From dcad6626013cb000a94d77d07cd3933822424f4f Mon Sep 17 00:00:00 2001
From: Michael J Rubinsky
Date: Tue, 25 Sep 2018 12:12:35 -0400
Subject: [PATCH] Bug: 14857 Escape user supplied color data, preventing XSS vuln.
---
 lib/View/Sidebar.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/View/Sidebar.php b/lib/View/Sidebar.php
index 6188b8e2..9baadc3b 100644
--- a/lib/View/Sidebar.php
+++ b/lib/View/Sidebar.php
@@ -221,7 +221,7 @@ public function addRow(array $row, $container = '')
 if (strlen($row['style'])) {
 $row['style'] .= ';';
 }
- $row['style'] .= 'background-color:' . $row['color']
+ $row['style'] .= 'background-color:' . htmlspecialchars($row['color'])
 . ';color:#' . $foreground;
 if (isset($row['edit'])) {
 $row['editLink'] = $row['edit']
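Review bot: The `htmlspecialchars($row['color'])` call on the added line relies on default flags, which on the PHP versions current at this commit's date (pre-8.1) leave single quotes unescaped, so if the assembled `style` string is ever emitted inside a single-quoted attribute the escape is incomplete; pass the flags explicitly, `htmlspecialchars($row['color'], ENT_QUOTES, 'UTF-8')`. HTML-escaping also only protects the attribute boundary, not the CSS context the value lands in: a color should be validated against a strict pattern (hex or a named color) before being concatenated into `background-color:`, with anything else dropped, since otherwise the value reaches the stylesheet verbatim. `$foreground` is joined into the same string on the following context line but is computed outside the hunk, so whether it is user-derived and needs the same treatment cannot be judged here. If the template later escapes the attribute itself, this call double-encodes; a one-line comment at the new line stating where `$row['style']` is emitted and why escaping happens here would settle that for the next reader. addRow's body continues outside the hunk.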