From f567f581c36081811705f9b792354c290e737efc Mon Sep 17 00:00:00 2001
From: Molkobain
Date: Thu, 18 Mar 2021 20:22:55 +0100
Subject: [PATCH] =?UTF-8?q?N=C2=B03581=20-=20Dashlet=20plain=20text:=20Fix?= =?UTF-8?q?=20line=20returns=20while=20keeping=20XSS=20protection?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 application/dashlet.class.inc.php | 1 +
 .../base/components/dashlet/dashlet-plain-text.html.twig | 5 ++++-
 2 files changed, 5 insertions(+), 1 deletion(-)
diff --git a/application/dashlet.class.inc.php b/application/dashlet.class.inc.php
index e22b02525..63a1f9413 100644
--- a/application/dashlet.class.inc.php
+++ b/application/dashlet.class.inc.php
@@ -849,6 +849,7 @@ class DashletPlainText extends Dashlet
 public function Render($oPage, $bEditMode = false, $aExtraParams = array())
 {
 $sText = $this->aProperties['text'];
+ $sText = utils::EscapeHtml($sText);
 $sText = str_replace(array("\r\n", "\n", "\r"), "
", $sText);
 $sId = 'plaintext_'.($bEditMode ? 'edit_' : '').$this->sId;
diff --git a/templates/base/components/dashlet/dashlet-plain-text.html.twig b/templates/base/components/dashlet/dashlet-plain-text.html.twig
index c4e372de6..619c646b5 100644
--- a/templates/base/components/dashlet/dashlet-plain-text.html.twig
+++ b/templates/base/components/dashlet/dashlet-plain-text.html.twig
@@ -1,5 +1,8 @@
 {# @copyright Copyright (C) 2010-2021 Combodo SARL #}
 {# @license http://opensource.org/licenses/AGPL-3.0 #}
 {% apply spaceless %}
-
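Review bot: The new utils::EscapeHtml call is correctly ordered before the str_replace that turns line returns into HTML line-break markup (the replacement literal is not visible in this rendering), so user text is neutralised first and only the dashlet's own markup stays unescaped; what is missing is any record on the PHP side that Render/GetText now hand out pre-escaped HTML, which is exactly the contract the template's |raw depends on. Add above the call `// Escape FIRST, then insert our own line-break markup: the template outputs this value with |raw, so this is the only XSS barrier. Never escape it again downstream (double encoding) and never feed it back as a form field value.` It is worth confirming that utils::EscapeHtml encodes quotes and ampersands (htmlspecialchars with ENT_QUOTES semantics), since the template now trusts the result as-is, and that aProperties['text'] is stored raw rather than already escaped, otherwise entities will be double-encoded. The $bEditMode handling and the rest of Render continue outside the hunk, so whether the escaped $sText also reaches an edit-mode input cannot be checked here.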
{{ oUIBlock.GetText() }}
+
+ {# |raw filter is ok here as the escaping is already done by the \DashletPlainText class itself #}
+ {{ oUIBlock.GetText()|raw }}
+
{% endapply %}
\ No newline at end of file
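Review bot: The |raw filter on the GetText() output makes this template's safety depend on a caller it cannot see; the comment names \DashletPlainText, but any block exposing GetText() can be rendered through this template and Twig will then emit its text unescaped. Twig's nl2br filter pre-escapes its input before inserting the break tags, so the template could do the whole job itself with `{{ oUIBlock.GetText()|nl2br }}`, keeping autoescaping on and letting the PHP side drop both the EscapeHtml call and the str_replace. If the PHP-side escaping is kept instead, the contract should be visible at its source: document (or rename) the accessor so it is clear it returns already-escaped HTML that must be output with |raw, rather than relying on this template comment alone.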