From c58ed453334a0dd5ae4bd5d0a23a85e65ca36dc2 Mon Sep 17 00:00:00 2001
From: aina-esokia
Date: Thu, 22 Nov 2018 14:32:42 +0400
Subject: [PATCH] fix prod escaping
---
 lib/Alchemy/Phrasea/Controller/Prod/PushController.php | 2 +-
 lib/classes/record/adapter.php | 2 +-
 lib/classes/record/preview.php | 4 ++--
 templates/web/prod/WorkZone/Macros.html.twig | 4 ++--
 4 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/lib/Alchemy/Phrasea/Controller/Prod/PushController.php b/lib/Alchemy/Phrasea/Controller/Prod/PushController.php
index 569537fed3..35b3a3bc42 100644
--- a/lib/Alchemy/Phrasea/Controller/Prod/PushController.php
+++ b/lib/Alchemy/Phrasea/Controller/Prod/PushController.php
@@ -597,7 +597,7 @@ class PushController extends Controller
 private function formatUser(User $user)
 {
- $subtitle = array_filter([$user->getJob(), $user->getCompany()]);
+ $subtitle = array_filter([htmlspecialchars($user->getJob()), htmlspecialchars($user->getCompany())]);
 return [
 'type' => 'USER',
diff --git a/lib/classes/record/adapter.php b/lib/classes/record/adapter.php
index e49904424a..37320f64a3 100644
--- a/lib/classes/record/adapter.php
+++ b/lib/classes/record/adapter.php
@@ -939,7 +939,7 @@ class record_adapter implements RecordInterface, cache_cacheableInterface
 $this->set_data_to_cache(self::CACHE_TITLE, $title);
 }
- return $title;
+ return htmlspecialchars($title);
 }
 /**
diff --git a/lib/classes/record/preview.php b/lib/classes/record/preview.php
index dd0ae0fe43..1c88f6e94e 100644
--- a/lib/classes/record/preview.php
+++ b/lib/classes/record/preview.php
@@ -149,7 +149,7 @@ class record_preview extends record_adapter
 $this->original_item = $element;
 $sbas_id = $element->getSbasId();
 $record_id = $element->getRecordId();
- $this->name = $Basket->getName();
+ $this->name = htmlspecialchars($Basket->getName());
 $number = $element->getOrd();
 $first = false;
 }
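Review bot: `htmlspecialchars()` is called with default flags on the new `$subtitle` line, so on the PHP versions this code targets single quotes are left unescaped (the default was `ENT_COMPAT`) and the encoding falls back to the `default_charset` ini value; the same applies to the new calls in the adapter.php hunk and in both preview.php hunks. If the intent is HTML-safe output in attribute as well as element context, make it explicit: `htmlspecialchars($user->getJob(), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')` and likewise for `getCompany()`. If `getJob()`/`getCompany()` can return null, `htmlspecialchars(null)` yields `''`, which `array_filter` drops exactly as before, so that path is unchanged. formatUser's body continues outside the hunk.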
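Review bot: Escaping inside the title getter means every caller of this accessor now receives HTML entities, including any non-HTML consumer (JSON/API responses, exports, indexing) and any Twig template that renders the title under autoescape, where a raw `&` ends up as `&amp;amp;`; the same placement concern applies to `$this->name` in both preview.php hunks. The Macros.html.twig hunk in this same commit shows the safer pattern, escaping at the output edge with `|e`, so I would either move the escaping to the render sites or, if it must stay here, document the changed contract on the getter with `@return string HTML-escaped title (do not escape again at output)` so callers do not double-encode. The cached value is still raw (the `set_data_to_cache` call above receives the unescaped `$title`), so the escaping is applied per call rather than persisted, which is the right side of that choice but worth a one-line comment. The getter's signature and the rest of its body are outside the hunk.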
@@ -169,7 +169,7 @@ class record_preview extends record_adapter
 if ($element->getOrd() == $pos || $first) {
 $sbas_id = $element->getSbasId();
 $record_id = $element->getRecordId();
- $this->name = $entry->getTitle();
+ $this->name = htmlspecialchars($entry->getTitle());
 $this->original_item = $element;
 $number = $element->getOrd();
 $first = false;
diff --git a/templates/web/prod/WorkZone/Macros.html.twig b/templates/web/prod/WorkZone/Macros.html.twig
index 04f3d3d735..7aa678ba6b 100644
--- a/templates/web/prod/WorkZone/Macros.html.twig
+++ b/templates/web/prod/WorkZone/Macros.html.twig
@@ -19,7 +19,7 @@
 {% endif %}
- {{basket.getName()}}
+ {{basket.getName()|e}}