Properly escape user provided data in trans with data to prevent possible XSS attack vectors.

Jan Böhmer 2023-02-26 00:41:08 +01:00
parent 5b7f44f4ea
commit 6ff60e556e
3 changed files with 4 additions and 4 deletions


@ -3,7 +3,7 @@
{% block content %}
<row>
<columns>
<h4>{% trans with {'%name%': user.fullName} %}email.hi %name%{% endtrans %},</h4>
<h4>{% trans with {'%name%': user.fullName|escape } %}email.hi %name%{% endtrans %},</h4>
{% trans %}email.pw_reset.message{% endtrans %}
<br>
<button class="large expand" href="{{ url('pw_reset_new_pw', {user: user.name, token: token}) }}">{% trans %}email.pw_reset.button{% endtrans %}</button>
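Review bot: The `|escape` added to `user.fullName` in the `<h4>` is a per-call-site fix that nothing in the template explains, so a later `{% trans with %}` carrying user data can miss it again. Symfony does not auto-escape the output of the `trans` tag (only the `|trans` filter), so I would add a comment above the `<h4>` such as `{# trans tag output is not auto-escaped: escape every user-controlled placeholder #}`. If the `email.hi` message contains no markup and autoescape is enabled for this template, the filter form `{{ 'email.hi %name%'|trans({'%name%': user.fullName}) }}` would get the escaping by default instead of by convention. The `content` block continues outside this hunk, and only one of the three changed files is visible here, so the remaining `trans with` uses should be checked the same way.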