From 469e2e6e0ee0ccdcab058d24463e12a36af75d19 Mon Sep 17 00:00:00 2001
From: Stephen Abello
Date: Tue, 30 Nov 2021 09:54:25 +0100
Subject: [PATCH] =?UTF-8?q?N=C2=B03835=20Tagset's=20tooltip=20security=20h?=
 =?UTF-8?q?ardening?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 core/attributedef.class.inc.php | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/core/attributedef.class.inc.php b/core/attributedef.class.inc.php
index cfb29d1e4..668bd0ea3 100644
--- a/core/attributedef.class.inc.php
+++ b/core/attributedef.class.inc.php
@@ -10852,7 +10852,7 @@ class AttributeClassAttCodeSet extends AttributeSet
 }
 }
- $sLabelForHtmlAttribute = MetaModel::GetLabel($sAttClass, $sAttCode)." ($sAttCode)";
+ $sLabelForHtmlAttribute = utils::HtmlEntities(MetaModel::GetLabel($sAttClass, $sAttCode)." ($sAttCode)");
 $aLocalizedValues[] = ''.$sAttCode.'';
 } catch (Exception $e) {
@@ -11045,7 +11045,7 @@ class AttributeQueryAttCodeSet extends AttributeSet
 $aLocalizedValues = array();
 foreach ($value as $sAttCode) {
 if (isset($aAllowedAttributes[$sAttCode])) {
- $sLabelForHtmlAttribute = $aAllowedAttributes[$sAttCode];
+ $sLabelForHtmlAttribute = utils::HtmlEntities($aAllowedAttributes[$sAttCode]);
 $aLocalizedValues[] = ''.$sAttCode.'';
 }
 }
@@ -11594,13 +11594,14 @@ class AttributeTagSet extends AttributeSet
 $sTooltipContent = $sTagLabel;
 $sTooltipHtmlEnabled = 'false';
 } else {
+ $sTagLabelEscaped = utils::EscapeHtml($sTagLabel);
 $sTooltipContent = <<$sTagLabel +
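Review bot: The `+` line of the AttributeQueryAttCodeSet hunk escapes the attribute label with `utils::HtmlEntities()` while the AttributeTagSet hunk of the same patch escapes the equivalent label with `utils::EscapeHtml()`, and nothing in the diff says how the two helpers differ; the value built here is named for an HTML attribute, so it is the one that must have both quote styles encoded (ENT_QUOTES), and a reader cannot verify that from the call alone. I would pick one helper for attribute-context values across the three hunks and record the reason above the assignment, e.g. `// Attribute context: the helper must encode both quote styles, the value presumably lands in a double-quoted data-* attribute`. The element text on the next context line is still the raw `$sAttCode`; it is gated by the `isset($aAllowedAttributes[$sAttCode])` allow-list so it is bounded to known datamodel codes, which is worth stating in a comment rather than leaving the asymmetry with the escaped label unexplained. The enclosing method starts and ends outside the hunk, so where `$aAllowedAttributes` comes from is not visible here.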

$sTagLabelEscaped

$sTagDescription
HTML; $sTooltipHtmlEnabled = 'true'; } - $sTooltipContent = utils::EscapeHtml($sTooltipContent); + $sTooltipContent = utils::HtmlEntities($sTooltipContent); $sHtml .= ''.$sLabelForHtml.''; }
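Review bot: `$sTagDescription` is still interpolated unescaped into the heredoc, on the line right after the newly escaped `$sTagLabelEscaped`, and with `$sTooltipHtmlEnabled = 'true'` the tooltip renders that content as HTML, so any markup in a tag description reaches the browser unescaped unless descriptions are already escaped or intentionally HTML upstream, which this hunk does not show. If descriptions are plain text, escape them the same way as the label: `$sTagDescriptionEscaped = utils::EscapeHtml($sTagDescription);` and use `$sTagDescriptionEscaped` in the heredoc; if they are trusted HTML by design, a comment saying so belongs above the heredoc. The final `utils::HtmlEntities($sTooltipContent)` then encodes the already-escaped fragment a second time, which is correct for an attribute that carries an HTML payload (the parser decodes one layer, the tooltip renders the rest) but looks like accidental double-encoding; `// Double encoding is intended: outer layer for the attribute, inner layer is the tooltip's HTML payload` would stop a later "fix". The enclosing function, including where `$sTagLabel` and `$sTagDescription` are populated, starts before this hunk.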