Properly escape user provided data in trans with data to prevent possible XSS attack vectors.

2025-08-03 17:55:03 +02:00 · 2023-02-26 00:41:08 +01:00 · 2023-02-26 00:41:08 +01:00 · 6ff60e556e
commit 6ff60e556e
parent 5b7f44f4ea
3 changed files with 4 additions and 4 deletions
--- a/templates/parts/edit/edit_part_info.html.twig
+++ b/templates/parts/edit/edit_part_info.html.twig
@ -1,12 +1,12 @@
 {% extends "main_card.html.twig" %}

 {% block title %}
-    {% trans with {'%name%': part.name} %}part.edit.title{% endtrans %}
+    {% trans with {'%name%': part.name|escape } %}part.edit.title{% endtrans %}
 {% endblock %}

 {% block card_title %}
    <i class="fas fa-edit fa-fw" aria-hidden="true"></i>
-    {% trans with {'%name%': part.name} %}part.edit.card_title{% endtrans %}
+    {% trans with {'%name%': part.name|escape } %}part.edit.card_title{% endtrans %}
    <b><a href="{{ entity_url(part, 'info') }}" class="text-white">{{ part.name }}</a></b>
    <div class="float-end">
        {% trans %}id.label{% endtrans %}: {{ part.id }} {% if part.ipn is not empty %}(<i>{{ part.ipn }}</i>){% endif %}