From 81b20ee5831a3edcb4ac8f4ea4749612c64b97c0 Mon Sep 17 00:00:00 2001
From: bdalsass
Date: Fri, 23 May 2025 08:42:56 +0200
Subject: [PATCH] =?UTF-8?q?N=C2=B08168=20-=20Stored=20XSS=20in=20portals?= =?UTF-8?q?=20lnk?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 .../fieldrenderer/bslinkedsetfieldrenderer.class.inc.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/sources/renderer/bootstrap/fieldrenderer/bslinkedsetfieldrenderer.class.inc.php b/sources/renderer/bootstrap/fieldrenderer/bslinkedsetfieldrenderer.class.inc.php
index 75159cf3b..2d8dd4374 100644
--- a/sources/renderer/bootstrap/fieldrenderer/bslinkedsetfieldrenderer.class.inc.php
+++ b/sources/renderer/bootstrap/fieldrenderer/bslinkedsetfieldrenderer.class.inc.php
@@ -611,7 +611,7 @@ JS
 if ($oAttDef->IsExternalKey()) {
 /** @var \AttributeExternalKey $oAttDef */
- $aAttProperties['value'] = $oRemoteItem->Get($sAttCode . '_friendlyname');
+ $aAttProperties['value'] = \Str::pure2html($oRemoteItem->Get($sAttCode . '_friendlyname'));
 // Checking if user can access object's external key
 $sObjectUrl = ApplicationContext::MakeObjectUrl($oAttDef->GetTargetClass(), $oRemoteItem->Get($sAttCode));
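Review bot: Only the `_friendlyname` assignment inside the `IsExternalKey()` branch is encoded, so any sibling branch that fills `$aAttProperties['value']` from `$oRemoteItem->Get(...)` still needs checking for the same raw value reaching the portal markup. Those branches are not visible here, because the enclosing block starts and ends outside the hunk. From this line on `value` carries HTML-encoded text rather than raw data, and nothing in the code says so; a later change that encodes again on output, or decodes it, would either double-encode or reopen the stored XSS. I would add a comment above the assignment such as `// Friendly name is user-editable stored data: HTML-encode it before it reaches the portal markup (N°8168)`. A regression test that renders a linked object whose friendly name contains markup and asserts that the emitted value is encoded would keep the fix from being silently undone.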