From 8f82826065d899a0076e8ce8da1d8ba8c6118230 Mon Sep 17 00:00:00 2001
From: Tom Udding <tomudding@users.noreply.github.com>
Date: Fri, 29 Nov 2024 20:05:01 +0100
Subject: [PATCH] fix: potential sources of XSS through BM/GMM body
 abbreviation and name

---
 module/Decision/view/decision/organ/index.phtml   | 4 ++--
 module/Frontpage/view/frontpage/organ/organ.phtml | 2 +-
 module/Frontpage/view/partial/organ-card.phtml    | 4 ++--
 3 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/module/Decision/view/decision/organ/index.phtml b/module/Decision/view/decision/organ/index.phtml
index 83380b2467..b00a9cf8b9 100644
--- a/module/Decision/view/decision/organ/index.phtml
+++ b/module/Decision/view/decision/organ/index.phtml
@@ -53,12 +53,12 @@ $this->headTitle($this->translate('Organ list'));
                             <tr>
                                 <td>
                                     <a style="display: block; height: 100%; width:100%" href="<?= $url ?>">
-                                        <?= $organ->getAbbr() ?>
+                                        <?= $this->escapeHtml($organ->getAbbr()) ?>
                                     </a>
                                 </td>
                                 <td>
                                     <a style="display: block; height: 100%; width:100%" href="<?= $url ?>">
-                                        <?= $organ->getName() ?>
+                                        <?= $this->escapeHtml($organ->getName()) ?>
                                     </a>
                                 </td>
                                 <td>
diff --git a/module/Frontpage/view/frontpage/organ/organ.phtml b/module/Frontpage/view/frontpage/organ/organ.phtml
index 90e8319309..c0a77c80cd 100644
--- a/module/Frontpage/view/frontpage/organ/organ.phtml
+++ b/module/Frontpage/view/frontpage/organ/organ.phtml
@@ -116,7 +116,7 @@ function getOrganDescription($organInformation, $lang)
         <?php endif ?>
         <div class="row">
             <div class="col-md-8">
-                <h1 class="h-wrap"><?= $organ->getName() ?></h1>
+                <h1 class="h-wrap"><?= $this->escapeHtml($organ->getName()) ?></h1>
                 <?php echo getOrganDescription($organInformation, $lang) ?>
             </div>
             <div class="col-md-4">
diff --git a/module/Frontpage/view/partial/organ-card.phtml b/module/Frontpage/view/partial/organ-card.phtml
index 706f380715..637eea4ddf 100644
--- a/module/Frontpage/view/partial/organ-card.phtml
+++ b/module/Frontpage/view/partial/organ-card.phtml
@@ -21,7 +21,7 @@ $organInformation = $organ->getApprovedOrganInformation()
                 <?php if (null !== $organInformation && null !== $organInformation->getThumbnailPath()): ?>
                     <img class="img-responsive" src="<?= $this->fileUrl($organInformation->getThumbnailPath()) ?>">
                 <?php endif ?>
-                <span class="card-title"><?= $organ->getAbbr() ?></span>
+                <span class="card-title"><?= $this->escapeHtml($organ->getAbbr()) ?></span>
                 <div class="card-details">
                     <?php if (null !== $organInformation): ?>
                         <?= $lang === 'en' ? $organInformation->getShortEnglishDescription() : $organInformation->getShortDutchDescription() ?>
@@ -30,7 +30,7 @@ $organInformation = $organ->getApprovedOrganInformation()
             </div><!-- card image -->
 
             <div class="card-content">
-                <span><?= $organ->getName() ?>
+                <span><?= $this->escapeHtml($organ->getName()) ?>
                     <?php if (null !== $organInformation && $this->acl('decision_service_acl')->isAllowed('organ', 'view')): ?>
                         <a href="mailto:<?= $organInformation->getEmail() ?>" class="pull-right">
                                 <span class="fas fa-envelope"></span>