From 13239c27512253452afd7a88ff77139c85a5f4bb Mon Sep 17 00:00:00 2001 From: bdalsass Date: Fri, 23 May 2025 10:06:01 +0200 Subject: [PATCH] =?UTF-8?q?N=C2=B08201=20-=20[CVE=5FRequest]=5FCross-Site-?= =?UTF-8?q?Script=20Reflected(XSS=20Reflected=20at=20the=20name=3D"attr=5F?= =?UTF-8?q?installed"=20(Low=20or=20Medium)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit
---
 pages/UI.php | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/pages/UI.php b/pages/UI.php
index a4f8c9bbf..9294c41c6 100644
--- a/pages/UI.php
+++ b/pages/UI.php
@@ -1989,7 +1989,7 @@ catch(CoreException $e)
 {
 $oP->add("

".Dict::S('UI:FatalErrorMessage')."

\n");
 }
- $oP->error(Dict::Format('UI:Error_Details', $e->getHtmlDesc()));
+ $oP->error(Dict::Format('UI:Error_Details', Str::pure2html($e->getHtmlDesc())));
 $oP->output();
 if (MetaModel::IsLogEnabledIssue())
@@ -2025,7 +2025,7 @@ catch(Exception $e)
 require_once(APPROOT.'/setup/setuppage.class.inc.php');
 $oP = new ErrorPage(Dict::S('UI:PageTitle:FatalError'));
 $oP->add("
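Review bot: Escaping at the call site in the `catch(CoreException $e)` branch leaves the contract of `getHtmlDesc()` unclear: the name implies the method already returns HTML, so either this call now risks double-encoding, or every other caller of `getHtmlDesc()` still receives unescaped exception text. Neither the method body nor its other callers are visible in this diff, so this needs checking; if the method returns raw text, escaping inside it would protect all callers at once. The second hunk (`catch(Exception $e)`) repeats the same call-site wrapping, so a short comment above both calls would help the next maintainer, e.g. `// Exception text may echo request parameters; escape before rendering in the error page`. The catch block starts and ends outside the hunk.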

".Dict::S('UI:FatalErrorMessage')."

\n");
- $oP->error(Dict::Format('UI:Error_Details', $e->getMessage()));
+ $oP->error(Dict::Format('UI:Error_Details', Str::pure2html($e->getMessage())));
 $oP->output();
 if (MetaModel::IsLogEnabledIssue())
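Review bot: Even when escaped, `$e->getMessage()` from a generic `Exception` is still shown verbatim to whoever triggered the error, and such messages can carry internal details (file paths, query fragments, class names) depending on where the exception was thrown. The change closes the markup injection but not that disclosure; consider rendering only the generic `UI:FatalErrorMessage` text to the browser and keeping the full message for the logging branch that follows under `MetaModel::IsLogEnabledIssue()`. Whether this error page is reachable without authentication is not visible here, and that would decide how much this matters. The catch block continues past the end of the hunk.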