State selector: fix XSS vulnarability

Escape id_state value before rendering it to form javascript Related to thirtybees#774
eschiendorfer · Mar 23, 2022 · eae49f0 · eae49f0
1 parent ca1a05c
commit eae49f0
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/admin-dev/themes/default/template/helpers/form/form.tpl b/admin-dev/themes/default/template/helpers/form/form.tpl
@@ -1036,7 +1036,7 @@
 			{if isset($fields_value.id_state)}
 				if ($('#id_country') && $('#id_state'))
 				{
-					ajaxStates({$fields_value.id_state});
+					ajaxStates({$fields_value.id_state|intval});
 					$('#id_country').change(function() {
 						ajaxStates();
 					});