From 72427bd05962af52ce4805fd1c084be389e49e99 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tomasz=20Chili=C5=84ski?= <tomasz.chilinski@chilan.com>
Date: Wed, 28 Apr 2021 19:39:25 +0200
Subject: [PATCH] bugfix: avoid XSS in user name presentation (LMS #1910)

---
 templates/default/invoice/invoice.html  | 2 +-
 templates/default/note/note.html        | 2 +-
 templates/default/user/useradd.html     | 4 ++--
 templates/default/user/usereditbox.html | 4 ++--
 4 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/templates/default/invoice/invoice.html b/templates/default/invoice/invoice.html
index 59029e4a93..8628436228 100644
--- a/templates/default/invoice/invoice.html
+++ b/templates/default/invoice/invoice.html
@@ -450,7 +450,7 @@
 		</TD>
 		<TD WIDTH="50%" ALIGN="RIGHT" ROWSPAN="2">
 			{if !ConfigHelper::checkConfig('invoices.hide_expositor')}
-				{trans("Expositor:")} {if $invoice.user}{$invoice.user}{elseif $invoice.division_author}{$invoice.division_author}{else}{trans("system")}{/if}
+				{trans("Expositor:")} {if $invoice.user}{$invoice.user|escape}{elseif $invoice.division_author}{$invoice.division_author|escape}{else}{trans("system")}{/if}
 			{/if}
 		</TD>
 	</TR>
diff --git a/templates/default/note/note.html b/templates/default/note/note.html
index 298bae0b54..39ab6286ad 100644
--- a/templates/default/note/note.html
+++ b/templates/default/note/note.html
@@ -5,7 +5,7 @@
 <BR>
 {trans("Deadline:")} {$note.pdate|date_format:"%Y/%m/%d"}
 <BR>
-{trans("Expositor:")} {if $note.user}{$note.user}{else}{$note.division_author}{/if}
+{trans("Expositor:")} {if $note.user}{$note.user|escape}{else}{$note.division_author|escape}{/if}
 </DIV>
 
 <H2 align="center" class="hdf">
diff --git a/templates/default/user/useradd.html b/templates/default/user/useradd.html
index 98c5543bd8..a01906d295 100644
--- a/templates/default/user/useradd.html
+++ b/templates/default/user/useradd.html
@@ -53,7 +53,7 @@ <H1>{$layout.pagetitle}</H1>
 			<IMG src="img/users.gif" alt=""> {trans("First name:")}
 		</TD>
 		<TD>
-			<INPUT type="text" name="useradd[firstname]" value="{$useradd.firstname}" size="40" required {tip text="Enter user first name" trigger="firstname"}>
+			<INPUT type="text" name="useradd[firstname]" value="{$useradd.firstname|escape}" size="40" required {tip text="Enter user first name" trigger="firstname"}>
 		</TD>
 	</TR>
 	<TR>
@@ -61,7 +61,7 @@ <H1>{$layout.pagetitle}</H1>
 			<IMG src="img/users.gif" alt=""> {trans("Last name:")}
 		</TD>
 		<TD>
-			<INPUT type="text" name="useradd[lastname]" value="{$useradd.lastname}" size="40" required {tip text="Enter user last name" trigger="lastname"}>
+			<INPUT type="text" name="useradd[lastname]" value="{$useradd.lastname|escape}" size="40" required {tip text="Enter user last name" trigger="lastname"}>
 		</TD>
 	</TR>
 	<TR>
diff --git a/templates/default/user/usereditbox.html b/templates/default/user/usereditbox.html
index e08b3d8160..30093f43f3 100644
--- a/templates/default/user/usereditbox.html
+++ b/templates/default/user/usereditbox.html
@@ -53,7 +53,7 @@
 			{trans("First name:")}
 		</TD>
 		<TD>
-			<INPUT type="text" name="userinfo[firstname]" value="{$userinfo.firstname}" required size="40" {tip text="Enter user first name" trigger="firstname"}>
+			<INPUT type="text" name="userinfo[firstname]" value="{$userinfo.firstname|escape}" required size="40" {tip text="Enter user first name" trigger="firstname"}>
 		</TD>
 	</TR>
 	<TR>
@@ -64,7 +64,7 @@
 			{trans("Last name:")}
 		</TD>
 		<TD>
-			<INPUT type="text" name="userinfo[lastname]" value="{$userinfo.lastname}" required size="40" {tip text="Enter user last name" trigger="lastname"}>
+			<INPUT type="text" name="userinfo[lastname]" value="{$userinfo.lastname|escape}" required size="40" {tip text="Enter user last name" trigger="lastname"}>
 		</TD>
 	</TR>
 	<TR>