use htmlspecialchars() in getAttributeValue() for user/group name

2025-06-18 02:59:27 +00:00 · 2021-02-06 18:01:26 +01:00 · 2021-02-06 18:01:26 +01:00 · e7b40e21f3
commit e7b40e21f3
parent 0d6fe3e238
1 changed files with 2 additions and 2 deletions
--- a/views/bootstrap/class.Bootstrap.php
+++ b/views/bootstrap/class.Bootstrap.php
@ -1528,7 +1528,7 @@ $(document).ready(function() {
 			$tmp = array();
 			foreach($attrs as $attr) {
 				$curuser = $dms->getUser((int) $attr);
-				$tmp[] = $curuser->getFullname()." (".$curuser->getLogin().")";
+				$tmp[] = htmlspecialchars($curuser->getFullname()." (".$curuser->getLogin().")");
 			}
 			return implode('<br />', $tmp);
 			break;
@ -1537,7 +1537,7 @@ $(document).ready(function() {
 			$tmp = array();
 			foreach($attrs as $attr) {
 				$curgroup = $dms->getGroup((int) $attr);
-				$tmp[] = $curgroup->getName();
+				$tmp[] = htmlspecialchars($curgroup->getName());
 			}
 			return implode('<br />', $tmp);
 			break;