#9306 Escape context names in form field labels

pkp · Sep 15, 2023 · d4111c4 · d4111c4
1 parent 8b26ee4
commit d4111c4
Show file tree

Hide file tree

Showing 3 changed files with 3 additions and 3 deletions.
diff --git a/classes/components/forms/context/PKPRestrictBulkEmailsForm.inc.php b/classes/components/forms/context/PKPRestrictBulkEmailsForm.inc.php
@@ -38,7 +38,7 @@ public function __construct($action, $context, $userGroups) {
 		while ($userGroup = $userGroups->next()) {
 			$userGroupOptions[] = [
 				'value' => $userGroup->getId(),
-				'label' => $userGroup->getLocalizedData('name'),
+				'label' => htmlspecialchars($userGroup->getLocalizedData('name')),
 			];
 		}
 

diff --git a/classes/components/forms/site/PKPSiteBulkEmailsForm.inc.php b/classes/components/forms/site/PKPSiteBulkEmailsForm.inc.php
@@ -41,7 +41,7 @@ public function __construct($action, $site, $contexts) {
 		foreach ($contexts as $context) {
 			$options[] = [
 				'value' => $context->id,
-				'label' => $context->name,
+				'label' => htmlspecialchars($context->name),
 			];
 		}
 

diff --git a/classes/components/forms/site/PKPSiteConfigForm.inc.php b/classes/components/forms/site/PKPSiteConfigForm.inc.php
@@ -49,7 +49,7 @@ public function __construct($action, $locales, $site) {
 		foreach ($contextsIterator as $context) {
 			$options[] = [
 				'value' => $context->getId(),
-				'label' => $context->getLocalizedData('name'),
+				'label' => htmlspecialchars($context->getLocalizedData('name')),
 			];
 		}
 		if (count($options) > 1) $this->addField(new FieldSelect('redirect', [