fix: [security] XSS in the user homepage favourite button

- navigating to a url in MISP with the URL containing a javascript payload would cause the execution of reflected xss - automatically sanitised by modern browsers, but still confirmed via raw curl fetches
MISP · Jan 19, 2021 · 8283e0f · 8283e0f
1 parent 829c319
commit 8283e0f
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/app/View/Elements/global_menu.ctp b/app/View/Elements/global_menu.ctp
@@ -464,7 +464,7 @@
                     (!empty($homepage['path']) && $homepage['path'] === $this->here) ? 'orange' : '',
 		    __('Set the current page as your home page in MISP'),
 		    __('Set the current page as your home page in MISP'),
-                    $this->here
+                    h($this->here)
                 )
             ),
             array(