From 37069161103cb828ed896d65e29dab5d2a115086 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?C=C3=B4me=20Chilliet?= <come@opensides.be>
Date: Mon, 5 Nov 2018 10:55:01 +0100
Subject: [PATCH] :ambulance: fix(password recovery) Escape HTML from input fields

This is a work-around to avoid javascript injection. The better way would be for msg_dialog to escape error text but that would cause problem elsewhere, so in the mean time we escape here.

issue #5918
---
 html/class_passwordRecovery.inc | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/html/class_passwordRecovery.inc b/html/class_passwordRecovery.inc
index e286ec92b..965dfeeca 100644
--- a/html/class_passwordRecovery.inc
+++ b/html/class_passwordRecovery.inc
@@ -477,10 +477,10 @@ class passwordRecovery extends standAlonePage {
 $ldap->search($filter, array('dn'));
 if ($ldap->count() < 1) {
- $this->message[] = sprintf(_('Did not find an account with login "%s"'), $this->login);
+ $this->message[] = sprintf(_('Did not find an account with login "%s"'), htmlentities($this->login, ENT_COMPAT, 'UTF-8'));
 return;
 } elseif ($ldap->count() > 1) {
- $this->message[] = sprintf(_('Found multiple accounts with login "%s"'), $this->login);
+ $this->message[] = sprintf(_('Found multiple accounts with login "%s"'), htmlentities($this->login, ENT_COMPAT, 'UTF-8'));
 return;
 }
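Review bot: `ENT_COMPAT` in the new `htmlentities($this->login, ENT_COMPAT, 'UTF-8')` calls leaves single quotes unescaped, so the protection only holds if every consumer of `$this->message` renders the entry as text or inside a double-quoted attribute; `ENT_QUOTES | ENT_SUBSTITUTE` closes that gap and also stops `htmlentities` from returning an empty string on invalid UTF-8 input, which would otherwise display the message with `""` and hide the rejected value. The same three-argument call is pasted into both `sprintf` calls here and into the three in the hunks at -513 and -524 below, so the value is better escaped once into a local (or through one small private helper) than repeated at each site, e.g. `$login = htmlentities($this->login, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');`. Because `$this->message` entries are now HTML-encoded at the source, any consumer that emits them as plain text (a log line or a mail body, if one exists) would show literal entities; a comment at the first escaped entry such as `/* HTML-escaped here because msg_dialog renders message text unescaped (issue #5918) */` records why the work-around lives in this class. The enclosing method starts and ends outside the hunk.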
@@ -513,10 +513,10 @@ class passwordRecovery extends standAlonePage {
 /* Only one ldap node should be found */
 if ($ldap->count() < 1) {
- $this->message[] = sprintf(_('There is no account using email "%s"'), $this->email_address);
+ $this->message[] = sprintf(_('There is no account using email "%s"'), htmlentities($this->email_address, ENT_COMPAT, 'UTF-8'));
 return;
 } elseif ($ldap->count() > 1) {
- $this->message[] = sprintf(_('There are several accounts using email "%s"'), $this->email_address);
+ $this->message[] = sprintf(_('There are several accounts using email "%s"'), htmlentities($this->email_address, ENT_COMPAT, 'UTF-8'));
 return;
 }
@@ -524,7 +524,7 @@ class passwordRecovery extends standAlonePage {
 $method = passwordMethod::get_method($attrs['userPassword'][0], $attrs['dn']);
 if (is_object($method) && $method->is_locked($attrs['dn'])) {
- $this->message[] = sprintf(_('The user using email "%s" is locked. Please contact your administrator.'), $this->email_address);
+ $this->message[] = sprintf(_('The user using email "%s" is locked. Please contact your administrator.'), htmlentities($this->email_address, ENT_COMPAT, 'UTF-8'));
 return;
 }
 $this->login = $attrs[$this->loginAttribute][0];
-- 
GitLab