], last: $result['last'], street: $result['street'], zip: $result['zip'], city: $result['city'], phone: $result['phone'], id: $result['id']);
+                return new AddressBookEntry(
+                    owner: htmlspecialchars(string: $result['owner']),
+                    first: htmlspecialchars(string: $result['first']),
+                    last: htmlspecialchars(string: $result['last']),
+                    street: htmlspecialchars(string: $result['street']),
+                    zip: htmlspecialchars(string: $result['zip']),
+                    city: htmlspecialchars(string: $result['city']),
+                    phone: htmlspecialchars(string: $result['phone']),
+                    id: htmlspecialchars(string: $result['id']));
             } else {
                 return null;
             }
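Review bot: `htmlspecialchars(string: $result['id'])` at L44 turns the id into a string; if AddressBookEntry declares `int $id` and the file runs under strict_types this throws a TypeError, and a numeric primary key never needs HTML escaping in any case, so that argument should stay `id: $result['id']`. If any of the other columns is nullable (phone and street look like candidates, though the schema is not visible here), PDO returns NULL for them and passing NULL to htmlspecialchars is deprecated since PHP 8.1; either coalesce with `?? ''` or, better, leave the entity raw and escape in the view. This hunk repeats the same constructor pattern as the list method above, so whichever approach is chosen should be applied to both to keep the entity's contents consistent. The enclosing method starts before the hunk and its closing brace is not shown.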