mirror/Part-DB.Part-DB-server
1
0
Fork 1
mirror of https://github.com/Part-DB/Part-DB-server.git synced 2025-07-04 23:44:33 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions

Fixed potential XSS injection vectors in datatables columns

Browse source
This commit is contained in:
Jan Böhmer 2023-02-26 01:23:36 +01:00
parent 5f39d8e594
commit 83cd91f1d1
6 changed files with 10 additions and 10 deletions
Download patch file Download diff file Expand all files Collapse all files

8
src/DataTables/PartsDataTable.php
View file

@ -177,7 +177,7 @@ final class PartsDataTable implements DataTableTypeInterface
$tmp[] = sprintf(
'<a href="%s">%s</a>',
$this->urlGenerator->listPartsURL($lot->getStorageLocation()),
$lot->getStorageLocation()->getName()
htmlspecialchars($lot->getStorageLocation()->getName())
);
}
@ -192,13 +192,13 @@ final class PartsDataTable implements DataTableTypeInterface
$amount = $context->getAmountSum();
$expiredAmount = $context->getExpiredAmountSum();
$ret = $this->amountFormatter->format($amount, $context->getPartUnit());
$ret = htmlspecialchars($this->amountFormatter->format($amount, $context->getPartUnit()));
//If we have expired lots, we show them in parentheses behind
if ($expiredAmount > 0) {
$ret .= sprintf(' <span title="%s" class="text-muted">(+%s)</span>',
$this->translator->trans('part_lots.is_expired'),
$this->amountFormatter->format($expiredAmount, $context->getPartUnit()));
htmlspecialchars($this->amountFormatter->format($expiredAmount, $context->getPartUnit())));
}
@ -210,7 +210,7 @@ final class PartsDataTable implements DataTableTypeInterface
'label' => $this->translator->trans('part.table.minamount'),
'visible' => false,
'render' => function ($value, Part $context) {
return $this->amountFormatter->format($value, $context->getPartUnit());
return htmlspecialchars($this->amountFormatter->format($value, $context->getPartUnit()));
},
]);