Fixed potential XSS injection vectors in datatables columns

2025-07-10 10:24:31 +02:00 · 2023-02-26 01:23:36 +01:00 · 2023-02-26 01:23:36 +01:00 · 83cd91f1d1
commit 83cd91f1d1
parent 5f39d8e594
6 changed files with 10 additions and 10 deletions
--- a/src/Services/ElementTypeNameGenerator.php
+++ b/src/Services/ElementTypeNameGenerator.php
@ -117,7 +117,7 @@ class ElementTypeNameGenerator
     * It uses getLocalizedLabel to determine the type.
     *
     * @param NamedElementInterface $entity   the entity for which the string should be generated
-     * @param bool                  $use_html If set to true, a html string is returned, where the type is set italic
+     * @param bool                  $use_html If set to true, a html string is returned, where the type is set italic, and the name is escaped
     *
     * @return string The localized string
     *
--- a/src/Services/LogSystem/LogEntryExtraFormatter.php
+++ b/src/Services/LogSystem/LogEntryExtraFormatter.php
@ -193,7 +193,7 @@ class LogEntryExtraFormatter
            }
            if ($context->getInstockChangeType() === PartStockChangedLogEntry::TYPE_MOVE) {
                $array['log.part_stock_changed.move_target'] =
-                    $this->elementTypeNameGenerator->getLocalizedTypeLabel(PartLot::class)
+                    htmlspecialchars($this->elementTypeNameGenerator->getLocalizedTypeLabel(PartLot::class))
                    .' ' . $context->getMoveToTargetID();
            }
        }