bugfix: avoid XSS in cash source forms (LMS #1910)

chilek · Jul 18, 2022 · c3892ef · c3892ef
1 parent 995fdf8
commit c3892ef
Show file tree

Hide file tree

Showing 3 changed files with 3 additions and 3 deletions.
diff --git a/templates/default/cash/cashsourceadd.html b/templates/default/cash/cashsourceadd.html
@@ -50,7 +50,7 @@ <h1>{$layout.pagetitle}</h1>
 			</td>
 			<td>
 				<textarea rows="5" cols="50" name="sourceadd[description]" form="sourceadd"
-					{tip text="Enter additional information (optional)" trigger="description"}>{$sourceadd.description}</textarea>
+					{tip text="Enter additional information (optional)" trigger="description"}>{$sourceadd.description|escape}</textarea>
 			</td>
 		</tr>
 		<tr>

diff --git a/templates/default/cash/cashsourceedit.html b/templates/default/cash/cashsourceedit.html
@@ -51,7 +51,7 @@ <h1>{$layout.pagetitle}</h1>
 			</td>
 			<td>
 				<textarea rows="5" cols="50" name="sourceedit[description]" form="sourceedit"
-					{tip text="Enter additional information (optional)" trigger="value"}>{$sourceedit.description}</textarea>
+					{tip text="Enter additional information (optional)" trigger="value"}>{$sourceedit.description|escape}</textarea>
 			</td>
 		</tr>
 		<tr>

diff --git a/templates/default/cash/cashsourcelist.html b/templates/default/cash/cashsourcelist.html
@@ -54,7 +54,7 @@ <H1>{$layout.pagetitle}</H1>
 					{if $source.isdefault}{icon name="checked" tip="yes"}{/if}
 				</td>
 				<td data-target-url="?m=cashsourceedit&id={$source.id}">
-					{$source.description}
+					{$source.description|escape}
 				</td>
 				<td class="text-right nobr">
 					{if $source.deleted == 1}