fix proper escaping of label titles (closes #255)

1 files changed, 4 insertions, 2 deletions

diff --git a/modules/backend-rpc.php b/modules/backend-rpc.php
index 3e4a94340..1a65efc02 100644
--- a/modules/backend-rpc.php
+++ b/modules/backend-rpc.php
@@ -450,7 +450,8 @@
 			$ids = split(",", db_escape_string($_REQUEST["ids"]));
 			$label_id = db_escape_string($_REQUEST["lid"]);
 
-			$label = label_find_caption($link, $label_id, $_SESSION["uid"]);
+			$label = db_escape_string(label_find_caption($link, $label_id, 
+				$_SESSION["uid"]));
 
 			print "<rpc-reply>";
 			print "<info-for-headlines>";
@@ -485,7 +486,8 @@
 			$ids = split(",", db_escape_string($_REQUEST["ids"]));
 			$label_id = db_escape_string($_REQUEST["lid"]);
 
-			$label = label_find_caption($link, $label_id, $_SESSION["uid"]);
+			$label = db_escape_string(label_find_caption($link, $label_id, 
+				$_SESSION["uid"]));
 
 			print "<rpc-reply>";