More XSS vulnerabilities

CHANGELOG.md

@@ -18,7 +18,7 @@
 - Fixed a bug where the “Keep me signed in” checkbox label wasn’t always accurately representing the `rememberedUserSessionDuration` config setting. ([#11594](https://github.com/craftcms/cms/discussions/11594))
 
 ### Security
-- Fixed an XSS vulnerability.
+- Fixed XSS vulnerabilities.
 
 ## 4.2.0.2 - 2022-07-27
 

src/helpers/Cp.php

@@ -1620,7 +1620,7 @@ private static function _fldTabHtml(FieldLayoutTab $tab, bool $customizable): st
                     $customizable ? 'draggable' : null,
                 ]),
             ]) .
-            Html::tag('span', $tab->name) .
+            Html::tag('span', Html::encode($tab->name)) .
             ($customizable
                 ? Html::a('', null, [
                     'role' => 'button',
@@ -1722,7 +1722,7 @@ private static function _fldFieldSelectorsHtml(string $groupName, array $groupFi
                 ]),
                 'data' => ['name' => mb_strtolower($groupName)],
             ]) .
-            Html::tag('h6', $groupName) .
+            Html::tag('h6', Html::encode($groupName)) .
             implode('', array_map(fn(BaseField $field) => self::_fldElementSelectorHtml($field, true, [
                 'class' => array_filter([
                     $fieldLayout->isFieldIncluded($field->attribute()) ? 'hidden' : null,

src/templates/settings/fields/index.twig

@@ -100,7 +100,7 @@
             isMissing: fieldIsMissing,
             label: fieldIsMissing ? field.expectedType : field.displayName()
         },
-        group: group ? group.name|t('site') : "<span class=\"error\">#{'(Ungrouped)'|t('app')}</span>",
+        group: group ? group.name|t('site')|e : "<span class=\"error\">#{'(Ungrouped)'|t('app')}</span>",
     }]) %}
 {% endfor %}