From 5f39d8e59406dd71aaa2dc70b210957d92a43f6d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20B=C3=B6hmer?= <mail@jan-boehmer.de>
Date: Sun, 26 Feb 2023 00:52:00 +0100
Subject: [PATCH] Properly escape user provided data in trans with data to
 prevent possible XSS attack vectors.

---
 src/DataTables/Helpers/PartDataTableHelper.php | 2 +-
 templates/admin/_delete_form.html.twig         | 2 +-
 templates/parts/info/_tools.html.twig          | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/src/DataTables/Helpers/PartDataTableHelper.php b/src/DataTables/Helpers/PartDataTableHelper.php
index c9000283..b13ee813 100644
--- a/src/DataTables/Helpers/PartDataTableHelper.php
+++ b/src/DataTables/Helpers/PartDataTableHelper.php
@@ -67,7 +67,7 @@ class PartDataTableHelper
             '<a href="%s">%s%s</a>',
             $this->entityURLGenerator->infoURL($context),
             $icon,
-            htmlentities($context->getName())
+            htmlspecialchars($context->getName())
         );
     }
 
diff --git a/templates/admin/_delete_form.html.twig b/templates/admin/_delete_form.html.twig
index e6250d57..0423bdca 100644
--- a/templates/admin/_delete_form.html.twig
+++ b/templates/admin/_delete_form.html.twig
@@ -1,5 +1,5 @@
 <form method="post" class="" action="{{ entity_url(entity, 'delete') }}" {{ stimulus_controller('elements/delete_btn') }} {{ stimulus_action('elements/delete_btn', "submit", "submit") }}
-      data-delete-title="{% trans  with {'%name%': entity.name }%}entity.delete.confirm_title{% endtrans %}"
+      data-delete-title="{% trans with {'%name%': entity.name|escape }%}entity.delete.confirm_title{% endtrans %}"
       data-delete-message="{% trans %}entity.delete.message{% endtrans %}">
     <input type="hidden" name="_method" value="DELETE">
     <input type="hidden" name="_token" value="{{ csrf_token('delete' ~ entity.id) }}">
diff --git a/templates/parts/info/_tools.html.twig b/templates/parts/info/_tools.html.twig
index 6fee4aee..3be32f3c 100644
--- a/templates/parts/info/_tools.html.twig
+++ b/templates/parts/info/_tools.html.twig
@@ -29,7 +29,7 @@
 
 <form method="post" class="mt-2" action="{{ entity_url(part, 'delete') }}"
         {{ stimulus_controller('elements/delete_btn') }} {{ stimulus_action('elements/delete_btn', "submit", "submit") }}
-      data-delete-title="{% trans  with {'%name%': part.name }%}part.delete.confirm_title{% endtrans %}"
+      data-delete-title="{% trans with {'%name%': part.name|escape }%}part.delete.confirm_title{% endtrans %}"
       data-delete-message="{% trans %}part.delete.message{% endtrans %}">
     <input type="hidden" name="_method" value="DELETE">
     <input type="hidden" name="_token" value="{{ csrf_token('delete' ~ part.id) }}">