fix: [security] genericForm reflected XSS in form descriptions for user controlled descriptions

- accessible via the MISP local tool setting change
- sanitise the description

- as reported by Dawid Czarnecki from Zigrin Security
iglocska committed Feb 3, 2022
1 parent 5fbd538 commit e60d97c
Showing 1 changed file with 3 additions and 3 deletions.
6 changes: 3 additions & 3 deletions templates/element/genericElements/Form/genericForm.php
Expand Up @@ -106,7 +106,7 @@
'%s%s%s%s%s%s',
empty($data['description']) ? '' : sprintf(
'<div class="pb-2 fw-light">%s</div>',
$data['description']
h($data['description'])
),
$ajaxFlashMessage,
$formCreate,
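Review bot: h() is the right escaper for this spot, since the description lands as a text node inside `'<div class="pb-2 fw-light">%s</div>'`, but it encodes for HTML text context only, so any caller that deliberately passed markup in `$data['description']` (a link, emphasis) will now see it rendered literally. Worth confirming no existing form definition relies on HTML in the description before merging; if some do, the fix should be a whitelist-based purifier at the source rather than h() at the sink, and the commit message should say which behaviour was chosen.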
Expand All @@ -131,7 +131,7 @@
'%s%s%s%s%s%s',
empty($data['description']) ? '' : sprintf(
'<div class="pb-2">%s</div>',
$data['description']
h($data['description'])
),
$ajaxFlashMessage,
$formCreate,
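Review bot: this is the second of three near-identical branches that each wrap `$data['description']` separately, and the original bug exists precisely because every branch had to remember to escape. Consider computing the escaped value once before the branches, e.g. `$description = empty($data['description']) ? '' : h($data['description']);`, and referencing `$description` in each sprintf, so a fourth layout added later cannot reintroduce the XSS. Minor, pre-existing: `empty()` also treats the string "0" as empty, so a description of "0" is silently dropped.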
Expand All @@ -157,7 +157,7 @@
$ajaxFlashMessage,
empty($data['description']) ? '' : sprintf(
'<div class="pb-3 fw-light">%s</div>',
$data['description']
h($data['description'])
),
sprintf('<div class="panel">%s</div>', $fieldsString),
empty($metaTemplateString) ? '' : $this->element(
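Review bot: no regression test accompanies the change; a template test that renders genericForm with a description such as `<script>alert(1)</script>` and asserts the output contains `&lt;script&gt;` rather than a script tag would lock this in for all three branches. While here, the same template interpolates other values via sprintf (`$fieldsString`, `$metaTemplateString`, `$ajaxFlashMessage`); the hunks do not show where those are built, so it is worth checking that any user-controlled text reaching them is escaped at its own source, since the pattern that caused this bug is copy-pasted across the file.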