From 6d1e27a3c49cf43ecc6e75cc068aed34a2c890be Mon Sep 17 00:00:00 2001
From: bnu
Date: Wed, 19 Dec 2007 10:58:56 +0000
Subject: [PATCH] =?UTF-8?q?=EC=9C=84=EC=A0=AF=EC=BD=94=EB=93=9C=20?=
 =?UTF-8?q?=EC=83=9D=EC=84=B1=EC=8B=9C=20htmlspecialchars()=ED=95=A8?=
 =?UTF-8?q?=EC=88=98=EB=A1=9C=20=EC=B2=98=EB=A6=AC=20=ED=9B=84=20=EB=B0=98?=
 =?UTF-8?q?=ED=99=98?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

git-svn-id: http://xe-core.googlecode.com/svn/sandbox@3381 201d5d3c-b55e-5fd7-737f-ddc643e51545
---
 modules/widget/widget.controller.php | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/modules/widget/widget.controller.php b/modules/widget/widget.controller.php
index 66efd79e3..62d6801ad 100644
--- a/modules/widget/widget.controller.php
+++ b/modules/widget/widget.controller.php
@@ -39,8 +39,9 @@
 $attribute = array();
 if($vars) {
 foreach($vars as $key => $val) {
- if(strpos($val,'|@|')>0) $val = str_replace('|@|',',',$val);
- $attribute[] = sprintf('%s="%s"', $key, str_replace('"','\"',$val));
+ if(strpos($val,'|@|') > 0) $val = str_replace('|@|', ',', $val);
+ $val = htmlspecialchars($val);
+ $attribute[] = sprintf('%s="%s"', $key, $val);
 }
 }
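Review bot: The attribute name `$key` is still written into the generated tag unescaped by the new `sprintf('%s="%s"', $key, $val)` line; `htmlspecialchars($val)` covers only the value, so if `$vars` can carry caller-supplied keys, a key containing whitespace, `=` or `>` would close the attribute and the value escaping would not help. Restrict keys to an attribute-name pattern before use, e.g. `if(!preg_match('/^[a-zA-Z0-9_\-]+$/', $key)) continue;`, and pass explicit flags so the result does not depend on PHP's default quote handling and charset: `$val = htmlspecialchars($val, ENT_QUOTES, 'UTF-8');`. The retained `strpos($val,'|@|') > 0` test skips a separator at offset 0; `!== false` appears to be the intended check. The enclosing function and the origin of `$vars` lie outside the hunk, so whether keys are request-controlled cannot be confirmed from here.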