From fad5c31cf28bafb782665888763416b4c9de288c Mon Sep 17 00:00:00 2001
From: Uwe Steinmann <steinm@debian.org>
Date: Fri, 8 May 2020 07:42:38 +0200
Subject: [PATCH] run workflow action name through htmlspecialchars()

---
 views/bootstrap/class.ViewDocument.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/views/bootstrap/class.ViewDocument.php b/views/bootstrap/class.ViewDocument.php
index b00a2f7d0..4c9e3e5b6 100644
--- a/views/bootstrap/class.ViewDocument.php
+++ b/views/bootstrap/class.ViewDocument.php
@@ -1081,7 +1081,7 @@ class SeedDMS_View_ViewDocument extends SeedDMS_Bootstrap_Style {
 				echo "<td>";
 				if($latestContent->triggerWorkflowTransitionIsAllowed($user, $transition)) {
 					$action = $transition->getAction();
-					print "<form action=\"../out/out.TriggerWorkflow.php\" method=\"get\"><input type=\"hidden\" name=\"documentid\" value=\"".$latestContent->getDocument()->getId()."\" /><input type=\"hidden\" name=\"version\" value=\"".$latestContent->getVersion()."\" /><input type=\"hidden\" name=\"transition\" value=\"".$transition->getID()."\" /><input type=\"submit\" class=\"btn\" value=\"".getMLText('action_'.strtolower($action->getName()), array(), $action->getName())."\" /></form>";
+					print "<form action=\"../out/out.TriggerWorkflow.php\" method=\"get\"><input type=\"hidden\" name=\"documentid\" value=\"".$latestContent->getDocument()->getId()."\" /><input type=\"hidden\" name=\"version\" value=\"".$latestContent->getVersion()."\" /><input type=\"hidden\" name=\"transition\" value=\"".$transition->getID()."\" /><input type=\"submit\" class=\"btn\" value=\"".getMLText('action_'.strtolower($action->getName()), array(), htmlspecialchars($action->getName()))."\" /></form>";
 					$allowedtransitions[] = $transition;
 				}
 				echo "</td>";