The parameter values are captured and stored without conversion of special HTML characters (this is necessary because ; is used as a separator).
When the parameters are used to populate controls in the form, there is still no conversion of special characters. I fixed this by changing the code as follows:
Please note that my code also fixes another compliance error that was reported earlier.
Lines 168-170
foreach($fields as $field) {
$attr .= "<option value=\"$field\"".(($selected_value[$field]==1) ? " selected>" : ">"). $field."</option>\n";
}
changed to
foreach($fields as $field) {
$html_field = htmlspecialchars( $field );
$attr .= "<option value=\"$html_field\"".(($selected_value[$field]==1) ? " selected=\"selected\">" : ">"). $html_field."</option>\n";
}
and lines 175-177
foreach($fields as $field) {
$attr .= "<option value=\"$field\"".(($get_item_value==$field) ? " selected>" : ">"). $field."</option>\n";
}
changed to
foreach($fields as $field) {
$html_field = htmlspecialchars( $field );
$attr .= "<option value=\"$html_field\"".(($get_item_value==$field) ? " selected=\"selected\">" : ">"). $html_field."</option>\n";
}
Regards
Phil
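The following is an added example, not part of Phil's patch or the project's code, that shows the pattern behind both of the changed loops in one self-contained PHP script: values are stored raw because ; is the separator, comparison for the selected state is done on the raw value, and htmlspecialchars is applied only at the point where the value is written into the <option> markup. The function names (render_options, render_options_unescaped), the use of ENT_QUOTES and the sample field names are assumptions made for the example.

```php
<?php
// Added example (not the posted patch). Escaping at output time, comparison on raw values.

/**
 * Render the <option> elements of a <select>.
 * $fields         raw field names, as captured (no HTML conversion at capture time,
 *                 because ';' is the separator in the stored parameter string)
 * $selected_value raw field name => 1 for the entries that should be marked selected
 * The selected check compares the raw $field; only the emitted HTML is escaped.
 */
function render_options(array $fields, array $selected_value): string
{
    $attr = '';
    foreach ($fields as $field) {
        // ENT_QUOTES also escapes single quotes; a defensive choice beyond the posted code.
        $html_field = htmlspecialchars($field, ENT_QUOTES, 'UTF-8');
        $selected = (isset($selected_value[$field]) && $selected_value[$field] == 1)
            ? ' selected="selected"'
            : '';
        $attr .= "<option value=\"$html_field\"$selected>$html_field</option>\n";
    }
    return $attr;
}

/**
 * The pre-fix rendering, kept only to show what goes wrong when a field name
 * containing quotes or angle brackets is written into the markup unescaped.
 */
function render_options_unescaped(array $fields, array $selected_value): string
{
    $attr = '';
    foreach ($fields as $field) {
        $selected = (($selected_value[$field] ?? 0) == 1) ? ' selected="selected"' : '';
        $attr .= "<option value=\"$field\"$selected>$field</option>\n";
    }
    return $attr;
}

// Constructed sample input: a stored parameter string using ';' as separator,
// with one field name that contains characters special to HTML.
$stored = 'id;Cost "net" <EUR>;name';
$fields = explode(';', $stored);
$selected_value = ['Cost "net" <EUR>' => 1];

echo "Unescaped (broken attribute, stray markup):\n";
echo render_options_unescaped($fields, $selected_value), "\n";

echo "Escaped (well-formed, same option still selected):\n";
echo render_options($fields, $selected_value);
```

Running the script prints the second field once with the raw quotes and angle brackets inside the value attribute, and once as &quot; and &lt;/&gt; entities; in both cases the selected attribute is set, because the lookup uses the raw value rather than the escaped one.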