Merge branch 'fix-graph-xss' into 'v1.1.x'

Fix an XSS in the result graph See merge request framasoft/framadate/framadate!493
2021-10-18 14:12:34 +00:00 · 2021-10-18 14:12:34 +00:00 · 6e40f1cf02
parent e0028dc813 02229c671b
commit 6e40f1cf02
2 changed files with 5 additions and 1 deletions
--- a/app/inc/smarty.php
+++ b/app/inc/smarty.php
@ -73,6 +73,10 @@ function smarty_modifier_addslashes_single_quote($string) {
    return addcslashes($string, '\\\'');
 }

+function smarty_modifier_addslashes($string) {
+    return addslashes($string);
+}
+
 function smarty_modifier_html($html) {
    return Utils::htmlEscape($html);
 }
--- a/tpl/part/vote_table_classic.tpl
+++ b/tpl/part/vote_table_classic.tpl
@ -282,7 +282,7 @@
                });
                var cols = [
                {foreach $slots as $id=>$slot}
-                    $('<div/>').html('{$slot->title|markdown:true}').text(),
+                    "{$slot->title|markdown:true|addslashes}",
                {/foreach}
                ];