From ae8b383deffd861fd5c168476fa41c369a907de2 Mon Sep 17 00:00:00 2001
From: Uwe Steinmann
Date: Thu, 24 Jul 2025 20:43:29 +0200
Subject: [PATCH] fix potential XSS attack in many fields of settings
---
 CHANGELOG | 1 +
 views/bootstrap/class.Settings.php | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/CHANGELOG b/CHANGELOG
index f861270d1..a61862b0e 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -15,6 +15,7 @@
 - show how many users have to review/approve a document and how many did already (in menu task list and document list)
 - break long original file names on viewDocument page
+- fix potential XSS attack in many fields of settings
 --------------------------------------------------------------------------------
 Changes in version 5.1.40
diff --git a/views/bootstrap/class.Settings.php b/views/bootstrap/class.Settings.php
index 74430c4e9..af73f2ef4 100644
--- a/views/bootstrap/class.Settings.php
+++ b/views/bootstrap/class.Settings.php
@@ -151,7 +151,7 @@ class SeedDMS_View_Settings extends SeedDMS_Theme_Style {
 $value = $settings->{"_".$name};
 echo " ";
 if($this->isVisible($name))
- $this->showTextField($name, $value, ($type=='password' || $type=='textarea' ? $type : ''), $placeholder ? $placeholder : getMLText($title."_placeholder", [], ""));
+ $this->showTextField($name, htmlspecialchars($value), ($type=='password' || $type=='textarea' ? $type : ''), $placeholder ? $placeholder : getMLText($title."_placeholder", [], ""));
 else
 echo getMLText('settings_conf_field_not_editable');
 echo "\n";
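Review bot: The added `htmlspecialchars($value)` in the showTextField call relies on the default flags, which before PHP 8.1 are ENT_COMPAT and leave single quotes unescaped, so if the helper emits the value inside a single-quoted attribute the injection point remains; pass the flags explicitly, `htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')`. The same call still hands `$placeholder` to the helper unescaped, and it needs the same treatment if it can originate anywhere other than fixed language strings. If showTextField already escapes its value argument internally, this change double-encodes on display, which is worth confirming in the helper since it is outside the hunk. Settings values that are null or not strings would trigger a deprecation or TypeError in htmlspecialchars under PHP 8, so a `(string)` cast may be needed where such values reach this loop. The enclosing method begins and ends outside the hunk.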