From 963fae243cd48767e520ceda5953a518ecd306fe Mon Sep 17 00:00:00 2001
From: acognet
Date: Fri, 1 Oct 2021 09:20:13 +0200
Subject: [PATCH] =?UTF-8?q?N=C2=B03835=20-=20Make=20global=20pass=20on=20a?= =?UTF-8?q?ll=20inputs=20(objects,=20dashlets,=20...)=20to=20ensure=20XSS?= =?UTF-8?q?=20and=20double=20encoding=20have=20been=20dealt=20with?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 application/ui.extkeywidget.class.inc.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/application/ui.extkeywidget.class.inc.php b/application/ui.extkeywidget.class.inc.php
index b48e6a320..61db04e47 100644
--- a/application/ui.extkeywidget.class.inc.php
+++ b/application/ui.extkeywidget.class.inc.php
@@ -243,7 +243,7 @@ class UIExtKeyWidget
 foreach ($aAdditionalField as $sAdditionalField) {
 array_push($aArguments, $oObj->Get($sAdditionalField));
 }
- $aOption['additional_field'] = vsprintf($sFormatAdditionalField, $aArguments);
+ $aOption['additional_field'] = utils::HtmlEntities(vsprintf($sFormatAdditionalField, $aArguments));
 }
 if (!empty($sObjectImageAttCode)) {
 // Try to retrieve image for contact
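Review bot: `$aOption['additional_field']` now holds HTML-encoded text, but nothing at the assignment says so, and an undocumented encoding step is how double encoding returns when a consumer escapes the value again or inserts it as plain text. I would add a comment above the changed line, for example `// HTML-encoded here: the renderer must insert this as markup and must not encode it again`. Because the whole `vsprintf()` result is encoded, any markup in `$sFormatAdditionalField` itself is neutralised as well, which looks intended but is worth stating in the same comment. The other keys written to `$aOption` are outside this hunk, as are the start and end of the enclosing method, so it cannot be confirmed from here that sibling values built from `$oObj->Get()` are encoded the same way.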