bugfix: avoid XSS in customer group list with description field (LMS #…

…1910)
chilek · Apr 8, 2021 · 50ba542 · 50ba542
1 parent 5ae67b0
commit 50ba542
Showing 1 changed file with 2 additions and 2 deletions.
diff --git a/templates/default/balance/balancenew.html b/templates/default/balance/balancenew.html
@@ -197,7 +197,7 @@ <H1>{$layout.pagetitle}</H1>
 						</td>
 						<td>
 							<textarea name="addbalance[comment]" rows="5" cols="50" {tip text="Enter comment"}
-								form="addbalance">{$comment|replace:"\n":"<BR>"}</textarea>
+								form="addbalance">{$comment|escape|replace:"\n":"<BR>"}</textarea>
 						</td>
 					</tr>
 					<tr>
@@ -296,7 +296,7 @@ <H1>{$layout.pagetitle}</H1>
 							<table width="100%" cellpadding="5">
 								<tr>
 									<td class="fall superlight">
-										{$last.comment|replace:"\n":"<BR>"}
+										{$last.comment|escape|replace:"\n":"<BR>"}
 									</td>
 								</tr>
 							</table>