From 72a81a3accaef60e5dd993b7e4d3483b81da90e7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?C=C3=B4me=20Chilliet?= <come.chilliet@fusiondirectory.org>
Date: Thu, 25 Jun 2020 11:09:55 +0200
Subject: [PATCH] :ambulance: fix(core) Escape text in INFO dialogs

issue #6071
---
 html/main.php                                  | 2 +-
 include/simpleplugin/class_simplePlugin.inc    | 2 +-
 plugins/admin/groups/class_groupManagement.inc | 4 ++--
 3 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/html/main.php b/html/main.php
index 4cc898d6e..6cc1799e8 100644
--- a/html/main.php
+++ b/html/main.php
@@ -113,7 +113,7 @@ if (($expired == POSIX_WARN_ABOUT_EXPIRATION) && !session::is_set('POSIX_WARN_AB
 
   // The users password is about to expire soon, display a warning message.
   logging::log('security', 'fusiondirectory', '', [], 'password for user "'.$ui->uid.'" is about to expire');
-  msg_dialog::display(_('Password change'), _('Your password is about to expire, please change your password!'), INFO_DIALOG);
+  msg_dialog::display(_('Password change'), htmlescape(_('Your password is about to expire, please change your password!')), INFO_DIALOG);
   session::set('POSIX_WARN_ABOUT_EXPIRATION__DONE', TRUE);
 } elseif ($expired == POSIX_FORCE_PASSWORD_CHANGE) {
   logging::debug(DEBUG_TRACE, __LINE__, __FUNCTION__, __FILE__, $expired, 'This user account expired');
diff --git a/include/simpleplugin/class_simplePlugin.inc b/include/simpleplugin/class_simplePlugin.inc
index 666b8b8cb..dbf737d70 100644
--- a/include/simpleplugin/class_simplePlugin.inc
+++ b/include/simpleplugin/class_simplePlugin.inc
@@ -1570,7 +1570,7 @@ class simplePlugin implements SimpleTab
         $str = implode("\n", $arr);
         logging::debug(DEBUG_SHELL, __LINE__, __FUNCTION__, __FILE__, $command, 'Output: '.$str);
         if (!empty($str) && $config->get_cfg_value('displayHookOutput', 'FALSE') == 'TRUE') {
-          msg_dialog::display('['.get_class($this).' '.strtolower($cmd).'trigger] '.$command, $str, INFO_DIALOG);
+          msg_dialog::display('['.get_class($this).' '.strtolower($cmd).'trigger] '.$command, htmlescape($str), INFO_DIALOG);
         }
       }
     }
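Review bot: The dialog title on the new line still concatenates `$command` without escaping while only the body `$str` is now wrapped in htmlescape(); if msg_dialog::display renders the title as HTML the same way as the body, the command string (built outside this hunk, and presumably containing substituted attribute values) reaches the page unescaped. Either pass `htmlescape('['.get_class($this).' '.strtolower($cmd).'trigger] '.$command)` as the first argument, or confirm that display() escapes titles itself and note that in a comment on the call. The enclosing method starts and ends outside the hunk.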
diff --git a/plugins/admin/groups/class_groupManagement.inc b/plugins/admin/groups/class_groupManagement.inc
index e1ce7c4ec..e6f059193 100644
--- a/plugins/admin/groups/class_groupManagement.inc
+++ b/plugins/admin/groups/class_groupManagement.inc
@@ -192,12 +192,12 @@ class groupManagement extends management
           $error->display();
         } else {
           if (is_array($res) && count($res) > 1) {
-            msg_dialog::display(_('Action triggered'), sprintf(_('Action called without error (results were "%s")'), implode(', ', $res)), INFO_DIALOG);
+            msg_dialog::display(_('Action triggered'), htmlescape(sprintf(_('Action called without error (results were "%s")'), implode(', ', $res))), INFO_DIALOG);
           } else {
             if (is_array($res)) {
               $res = $res[0];
             }
-            msg_dialog::display(_('Action triggered'), sprintf(_('Action called without error (result was "%s")'), $res), INFO_DIALOG);
+            msg_dialog::display(_('Action triggered'), htmlescape(sprintf(_('Action called without error (result was "%s")'), $res)), INFO_DIALOG);
           }
         }
         $this->closeDialogs();
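Review bot: The two changed lines are identical except for the message they build, so the htmlescape() wrapping and the INFO_DIALOG call are now duplicated in both branches, which is how the first call came to be escaped without the second being noticed in the past. Building the message in each branch and displaying it once after the if/else keeps a single escaping point. Separately, the untouched `$res = $res[0];` path triggers an undefined-offset notice when `$res` is an empty array; whether that can happen depends on the caller, which is outside the hunk. The enclosing method starts and ends outside the hunk.
```php
if (is_array($res) && count($res) > 1) {
  $message = sprintf(_('Action called without error (results were "%s")'), implode(', ', $res));
} else {
  if (is_array($res)) {
    $res = $res[0];
  }
  $message = sprintf(_('Action called without error (result was "%s")'), $res);
}
msg_dialog::display(_('Action triggered'), htmlescape($message), INFO_DIALOG);
```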
-- 
GitLab