From 09be84f69da0fe44221f63b8c2db041bdf7dd7f9 Mon Sep 17 00:00:00 2001
From: Stephen Abello
Date: Mon, 13 Nov 2023 11:18:40 +0100
Subject: [PATCH] =?UTF-8?q?N=C2=B06908=20-=20Security=20hardening?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 .../display-block/block-chart-ajax-bars/layout.js.twig | 2 +-
 .../display-block/block-chart-ajax-pie/layout.js.twig | 2 +-
 templates/application/display-block/block-csv/layout.js.twig | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/templates/application/display-block/block-chart-ajax-bars/layout.js.twig b/templates/application/display-block/block-chart-ajax-bars/layout.js.twig
index 8144a5407..c807cb0df 100644
--- a/templates/application/display-block/block-chart-ajax-bars/layout.js.twig
+++ b/templates/application/display-block/block-chart-ajax-bars/layout.js.twig
@@ -61,7 +61,7 @@ if (typeof(charts) === "undefined")
 }
 var idxChart=charts.length;
 charts.push(chart);
-var refreshChart{{ oUIBlock.sId|sanitize(constant('utils::ENUM_SANITIZATION_FILTER_VARIABLE_NAME')) }} = '$.post("{{ oUIBlock.sURLForRefresh|raw }}&refresh='+idxChart+'","", function (data) {'+
+var refreshChart{{ oUIBlock.sId|sanitize(constant('utils::ENUM_SANITIZATION_FILTER_VARIABLE_NAME')) }} = '$.post("{{ oUIBlock.sURLForRefresh|escape('js') }}&refresh='+idxChart+'","", function (data) {'+
 'charts['+idxChart+'].unload();'+
 'setTimeout(function () {eval(data.js);},50);'+
 '})';
diff --git a/templates/application/display-block/block-chart-ajax-pie/layout.js.twig b/templates/application/display-block/block-chart-ajax-pie/layout.js.twig
index cbe1902ca..cadea9a30 100644
--- a/templates/application/display-block/block-chart-ajax-pie/layout.js.twig
+++ b/templates/application/display-block/block-chart-ajax-pie/layout.js.twig
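Review bot: `escape('js')` on the `refreshChart…` line is one nesting level short: the value is placed inside a single-quoted JS literal that itself holds JS source (`$.post("…")` plus the `eval(data.js)` callback), so the `\xHH` sequences are decoded when that outer literal is parsed and the decoded URL lands unescaped inside the inner double-quoted literal — a `"` or line break in `sURLForRefresh` would still terminate the inner string once the built text is evaluated, which presumably happens outside this hunk. The same applies to the `block-chart-ajax-pie` hunk below. The cleaner fix is to stop building source text and define `refreshChart…` as a function, so the single `escape('js')` matches the one literal it sits in; the index is captured by the wrapper so it keeps the value the string concatenation baked in, even when another chart block later redeclares `var idxChart`. If the consumer needs a string rather than a callable, `|escape('js')|escape('js')` encodes for both levels instead — confirm which the caller expects.
```javascript
var refreshChart{{ oUIBlock.sId|sanitize(constant('utils::ENUM_SANITIZATION_FILTER_VARIABLE_NAME')) }} = (function (chartIndex) {
  return function () {
    $.post("{{ oUIBlock.sURLForRefresh|escape('js') }}&refresh=" + chartIndex, "", function (data) {
      charts[chartIndex].unload();
      setTimeout(function () { eval(data.js); }, 50);
    });
  };
})(idxChart);
```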
@@ -39,7 +39,7 @@ if (typeof (charts) === "undefined")
 }
 var idxChart = charts.length;
 charts.push(chart);
-var refreshChart{{ oUIBlock.sId|sanitize(constant('utils::ENUM_SANITIZATION_FILTER_VARIABLE_NAME')) }}=' $.post("{{ oUIBlock.sURLForRefresh|raw }}&refresh='+idxChart+'","", function (data) {'+
+var refreshChart{{ oUIBlock.sId|sanitize(constant('utils::ENUM_SANITIZATION_FILTER_VARIABLE_NAME')) }}=' $.post("{{ oUIBlock.sURLForRefresh|escape('js')}}&refresh='+idxChart+'","", function (data) {'+
 'charts['+idxChart+'].unload();'+
 'setTimeout(function () {eval(data.js);},50);'+
 '});';
diff --git a/templates/application/display-block/block-csv/layout.js.twig b/templates/application/display-block/block-csv/layout.js.twig
index 452973175..657c6fc9d 100644
--- a/templates/application/display-block/block-csv/layout.js.twig
+++ b/templates/application/display-block/block-csv/layout.js.twig
@@ -2,7 +2,7 @@
 {# @license http://opensource.org/licenses/AGPL-3.0 #}
 {% apply spaceless %}
 $.post(
-'{{ oUIBlock.sAjaxLink|raw }}',
+'{{ oUIBlock.sAjaxLink|escape('js') }}',
 {{ oUIBlock.sJsonParams|raw }},
 function(data) {
 $('#csv_content').html(data);
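Review bot: The pie hunk writes the filter as `|escape('js')}}` while the bars hunk in the same commit writes `|escape('js') }}`; the two lines are otherwise parallel, so the spacing should match, `{{ oUIBlock.sURLForRefresh|escape('js') }}`. The escaping-depth concern for this line is the one raised on the bars hunk above and is not repeated here.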
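Review bot: `{{ oUIBlock.sJsonParams|raw }}` on the line after the hardened URL stays `|raw` and is emitted directly as the second `$.post` argument, so this file still carries one unescaped template value; that is correct only when the value is a server-side `json_encode` result, which the hunk does not show. A Twig comment on that line, `{# sJsonParams must be a json_encode()'d literal; it is |raw on purpose, escape('js') would not yield a valid object literal #}`, would record that invariant where the next `|raw` cleanup will look. The `$.post(` call opened here continues past the hunk.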