fixed xss in timesheet description (#962)
kevinpapst committed Jul 14, 2019
1 parent e68b7da commit a0e8aa3
Showing 7 changed files with 7 additions and 7 deletions.
2 changes: 1 addition & 1 deletion src/Twig/MarkdownExtension.php
Expand Up @@ -77,6 +77,6 @@ public function timesheetContent($content): string
*/
public function markdownToHtml(string $content): string
{
return $this->markdown->toHtml($content, true);
return $this->markdown->toHtml($content, false);
}
}
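Review bot: The flipped positional boolean in `return $this->markdown->toHtml($content, false);` is opaque — nothing in this file says what the second parameter of `toHtml()` controls, and the hunk header names `timesheetContent` while the visible method is `markdownToHtml`, so it is not obvious which Twig filter is affected. If that parameter is a "safe mode"/escape flag, passing `false` switches the parser's own sanitisation off for this filter and the commit then relies entirely on callers having escaped first; if it means the opposite, that intent still deserves to be written down. Add a why-comment on the call, e.g. `// second argument: <meaning taken from the Markdown class>; templates pass pre-escaped text (|escape|desc2html)`, and consider a named constant or two explicitly named methods instead of a bare `true`/`false`. The `timesheetContent` method mentioned in the hunk header lies outside this hunk.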
2 changes: 1 addition & 1 deletion templates/export/renderer/default.html.twig
Expand Up @@ -276,7 +276,7 @@
</td>
<td class="column-description" {% if not columns.description %}style="display: none"{% endif %}>
{% if entry.description is not empty %}
{{ entry.description|desc2html }}
{{ entry.description|escape|desc2html }}
{% endif %}
</td>
<td class="column-exported" {% if not columns.exported %}style="display: none"{% endif %}>
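Review bot: `|escape` in `{{ entry.description|escape|desc2html }}` neutralises literal HTML in the description, but Markdown link syntax survives HTML escaping untouched (`[`, `]`, `(`, `)` and `:` are not escaped), so `desc2html` can still turn `[x](javascript:alert(1))` into a live `<a href="javascript:…">` unless the Markdown parser behind the filter rejects unsafe URL schemes itself. Please confirm that parser runs with safe mode or a scheme allowlist enabled rather than depending solely on this pre-escape, and add a regression test with such a description if none exists.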
2 changes: 1 addition & 1 deletion templates/export/renderer/pdf.html.twig
Expand Up @@ -151,7 +151,7 @@ mpdf-->
{{ entry.project.customer.name }} - {{ entry.project.name }} - {{ entry.activity.name }}
{% if entry.description is not empty %}
<br>
<i>{{ entry.description|desc2html }}</i>
<i>{{ entry.description|escape|desc2html }}</i>
{% endif %}
</td>
<td class="duration">{{ entry.duration|duration }}</td>
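Review bot: Entity-escaping before Markdown conversion in `<i>{{ entry.description|escape|desc2html }}</i>` changes what users see in the PDF, not only what attackers can inject: a line starting with `>` becomes `&gt;` and is no longer a blockquote, `"` inside link titles becomes `&quot;`, and `&` may be encoded twice if the parser escapes text again. That is an acceptable trade for an XSS fix, but it is a visible behaviour change in exported documents that the commit message does not mention; a short note in the changelog and a rendering test covering `>`/`&`/`"` in descriptions would make the regression risk explicit.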
2 changes: 1 addition & 1 deletion templates/invoice/index.html.twig
Expand Up @@ -56,7 +56,7 @@
<td class="{{ tables.data_table_column_class(tableName, columns, 'user') }}">{{ widgets.label_user(entry.user) }}</td>
<td class="{{ tables.data_table_column_class(tableName, columns, 'description') }} timesheet-description">
{% if entry.description is not empty %}
{{ entry.description|desc2html }}
{{ entry.description|escape|desc2html }}
{% else %}
{{ entry.activity.name }} / {{ entry.project.name }}
{% endif %}
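Review bot: The fix depends on every template remembering to put `|escape` in front of `desc2html`; this commit patches six call sites, and any other or future use of `desc2html` on user-controlled text stays exploitable. Escaping inside the `desc2html` filter implementation, before Markdown conversion, would make the filter safe by construction and let this line return to `{{ entry.description|desc2html }}`. Also verify how the filter is registered: with `is_safe: ['html']` the `|escape` here is the only barrier, and without it Twig's autoescape will escape the generated markup a second time and the page will show raw tags.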
2 changes: 1 addition & 1 deletion templates/timesheet-team/export.html.twig
Expand Up @@ -49,7 +49,7 @@
<td>
{% if entry.description is not empty %}
<div>
{{ entry.description|desc2html }}
{{ entry.description|escape|desc2html }}
</div>
{% endif %}
<span class="small">
2 changes: 1 addition & 1 deletion templates/timesheet/export.html.twig
Expand Up @@ -41,7 +41,7 @@
<td>
{% if entry.description is not empty %}
<div>
{{ entry.description|desc2html }}
{{ entry.description|escape|desc2html }}
</div>
{% endif %}
<span class="small">
2 changes: 1 addition & 1 deletion templates/timesheet/index.html.twig
Expand Up @@ -95,7 +95,7 @@
<td class="{{ tables.data_table_column_class(tableName, columns, 'customer') }}">{{ widgets.label_customer(entry.project.customer) }}</td>
<td class="{{ tables.data_table_column_class(tableName, columns, 'project') }}">{{ widgets.label_project(entry.project) }}</td>
<td class="{{ tables.data_table_column_class(tableName, columns, 'activity') }}">{{ widgets.label_activity(entry.activity) }}</td>
<td class="{{ tables.data_table_column_class(tableName, columns, 'description') }} timesheet-description">{{ entry.description|desc2html }}</td>
<td class="{{ tables.data_table_column_class(tableName, columns, 'description') }} timesheet-description">{{ entry.description|escape|desc2html }}</td>
<td class="{{ tables.data_table_column_class(tableName, columns, 'tags') }}">{{ widgets.tag_list(entry.tags) }}</td>
<td class="actions">
{{- actions.timesheet(entry, 'index') -}}
