mirror/Part-DB.Part-DB-server
1
0
Fork 1
mirror of https://github.com/Part-DB/Part-DB-server.git synced 2025-07-24 21:05:03 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions

Properly escape user provided data in trans with data to prevent possible XSS attack vectors.

Browse source
This commit is contained in:
Jan Böhmer 2023-02-26 00:52:00 +01:00
parent 6ff60e556e
commit 5f39d8e594
3 changed files with 3 additions and 3 deletions
Download patch file Download diff file Expand all files Collapse all files

2
templates/admin/_delete_form.html.twig
View file

@ -1,5 +1,5 @@
<form method="post" class="" action="{{ entity_url(entity, 'delete') }}" {{ stimulus_controller('elements/delete_btn') }} {{ stimulus_action('elements/delete_btn', "submit", "submit") }}
data-delete-title="{% trans with {'%name%': entity.name }%}entity.delete.confirm_title{% endtrans %}"
data-delete-title="{% trans with {'%name%': entity.name|escape }%}entity.delete.confirm_title{% endtrans %}"
data-delete-message="{% trans %}entity.delete.message{% endtrans %}">
<input type="hidden" name="_method" value="DELETE">
<input type="hidden" name="_token" value="{{ csrf_token('delete' ~ entity.id) }}">