fix prod escaping

2025-10-13 21:13:26 +00:00 · 2018-11-22 14:32:42 +04:00
parent 06e30750e4
commit c58ed45333
4 changed files with 6 additions and 6 deletions
--- a/lib/Alchemy/Phrasea/Controller/Prod/PushController.php
+++ b/lib/Alchemy/Phrasea/Controller/Prod/PushController.php
@@ -597,7 +597,7 @@ class PushController extends Controller

    private function formatUser(User $user)
    {
-        $subtitle = array_filter([$user->getJob(), $user->getCompany()]);
+        $subtitle = array_filter([htmlspecialchars($user->getJob()), htmlspecialchars($user->getCompany())]);

        return [
            'type'         => 'USER',
--- a/lib/classes/record/adapter.php
+++ b/lib/classes/record/adapter.php
@@ -939,7 +939,7 @@ class record_adapter implements RecordInterface, cache_cacheableInterface
            $this->set_data_to_cache(self::CACHE_TITLE, $title);
        }

-        return $title;
+        return htmlspecialchars($title);
    }

    /**
--- a/lib/classes/record/preview.php
+++ b/lib/classes/record/preview.php
@@ -149,7 +149,7 @@ class record_preview extends record_adapter
                        $this->original_item = $element;
                        $sbas_id = $element->getSbasId();
                        $record_id = $element->getRecordId();
-                        $this->name = $Basket->getName();
+                        $this->name = htmlspecialchars($Basket->getName());
                        $number = $element->getOrd();
                        $first = false;
                    }
@@ -169,7 +169,7 @@ class record_preview extends record_adapter
                    if ($element->getOrd() == $pos || $first) {
                        $sbas_id = $element->getSbasId();
                        $record_id = $element->getRecordId();
-                        $this->name = $entry->getTitle();
+                        $this->name = htmlspecialchars($entry->getTitle());
                        $this->original_item = $element;
                        $number = $element->getOrd();
                        $first = false;
--- a/templates/web/prod/WorkZone/Macros.html.twig
+++ b/templates/web/prod/WorkZone/Macros.html.twig
@@ -19,7 +19,7 @@
                <img src='/assets/common/images/icons/basket_push_unread.png' title=''/>
              {% endif %}
              <img src='/assets/common/images/icons/basket.png' title=''/>
-              {{basket.getName()}}
+              {{basket.getName()|e}}
            </span>
          </a>
          <div class="menu">
@@ -99,7 +99,7 @@
              {% else %}
                <img src='/assets/common/images/icons/basket.png' title=''/>
              {% endif %}
-              {{basket.getName()}}
+              {{basket.getName()|e}}
            </span>
          </a>
          <div class="menu">