refs #3813 escape html title attribute to avoid possible XSS

matomo-org · Apr 20, 2013 · ab74f93 · ab74f93
1 parent 25a5ac6
commit ab74f93
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/plugins/CoreHome/templates/datatable_cell.tpl b/plugins/CoreHome/templates/datatable_cell.tpl
@@ -10,7 +10,7 @@
     {logoHtml metadata=$row.metadata alt=$row.columns.label}
     {if !empty($row.metadata.html_label_prefix)}<span class='label-prefix'>{$row.metadata.html_label_prefix}</span>{/if}
     <span class='label{if !empty($row.metadata.is_aggregate) && $row.metadata.is_aggregate } highlighted{/if}'
-          {if !empty($properties.tooltip_metadata_name)}title="{$row.metadata[$properties.tooltip_metadata_name]}"{/if}>{* make sure there are no whitespaces inside the span
+          {if !empty($properties.tooltip_metadata_name)}title="{$row.metadata[$properties.tooltip_metadata_name]|escape:'html'}"{/if}>{* make sure there are no whitespaces inside the span
 *}{if !empty($row.metadata.html_label_suffix)}<span class='label-suffix'>{$row.metadata.html_label_suffix}</span>{/if}
         {/if}{*
 *}{if isset($row.columns[$column])}{$row.columns[$column]}{else}{$defaultWhenColumnValueNotDefined}{/if}{*