fix: added missing conversion to HTML entities

thorsten · Oct 4, 2023 · 5310cb8 · 5310cb8
1 parent 4dc881a
commit 5310cb8
Show file tree

Hide file tree

Showing 2 changed files with 3 additions and 2 deletions.
diff --git a/phpmyfaq/admin/record.edit.php b/phpmyfaq/admin/record.edit.php
@@ -484,7 +484,7 @@ class="form-control">
                                                     printf(
                                                         '<li><a href="../%s">%s</a> ',
                                                         $att->buildUrl(),
-                                                        $att->getFilename()
+                                                        Strings::htmlentities($att->getFilename())
                                                     );
                                                     if ($user->perm->hasPermission($currentUserId, 'delattachment')) {
                                                         printf(

diff --git a/phpmyfaq/src/phpMyFAQ/Helper/AttachmentHelper.php b/phpmyfaq/src/phpMyFAQ/Helper/AttachmentHelper.php
@@ -18,6 +18,7 @@
 namespace phpMyFAQ\Helper;
 
 use phpMyFAQ\Attachment\AttachmentAbstract;
+use phpMyFAQ\Strings;
 use phpMyFAQ\Translation;
 
 /**
@@ -45,7 +46,7 @@ public function renderAttachmentList(array $attachmentList): string
                 '<li><i class="fa fa-%s" aria-hidden="true"></i> <a href="%s">%s</a></li>',
                 $this->mapMimeTypeToIcon($attachment->getMimeType()),
                 $attachment->buildUrl(),
-                $attachment->getFilename()
+                Strings::htmlentities($attachment->getFilename())
             );
         }