From dc906bfb0f62455304f6b1eb9b05fabeb4a811e7 Mon Sep 17 00:00:00 2001
From: Sascha Lenk <99041549+sascha988@users.noreply.github.com>
Date: Sat, 25 Feb 2023 22:42:03 +0100
Subject: [PATCH] vulnerability XSS fix

The "trans with" command is not automatically escaping the string, so this is an XSS (Cross-Site Scripting) vulnerability.

Tested string: https://URL-TO-PART-DB-SERVER/de/parts/search?keyword=%22'%3E%3Cqss%20a%3D X147208852Y1_1Z%3E

QUALYS Enterprise WAS Scan Report classifies this as a level 5 security risk
---
 templates/parts/lists/search_list.html.twig | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/templates/parts/lists/search_list.html.twig b/templates/parts/lists/search_list.html.twig
index e4ac30ee..69dae48a 100644
--- a/templates/parts/lists/search_list.html.twig
+++ b/templates/parts/lists/search_list.html.twig
@@ -16,7 +16,7 @@
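Review bot: the hunk at `@@ -16,7 +16,7 @@` in templates/parts/lists/search_list.html.twig has no body in this rendering, so the one-line change cannot be checked against the commit message, which explains the bug (a `trans with` parameter rendered without escaping) but not the fix. Please state in the description what the changed line now does, for example whether the user-supplied keyword is passed through Twig's `escape` filter before interpolation or the message is rendered through an auto-escaped expression instead of the raw `trans` tag, and confirm that any other `trans with` usage in the templates that receives request-controlled values was reviewed for the same pattern.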