Fix widget title injection vulnerability (#13452)
Prevent HTML/JS code from being injected into widget titles.
murrant committed Oct 30, 2021
1 parent 5900edb commit 99d2462
Showing 2 changed files with 2 additions and 2 deletions.
2 changes: 1 addition & 1 deletion app/Http/Controllers/OverviewController.php
Expand Up @@ -103,7 +103,7 @@ public function default(Request $request)
$data = serialize(json_encode($data));
$dash_config = unserialize($data);
$hide_dashboard_editor = UserPref::getPref($user, 'hide_dashboard_editor');
$widgets = Widget::select('widget_id', 'widget_title')->orderBy('widget_title')->get();
$widgets = Widget::select(['widget_id', 'widget_title'])->orderBy('widget_title')->get();

$user_list = [];
if ($user->can('manage', User::class)) {
2 changes: 1 addition & 1 deletion app/Http/Controllers/Widgets/WidgetController.php
Expand Up @@ -142,7 +142,7 @@ private function formatResponse($view, $title, $settings, $status = 'ok')

return response()->json([
'status' => $status,
'title' => __($title),
'title' => htmlentities(__($title)),
'html' => $html,
'show_settings' => $show_settings,
'settings' => $settings,
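Review bot: The new `'title' => htmlentities(__($title))` line relies on htmlentities' default flags, and ENT_QUOTES only became part of that default in PHP 8.1; on older runtimes a single quote passes through unescaped, so a title that the client drops into a single-quoted attribute can still break out of it. Make the flags and charset explicit so the behaviour does not depend on the PHP version, e.g. `'title' => htmlspecialchars(__($title), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'),` — Laravel's `e()` helper does the same and would match the rest of the codebase. Since this value travels in a JSON payload, the escaping is only correct if every consumer inserts it as HTML; a consumer that assigns it as text (textContent or a framework text binding) will render the entities literally, which is worth a one-line comment such as `// title is HTML-escaped here; clients must insert it as markup, not as text`. formatResponse starts before and ends after this hunk, so I cannot see whether `$html` receives the same treatment.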
