From 8ff798f26ab7addac458cd5186155f0abacecca9 Mon Sep 17 00:00:00 2001
From: LivioCavallo <LivioCavallo@users.noreply.github.com>
Date: Mon, 31 Jul 2017 18:05:01 +0200
Subject: [PATCH] Update default_logout.php

Enclose JRoute param in htmlentities to emit valid html.
The getInstance part is right, but params remains unprotected, can emit invalid html!
---
 modules/mod_login/tmpl/default_logout.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/mod_login/tmpl/default_logout.php b/modules/mod_login/tmpl/default_logout.php
index 199d7e4063c57..f7057d9efdd8b 100644
--- a/modules/mod_login/tmpl/default_logout.php
+++ b/modules/mod_login/tmpl/default_logout.php
@@ -11,7 +11,7 @@
 
 JHtml::_('behavior.keepalive');
 ?>
-<form action="<?php echo JRoute::_('index.php', true, $params->get('usesecure')); ?>" method="post" id="login-form" class="form-vertical">
+<form action="<?php echo JRoute::_('index.php', true, htmlentities($params->get('usesecure')) ); ?>" method="post" id="login-form" class="form-vertical">
 <?php if ($params->get('greeting')) : ?>
 	<div class="login-greeting">
 	<?php if ($params->get('name') == 0) : ?>