From 5ba0f7048556e237dc1117363cf95ca5a0b2507f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?C=C3=B4me=20Chilliet?= <come@opensides.be>
Date: Wed, 10 Oct 2018 08:58:18 +0200
Subject: [PATCH] :ambulance: fix(msg_dialog) Escape HTML in error dialogs
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
We’ll need to check there is no error message which actually needs HTML. issue #5907
---
 ihtml/themes/breezy/msg_dialog.tpl | 4 ++--
 include/class_msg_dialog.inc | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/ihtml/themes/breezy/msg_dialog.tpl b/ihtml/themes/breezy/msg_dialog.tpl
index a10127140..1189491b2 100644
--- a/ihtml/themes/breezy/msg_dialog.tpl
+++ b/ihtml/themes/breezy/msg_dialog.tpl
@@ -41,12 +41,12 @@
 {elseif $i_Type == $smarty.const.INFO_DIALOG || $i_Type == $smarty.const.CONFIRM_DIALOG}
 <img src="geticon.php?context=status&icon=dialog-information&size=32" class="center" alt="{t}Information{/t}"/>
 {/if}
- {$s_Title}
+ {$s_Title|escape}
 </h2>
 </div>
 <div style="z-index:250;width:100%;">
- {$s_Message}
+ {$s_Message|escape}
 </div>
 <div class="plugbottom">
 {if $s_Trace != "" && $i_TraceCnt != 0}
diff --git a/include/class_msg_dialog.inc b/include/class_msg_dialog.inc
index 911606ffb..f14e6acaf 100644
--- a/include/class_msg_dialog.inc
+++ b/include/class_msg_dialog.inc
@@ -172,8 +172,8 @@ class msg_dialog
 <img src="geticon.php?context=status&icon=dialog-error&size=32" alt="'._('Error').'"/>
 </td>
 <td style="width:100%">
- <b>'.$this->s_Title.'</b><br/>
- '.$this->s_Message.'<br><br/>
+ <b>'.htmlentities($this->s_Title, ENT_COMPAT, 'UTF-8').'</b><br/>
+ '.htmlentities($this->s_Message, ENT_COMPAT, 'UTF-8').'<br><br/>
 '._('Please fix the above error and reload the page.').'
 </td>
 </tr>
-- GitLab
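Review bot: Escaping `{$s_Title|escape}` and `{$s_Message|escape}` at render time turns both variables into plain-text fields, but nothing in the template records that contract. A caller that already encodes its message will now be shown double-encoded, and one that passes markup will show literal tags. A Smarty comment above the title, for example `{* s_Title and s_Message are plain text and are escaped here; callers must not pre-encode them *}`, would make the rule visible to anyone adding a new dialog. The `$s_Trace` block that opens at the end of this hunk belongs to the same dialog and its output lies outside the hunk, so it is worth confirming that it does not print request-derived data unescaped.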
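Review bot: `htmlentities()` called with only `ENT_COMPAT` returns an empty string when its input is not valid UTF-8, so a title or message carrying a stray byte would render as a blank error here. `ENT_COMPAT` also leaves single quotes unencoded, which differs from the quote handling of Smarty's `escape` modifier used in msg_dialog.tpl. Writing `htmlentities($this->s_Title, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')`, and the same for `$this->s_Message`, keeps the text visible and makes both render paths encode the same characters. `ENT_SUBSTITUTE` needs PHP 5.4 or later. The enclosing method starts and ends outside this hunk.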