diff --git a/src/DataTables/Column/EntityColumn.php b/src/DataTables/Column/EntityColumn.php
index d48d6da1..4ccc2ce4 100644
--- a/src/DataTables/Column/EntityColumn.php
+++ b/src/DataTables/Column/EntityColumn.php
@@ -79,7 +79,7 @@ class EntityColumn extends AbstractColumn
return sprintf(
'%s',
$this->urlGenerator->listPartsURL($entity),
- $entity->getName()
+ htmlspecialchars($entity->getName())
);
}
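Review bot: The new escaping relies on htmlspecialchars()' default flags, which on PHP versions before 8.1 are ENT_COMPAT and leave single quotes unescaped, so the robust form is `htmlspecialchars($entity->getName(), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')`; the same applies to every other htmlspecialchars() call this commit adds (SIUnitNumberColumn, PartsDataTable, ProjectBomEntriesDataTable, LogEntryExtraFormatter). The value from `listPartsURL($entity)` goes into the same sprintf() template without escaping; the template shown is only `'%s'` for two arguments, so the anchor markup appears to have been stripped from this rendering, and if the URL lands in an href attribute it should be escaped the same way so a quote or `&` in the generated URL cannot break the attribute. The enclosing method begins before this hunk.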
diff --git a/src/DataTables/Column/SIUnitNumberColumn.php b/src/DataTables/Column/SIUnitNumberColumn.php
index a66bc868..bc9d866f 100644
--- a/src/DataTables/Column/SIUnitNumberColumn.php
+++ b/src/DataTables/Column/SIUnitNumberColumn.php
@@ -50,6 +50,6 @@ class SIUnitNumberColumn extends AbstractColumn
return '';
}
- return $this->formatter->format((float) $value, $this->options['unit'], $this->options['precision']);
+ return htmlspecialchars($this->formatter->format((float) $value, $this->options['unit'], $this->options['precision']));
}
}
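Review bot: The reason the escaping belongs here rather than in the template is not visible in the code, and a later maintainer may well remove it as redundant; a one-line comment above the return, e.g. `// The DataTable inserts this value as raw HTML, so escape the formatted number here.`, would pin that down (hedged: I infer the raw-HTML behaviour from the fact that escaping was needed at all). The method begins before this hunk.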
\ No newline at end of file
diff --git a/src/DataTables/PartsDataTable.php b/src/DataTables/PartsDataTable.php
index f38215e3..d67ed0db 100644
--- a/src/DataTables/PartsDataTable.php
+++ b/src/DataTables/PartsDataTable.php
@@ -177,7 +177,7 @@ final class PartsDataTable implements DataTableTypeInterface
$tmp[] = sprintf(
'%s',
$this->urlGenerator->listPartsURL($lot->getStorageLocation()),
- $lot->getStorageLocation()->getName()
+ htmlspecialchars($lot->getStorageLocation()->getName())
);
}
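Review bot: `$lot->getStorageLocation()` is called twice and dereferenced both times with no null check visible in this hunk; if the surrounding loop already skips lots without a location this is fine, otherwise the `->getName()` call will throw on a null location. Either way, hoisting the call into a local, `$location = $lot->getStorageLocation();`, and using `$location` for both the URL and the escaped name would avoid the double call and make any guard obvious. The enclosing method begins before this hunk and the loop's closing is its last line.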
@@ -192,13 +192,13 @@ final class PartsDataTable implements DataTableTypeInterface
$amount = $context->getAmountSum();
$expiredAmount = $context->getExpiredAmountSum();
- $ret = $this->amountFormatter->format($amount, $context->getPartUnit());
+ $ret = htmlspecialchars($this->amountFormatter->format($amount, $context->getPartUnit()));
//If we have expired lots, we show them in parentheses behind
if ($expiredAmount > 0) {
$ret .= sprintf(' (+%s)',
$this->translator->trans('part_lots.is_expired'),
- $this->amountFormatter->format($expiredAmount, $context->getPartUnit()));
+ htmlspecialchars($this->amountFormatter->format($expiredAmount, $context->getPartUnit())));
}
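Review bot: The translated label from `$this->translator->trans('part_lots.is_expired')` is placed into the same sprintf() template as the now-escaped amount but is not escaped itself, while the LogEntryExtraFormatter hunk in this same commit does escape a translated label; the two places should follow one policy. If translation strings are treated as trusted markup, say so with a comment such as `// Translations are trusted and may contain markup; only the formatted amount is escaped.`, otherwise wrap the trans() result in htmlspecialchars() too. The format string shown here (`' (+%s)'` with two arguments) suggests the markup was stripped from this rendering, so the exact context of the label cannot be confirmed from the hunk.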
@@ -210,7 +210,7 @@ final class PartsDataTable implements DataTableTypeInterface
'label' => $this->translator->trans('part.table.minamount'),
'visible' => false,
'render' => function ($value, Part $context) {
- return $this->amountFormatter->format($value, $context->getPartUnit());
+ return htmlspecialchars($this->amountFormatter->format($value, $context->getPartUnit()));
},
]);
diff --git a/src/DataTables/ProjectBomEntriesDataTable.php b/src/DataTables/ProjectBomEntriesDataTable.php
index 8d7c839d..53b3e10d 100644
--- a/src/DataTables/ProjectBomEntriesDataTable.php
+++ b/src/DataTables/ProjectBomEntriesDataTable.php
@@ -84,7 +84,7 @@ class ProjectBomEntriesDataTable implements DataTableTypeInterface
return round($context->getQuantity());
}
//Otherwise use the unit of the part to format the quantity
- return $this->amountFormatter->format($context->getQuantity(), $context->getPart()->getPartUnit());
+ return htmlspecialchars($this->amountFormatter->format($context->getQuantity(), $context->getPart()->getPartUnit()));
},
])
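Review bot: After this change the render closure returns a float from the `round($context->getQuantity())` branch and a string from the escaped branch, so the return type now depends on which path is taken; casting the first branch, `return (string) round($context->getQuantity());`, keeps the callback consistently string-valued and makes a future `: string` return declaration possible. The closure begins before this hunk.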
@@ -93,7 +93,7 @@ class ProjectBomEntriesDataTable implements DataTableTypeInterface
'orderable' => false,
'render' => function ($value, ProjectBOMEntry $context) {
if($context->getPart() === null) {
- return $context->getName();
+ return htmlspecialchars($context->getName());
}
if($context->getPart() !== null) {
$tmp = $this->partDataTableHelper->renderName($context->getPart());
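Review bot: The second condition, `if($context->getPart() !== null) {`, is always true once the early return on the preceding null check has been taken, so the guard is redundant and can be dropped, leaving `$tmp = $this->partDataTableHelper->renderName($context->getPart());` at closure level. Both `if(` lines also lack the space after the keyword that PSR-12 expects, `if ($context->getPart() === null) {`. The closure continues past the end of this hunk.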
diff --git a/src/Services/ElementTypeNameGenerator.php b/src/Services/ElementTypeNameGenerator.php
index adee61ad..be325320 100644
--- a/src/Services/ElementTypeNameGenerator.php
+++ b/src/Services/ElementTypeNameGenerator.php
@@ -117,7 +117,7 @@ class ElementTypeNameGenerator
* It uses getLocalizedLabel to determine the type.
*
* @param NamedElementInterface $entity the entity for which the string should be generated
- * @param bool $use_html If set to true, a html string is returned, where the type is set italic
+ * @param bool $use_html If set to true, a html string is returned, where the type is set italic, and the name is escaped
*
* @return string The localized string
*
diff --git a/src/Services/LogSystem/LogEntryExtraFormatter.php b/src/Services/LogSystem/LogEntryExtraFormatter.php
index bfdaf379..74eded48 100644
--- a/src/Services/LogSystem/LogEntryExtraFormatter.php
+++ b/src/Services/LogSystem/LogEntryExtraFormatter.php
@@ -193,7 +193,7 @@ class LogEntryExtraFormatter
}
if ($context->getInstockChangeType() === PartStockChangedLogEntry::TYPE_MOVE) {
$array['log.part_stock_changed.move_target'] =
- $this->elementTypeNameGenerator->getLocalizedTypeLabel(PartLot::class)
+ htmlspecialchars($this->elementTypeNameGenerator->getLocalizedTypeLabel(PartLot::class))
.' ' . $context->getMoveToTargetID();
}
}
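Review bot: The escaped type label is concatenated with `$context->getMoveToTargetID()`, which is appended raw; if that getter returns an int this is harmless, but nothing in the hunk shows its type, so either apply the same escaping to it or add a comment stating why it is safe, e.g. `// move target ID is an integer, no escaping needed`. This is also the only place in the commit where a translated label is escaped (PartsDataTable's expired-lot label is not), so the two sites should agree on whether translator output counts as trusted markup. The enclosing method begins before this hunk.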