fix xss attack in DefaultKeywords

2024-10-04 15:12:30 +00:00 · 2022-03-23 11:27:42 +01:00 · 2022-03-23 11:27:42 +01:00 · 6fc17be5d9
commit 6fc17be5d9
parent a7212a0708
2 changed files with 2 additions and 1 deletions
--- a/1
+++ b/1
@ -9,6 +9,7 @@
 - various improvements for workflows
 - output splash message when removing, editing, adding a category or keyword
 - extensions cannot be disabled/enabled if configuration file is not writeable
+- prevent cross site scripting in views/bootstrap/class.DefaultKeywords.php

 --------------------------------------------------------------------------------
                     Changes in version 5.1.24
--- a/views/bootstrap/class.DefaultKeywords.php
+++ b/views/bootstrap/class.DefaultKeywords.php
@ -140,7 +140,7 @@ $(document).ready( function() {
 						'element'=>'input',
 						'type'=>'text',
 						'name'=>'name',
-						'value'=>$category->getName()
+						'value'=>($category ? htmlspecialchars($category->getName()) : '')
 					)
 				);
 				$this->contentContainerEnd();