fix: potential sources of XSS through BM/GMM body abbreviation and name

GEWIS · Nov 29, 2024 · 8f82826 · 8f82826
1 parent 84e73b0
commit 8f82826
Show file tree

Hide file tree

Showing 3 changed files with 5 additions and 5 deletions.
diff --git a/module/Decision/view/decision/organ/index.phtml b/module/Decision/view/decision/organ/index.phtml
@@ -53,12 +53,12 @@ $this->headTitle($this->translate('Organ list'));
                             <tr>
                                 <td>
                                     <a style="display: block; height: 100%; width:100%" href="<?= $url ?>">
-                                        <?= $organ->getAbbr() ?>
+                                        <?= $this->escapeHtml($organ->getAbbr()) ?>
                                     </a>
                                 </td>
                                 <td>
                                     <a style="display: block; height: 100%; width:100%" href="<?= $url ?>">
-                                        <?= $organ->getName() ?>
+                                        <?= $this->escapeHtml($organ->getName()) ?>
                                     </a>
                                 </td>
                                 <td>

diff --git a/module/Frontpage/view/frontpage/organ/organ.phtml b/module/Frontpage/view/frontpage/organ/organ.phtml
@@ -116,7 +116,7 @@ function getOrganDescription($organInformation, $lang)
         <?php endif ?>
         <div class="row">
             <div class="col-md-8">
-                <h1 class="h-wrap"><?= $organ->getName() ?></h1>
+                <h1 class="h-wrap"><?= $this->escapeHtml($organ->getName()) ?></h1>
                 <?php echo getOrganDescription($organInformation, $lang) ?>
             </div>
             <div class="col-md-4">

diff --git a/module/Frontpage/view/partial/organ-card.phtml b/module/Frontpage/view/partial/organ-card.phtml
@@ -21,7 +21,7 @@ $organInformation = $organ->getApprovedOrganInformation()
                 <?php if (null !== $organInformation && null !== $organInformation->getThumbnailPath()): ?>
                     <img class="img-responsive" src="<?= $this->fileUrl($organInformation->getThumbnailPath()) ?>">
                 <?php endif ?>
-                <span class="card-title"><?= $organ->getAbbr() ?></span>
+                <span class="card-title"><?= $this->escapeHtml($organ->getAbbr()) ?></span>
                 <div class="card-details">
                     <?php if (null !== $organInformation): ?>
                         <?= $lang === 'en' ? $organInformation->getShortEnglishDescription() : $organInformation->getShortDutchDescription() ?>
@@ -30,7 +30,7 @@ $organInformation = $organ->getApprovedOrganInformation()
             </div><!-- card image -->
 
             <div class="card-content">
-                <span><?= $organ->getName() ?>
+                <span><?= $this->escapeHtml($organ->getName()) ?>
                     <?php if (null !== $organInformation && $this->acl('decision_service_acl')->isAllowed('organ', 'view')): ?>
                         <a href="mailto:<?= $organInformation->getEmail() ?>" class="pull-right">
                                 <span class="fas fa-envelope"></span>