From e0b9544bd568f3cd5e5417f0fbaefd96246ee247 Mon Sep 17 00:00:00 2001
From: Uwe Steinmann
Date: Fri, 30 Jan 2026 08:15:26 +0100
Subject: [PATCH] fix potential XSS attack on search page

---
 CHANGELOG | 1 +
 views/bootstrap/class.Search.php | 8 ++++----
 2 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/CHANGELOG b/CHANGELOG
index 1a88a88f6..83b57f5e8 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -5,6 +5,7 @@
 - show document preview when editing attributes of a document
 - fix utilities which require translations
 - fix potential XSS attack when deleting a folder/document
+- fix potential XSS attack on search page
 - links to operations on folders/documents can be put into a dropdown menu
 - check for secure password when adding a new user
 - secure password check can be turned off for admins
diff --git a/views/bootstrap/class.Search.php b/views/bootstrap/class.Search.php
index 4765db9b8..5c69e5d87 100644
--- a/views/bootstrap/class.Search.php
+++ b/views/bootstrap/class.Search.php
@@ -1109,7 +1109,7 @@ $(document).ready(function() {
 if($values) {
 $tmp = explode('_', $facetname);
 if($attrdef = $dms->getAttributeDefinition($tmp[1])) {
-$dispname = $attrdef->getName();
+$dispname = htmlspecialchars($attrdef->getName());
 switch($attrdef->getType()) {
 case 556: //SeedDMS_Core_AttributeDefinition::type_int:
 $this->formField(
@@ -1227,7 +1227,7 @@ $(document).ready(function() {
 if(substr($facetname, 0, 5) == 'attr_') {
 $tmp = explode('_', $facetname);
 if($attrdef = $dms->getAttributeDefinition($tmp[1])) {
-$dispname = $attrdef->getName();
+$dispname = htmlspecialchars($attrdef->getName());
 /* Create a link to remove the filter */
 $allparams = $request->query->all();
 if(isset($allparams['attributes'][$facetname])) {
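Review bot: `htmlspecialchars($attrdef->getName())` on the added line of the @@ -1109 hunk relies on the function's default flags, and the identical line is repeated in the @@ -1227, @@ -1340 and @@ -1368 hunks. On PHP older than 8.1 the default is ENT_COMPAT, so a single quote in an attribute name is left unescaped, which matters if `$dispname` is ever placed inside a single-quoted HTML attribute; without ENT_SUBSTITUTE an invalid UTF-8 name makes the call return an empty string, silently blanking the label. Passing the flags explicitly removes the dependence on the runtime's PHP version: `$dispname = htmlspecialchars($attrdef->getName(), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');`. With the same call now in four places, a small private helper on the view (for example `escapeName()`) would keep the escaping policy in one spot. The enclosing methods start and end outside these hunks.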
@@ -1340,7 +1340,7 @@ $(document).ready(function() {
 if(is_string($av) && ($av == '__notset__')) {
 $tmp = explode('_', $an);
 if($attrdef = $dms->getAttributeDefinition($tmp[1])) {
-$dispname = $attrdef->getName();
+$dispname = htmlspecialchars($attrdef->getName());
 unset($allparams['attributes'][$an]);
 $newrequest = Symfony\Component\HttpFoundation\Request::create($request->getBaseUrl(), 'GET', $allparams);
 $menuitems[] = array('label'=>' '.$dispname.' is not set', 'link'=>$newrequest->getRequestUri(), 'attributes'=>[['title', 'Click to remove']], '_badge'=>'x');
@@ -1368,7 +1368,7 @@ $(document).ready(function() {
 if(substr($facetname, 0, 5) == 'attr_') {
 $tmp = explode('_', $facetname);
 if($attrdef = $dms->getAttributeDefinition($tmp[1])) {
-$dispname = $attrdef->getName();
+$dispname = htmlspecialchars($attrdef->getName());
 switch($attrdef->getType()) {
 case SeedDMS_Core_AttributeDefinition::type_int:
 case SeedDMS_Core_AttributeDefinition::type_float:
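Review bot: In the @@ -1340 hunk the now HTML-escaped `$dispname` is concatenated into the `'label'` of a `$menuitems` entry, so whether the fix is correct depends on how the menu is rendered, which is outside the hunk: if the renderer escapes labels again, a name containing `<` is displayed as the literal text `&lt;`, and if it prints labels raw, this call is the only protection for the value. A comment at the assignment would pin that contract for whoever touches the renderer, e.g. `/* name is HTML-escaped here; the menu renderer must output labels as-is */` — or, if the renderer already escapes, the call in this hunk alone should be dropped. The `foreach` this sits in begins and ends outside the hunk.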