Fixed potential XSS injection vectors in datatables columns

This commit is contained in:
Jan Böhmer 2023-02-26 01:23:36 +01:00
parent 5f39d8e594
commit 83cd91f1d1
6 changed files with 10 additions and 10 deletions


@ -84,7 +84,7 @@ class ProjectBomEntriesDataTable implements DataTableTypeInterface
return round($context->getQuantity());
}
//Otherwise use the unit of the part to format the quantity
return $this->amountFormatter->format($context->getQuantity(), $context->getPart()->getPartUnit());
return htmlspecialchars($this->amountFormatter->format($context->getQuantity(), $context->getPart()->getPartUnit()));
},
])
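Review bot: The htmlspecialchars() added on the formatted-quantity return relies on the default flags and charset, which differ by PHP version (before 8.1 the default was ENT_COMPAT, so single quotes in the formatted string stay unescaped; the UTF-8 default only arrived in 8.0), so the escaping strength depends on the runtime rather than the code. Pass them explicitly: `return htmlspecialchars($this->amountFormatter->format($context->getQuantity(), $context->getPart()->getPartUnit()), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');`. The same applies to the `htmlspecialchars($context->getName())` call in the second hunk of this file, and presumably to the other files of this commit. The enclosing render closure starts outside the hunk; the earlier `return round($context->getQuantity());` in it yields a float, so it needs no escaping.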
@ -93,7 +93,7 @@ class ProjectBomEntriesDataTable implements DataTableTypeInterface
'orderable' => false,
'render' => function ($value, ProjectBOMEntry $context) {
if($context->getPart() === null) {
return $context->getName();
return htmlspecialchars($context->getName());
}
if($context->getPart() !== null) {
$tmp = $this->partDataTableHelper->renderName($context->getPart());