Properly escape user provided data in trans with data to prevent possible XSS attack vectors.

2025-06-20 17:15:51 +02:00 · 2023-02-26 00:41:08 +01:00 · 2023-02-26 00:41:08 +01:00 · 6ff60e556e
commit 6ff60e556e
parent 5b7f44f4ea
3 changed files with 4 additions and 4 deletions
--- a/templates/admin/base_admin.html.twig
+++ b/templates/admin/base_admin.html.twig
@ -37,7 +37,7 @@
                    <fieldset>
                        <legend>
                            {% if entity.ID %}
-                                <strong>{% block edit_title %}{% trans with {'%name': entity.name} %}edit.caption{% endtrans %}{% endblock %}</strong>
+                                <strong>{% block edit_title %}{% trans with {'%name': entity.name|escape } %}edit.caption{% endtrans %}{% endblock %}</strong>
                                {% if timeTravel is defined and timeTravel is not null %}
                                    ({{ timeTravel|format_datetime('short') }})
                                {% endif %}
--- a/templates/mail/pw_reset.html.twig
+++ b/templates/mail/pw_reset.html.twig
@ -3,7 +3,7 @@
 {% block content %}
 <row>
    <columns>
-        <h4>{% trans with {'%name%': user.fullName} %}email.hi %name%{% endtrans %},</h4>
+        <h4>{% trans with {'%name%': user.fullName|escape } %}email.hi %name%{% endtrans %},</h4>
        {% trans %}email.pw_reset.message{% endtrans %}
        <br>
        <button class="large expand" href="{{ url('pw_reset_new_pw', {user: user.name, token: token}) }}">{% trans %}email.pw_reset.button{% endtrans %}</button>
--- a/templates/parts/edit/edit_part_info.html.twig
+++ b/templates/parts/edit/edit_part_info.html.twig
@ -1,12 +1,12 @@
 {% extends "main_card.html.twig" %}

 {% block title %}
-    {% trans with {'%name%': part.name} %}part.edit.title{% endtrans %}
+    {% trans with {'%name%': part.name|escape } %}part.edit.title{% endtrans %}
 {% endblock %}

 {% block card_title %}
    <i class="fas fa-edit fa-fw" aria-hidden="true"></i>
-    {% trans with {'%name%': part.name} %}part.edit.card_title{% endtrans %}
+    {% trans with {'%name%': part.name|escape } %}part.edit.card_title{% endtrans %}
    <b><a href="{{ entity_url(part, 'info') }}" class="text-white">{{ part.name }}</a></b>
    <div class="float-end">
        {% trans %}id.label{% endtrans %}: {{ part.id }} {% if part.ipn is not empty %}(<i>{{ part.ipn }}</i>){% endif %}