Fix h1 report 173501

Persistent XSS --------------- The HackerOne user pavanw3b has reported that the Revive Adserver was vulnerable to a persistent XSS attack: an authenticated user could set their own email address to a specifically crafted string which was then displayed without proper escaping in the context of other users (e.g. the administrator user), giving them an opportunity to steal a session with elevated privileges. CWE-ID: CWE-79 CVSSv3 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C CVSSv3 Base Score: 4.2 CVSSv3 Temporal Score: 3.7
revive-adserver · Jan 24, 2017 · 0b311d3fd66e7dec45e1d784af4d209a4ce18be3 · 0b311d3
1 parent b088012
commit 0b311d3fd66e7dec45e1d784af4d209a4ce18be3
Unified Split

Showing with 2 additions and 2 deletions.

+2 −2 lib/templates/admin/user-access.html
diff --git a/lib/templates/admin/user-access.html b/lib/templates/admin/user-access.html
@@ -44,10 +44,10 @@
    <tbody class="{$rowType}">
      <tr height="25" {if $user.justModified}class="hl"{/if}>
      {if $sso}
-        <td class="first"><a href="{$editPage}?userid={$user.user_id}{if $entityIdName}&amp;{$entityIdName}={$entityIdValue}{/if}">{$user.email_address}</a></td>
+        <td class="first"><a href="{$editPage}?userid={$user.user_id}{if $entityIdName}&amp;{$entityIdName}={$entityIdValue}{/if}">{$user.email_address|escape}</a></td>
      {else}
        <td class="first"><a href="{$editPage}?userid={$user.user_id}{if $entityIdName}&amp;{$entityIdName}={$entityIdValue}{/if}">{$user.username|escape}</a></td>
-        <td><a href="{$editPage}?userid={$user.user_id}{if $entityIdName}&amp;{$entityIdName}={$entityIdValue}{/if}">{$user.email_address}</a></td>
+        <td><a href="{$editPage}?userid={$user.user_id}{if $entityIdName}&amp;{$entityIdName}={$entityIdValue}{/if}">{$user.email_address|escape}</a></td>
      {/if}
        <td>{$user.contact_name|escape}</td>
      {if $sso}