From c899e0bdd9d7173129f039c4d725e7e7d3519a74 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?C=C3=B4me=20Chilliet?= <come@opensides.be>
Date: Mon, 5 Nov 2018 14:41:11 +0000
Subject: [PATCH] Merge branch
 '5918-password-recovery-does-not-escape-fields-in-error-messages' into
 '1.3-dev'

Resolve "Password recovery does not escape fields in error messages" in 1.3-dev

See merge request fusiondirectory/fd!445

(cherry picked from commit 555054251280ba2708af4eb39b6413c935ba72d8)

37069161 :ambulance: fix(password recovery) Escape HTML from input fields
---
 html/class_passwordRecovery.inc | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/html/class_passwordRecovery.inc b/html/class_passwordRecovery.inc
index 53d0f6d41..ce3b55a5b 100644
--- a/html/class_passwordRecovery.inc
+++ b/html/class_passwordRecovery.inc
@@ -476,10 +476,10 @@ class passwordRecovery extends standAlonePage {
     $ldap->search($filter, array('dn'));
 
     if ($ldap->count() < 1) {
-      $this->message[] = sprintf(_('Did not find an account with login "%s"'), $this->login);
+      $this->message[] = sprintf(_('Did not find an account with login "%s"'), htmlentities($this->login, ENT_COMPAT, 'UTF-8'));
       return;
     } elseif ($ldap->count() > 1) {
-      $this->message[] = sprintf(_('Found multiple accounts with login "%s"'), $this->login);
+      $this->message[] = sprintf(_('Found multiple accounts with login "%s"'), htmlentities($this->login, ENT_COMPAT, 'UTF-8'));
       return;
     }
 
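Review bot: The added `htmlentities(..., ENT_COMPAT, 'UTF-8')` calls (the two here and the three in the following hunks) leave single quotes unescaped and return an empty string when the input is not valid UTF-8, so the value is only safe in element content or double-quoted attributes and a malformed login is shown as blank. If the supported PHP version allows it, `htmlentities($this->login, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')` covers both cases. Repeating the call at every `sprintf` site makes it easy to miss the next message that embeds user input; a single private helper, or escaping where `$this->message` is printed, would be harder to forget, though the renderer is not visible here. The `$filter` passed to `$ldap->search()` is built outside the hunk, so it is worth confirming that the same login value is also escaped for LDAP filter context there. The enclosing method starts and ends outside this hunk.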
@@ -512,10 +512,10 @@ class passwordRecovery extends standAlonePage {
 
     /* Only one ldap node should be found */
     if ($ldap->count() < 1) {
-      $this->message[] = sprintf(_('There is no account using email "%s"'), $this->email_address);
+      $this->message[] = sprintf(_('There is no account using email "%s"'), htmlentities($this->email_address, ENT_COMPAT, 'UTF-8'));
       return;
     } elseif ($ldap->count() > 1) {
-      $this->message[] = sprintf(_('There are several accounts using email "%s"'), $this->email_address);
+      $this->message[] = sprintf(_('There are several accounts using email "%s"'), htmlentities($this->email_address, ENT_COMPAT, 'UTF-8'));
       return;
     }
 
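Review bot: The messages in this hunk and the next one tell an unauthenticated visitor whether an email address belongs to an account ("There is no account using email", "There are several accounts using email") and whether that account is locked, which lets the recovery form be used to enumerate accounts. Escaping the value does not change that. Consider answering all of these outcomes with one neutral message, for example `$this->message[] = _('If this address matches an account, a recovery email has been sent.');`, and keeping the specific reason in the server-side log only. The login-based lookup in the first hunk discloses account existence in the same way. The enclosing method begins before this hunk.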
@@ -523,7 +523,7 @@ class passwordRecovery extends standAlonePage {
 
     $method = passwordMethod::get_method($attrs['userPassword'][0], $attrs['dn']);
     if (is_object($method) && $method->is_locked($attrs['dn'])) {
-      $this->message[] = sprintf(_('The user using email "%s" is locked. Please contact your administrator.'), $this->email_address);
+      $this->message[] = sprintf(_('The user using email "%s" is locked. Please contact your administrator.'), htmlentities($this->email_address, ENT_COMPAT, 'UTF-8'));
       return;
     }
     $this->login = $attrs[$this->loginAttribute][0];
-- 
GitLab