fix: [security] Stored XSS when forking a galaxy cluster

As reported by Giuseppe Diego Gianni
MISP · Jul 26, 2021 · 78edbbc · 78edbbc
1 parent a2f18fd
commit 78edbbc
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/app/View/GalaxyClusters/add.ctp b/app/View/GalaxyClusters/add.ctp
@@ -5,7 +5,7 @@
     if (isset($forkedClusterMeta)) {
         foreach ($forkedClusterMeta as $key => $value) {
             if (is_array($value)) {
-                $forkedClusterHtmlPreview .= sprintf('<div><b>%s: </b><div data-toggle="json" class="large-left-margin">%s</div></div>', h($key), json_encode($value));
+                $forkedClusterHtmlPreview .= sprintf('<div><b>%s: </b><div data-toggle="json" class="large-left-margin">%s</div></div>', h($key), json_encode(h($value)));
             } else {
                 $forkedClusterHtmlPreview .= sprintf('<div><b>%s: </b>%s</div>', h($key), h($value));
             }