Properly escape user provided data in trans with data to prevent possible XSS attack vectors.

2025-08-04 02:05:16 +02:00 · 2023-02-26 00:52:00 +01:00 · 2023-02-26 00:52:00 +01:00 · 5f39d8e594
commit 5f39d8e594
parent 6ff60e556e
3 changed files with 3 additions and 3 deletions
--- a/templates/parts/info/_tools.html.twig
+++ b/templates/parts/info/_tools.html.twig
@ -29,7 +29,7 @@

 <form method="post" class="mt-2" action="{{ entity_url(part, 'delete') }}"
        {{ stimulus_controller('elements/delete_btn') }} {{ stimulus_action('elements/delete_btn', "submit", "submit") }}
-      data-delete-title="{% trans  with {'%name%': part.name }%}part.delete.confirm_title{% endtrans %}"
+      data-delete-title="{% trans with {'%name%': part.name|escape }%}part.delete.confirm_title{% endtrans %}"
      data-delete-message="{% trans %}part.delete.message{% endtrans %}">
    <input type="hidden" name="_method" value="DELETE">
    <input type="hidden" name="_token" value="{{ csrf_token('delete' ~ part.id) }}">