From ce676eb9e9d8cb7864f36ee124e838b1ad15415f Mon Sep 17 00:00:00 2001
From: Thorsten Rinne
Date: Fri, 27 Jan 2023 07:29:22 +0100
Subject: [PATCH] fix: added missing conversion to HTML entities
---
 phpmyfaq/admin/report.view.php | 11 ++++++-----
 phpmyfaq/src/phpMyFAQ/Report.php | 4 +---
 2 files changed, 7 insertions(+), 8 deletions(-)
diff --git a/phpmyfaq/admin/report.view.php b/phpmyfaq/admin/report.view.php
index 23c3d025c9..f0f0b9be4d 100644
--- a/phpmyfaq/admin/report.view.php
+++ b/phpmyfaq/admin/report.view.php
@@ -20,6 +20,7 @@
 use phpMyFAQ\Filter;
 use phpMyFAQ\Report;
+use phpMyFAQ\Strings;
 if (!defined('IS_VALID_PHPMYFAQ')) {
 http_response_code(400);
@@ -80,12 +81,12 @@
 if (0 != $data['category_parent']) {
 printf('%s', $data['category_parent']);
 } else {
- printf('%s', $data['category_name']);
+ printf('%s', Strings::htmlentities($data['category_name'] ?? ''));
 }
 }
 if ($useSubcategory) {
 if (0 != $data['category_parent']) {
- printf('%s', $data['category_name']);
+ printf('%s', Strings::htmlentities($data['category_name']));
 } else {
 echo 'n/a';
 }
@@ -103,16 +104,16 @@
 printf('%s', $data['faq_sticky']);
 }
 if ($useTitle) {
- printf('%s', $data['faq_question']);
+ printf('%s', Strings::htmlentities($data['faq_question']));
 }
 if ($useCreationDate) {
 printf('%s', $data['faq_updated']);
 }
 if ($useOwner) {
- printf('%s', $data['faq_org_author']);
+ printf('%s', Strings::htmlentities($data['faq_org_author']));
 }
 if ($useLastModified) {
- printf('%s', $data['faq_last_author']);
+ printf('%s', Strings::htmlentities($data['faq_last_author'] ?? ''));
 }
 if ($useUrl) {
 $url = sprintf(
diff --git a/phpmyfaq/src/phpMyFAQ/Report.php b/phpmyfaq/src/phpMyFAQ/Report.php
index 555a123810..7b2df0823a 100644
--- a/phpmyfaq/src/phpMyFAQ/Report.php
+++ b/phpmyfaq/src/phpMyFAQ/Report.php
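Review bot: In the `@@ -80,12 +81,12 @@` hunk of report.view.php the `$useCategory` branch still writes `$data['category_parent']` to the page without encoding, and the `@@ -103,16 +104,16 @@` hunk does the same for `$data['faq_sticky']` and `$data['faq_updated']`. The `0 != $data['category_parent']` test suggests an id, and the other two look like a flag and a timestamp, but nothing at the output point enforces that. Encoding every cell where it is printed keeps the view safe if a column's type or source changes later; the argument would become `Strings::htmlentities((string) $data['category_parent'])`, and likewise for the other two. The loop that encloses these branches starts and ends outside the hunks shown.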
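Review bot: Null handling is inconsistent across the new `Strings::htmlentities()` calls in the `@@ -103,16 +104,16 @@` hunk of report.view.php: `faq_last_author` gets `?? ''`, while `faq_question` and `faq_org_author` are passed as they come, as is the second `category_name` call in the previous hunk. The signature of `Strings::htmlentities()` is not visible here, but if it declares a non-nullable `string` parameter, a null column raises a TypeError and aborts the report instead of rendering an empty cell. Either add a short comment stating that these columns cannot be null, or apply the same fallback everywhere, e.g. `Strings::htmlentities($data['faq_org_author'] ?? '')`. The `$useUrl` block at the end of the hunk continues outside it.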
@@ -145,8 +145,6 @@ public function convertEncoding(string $outputString = ''): string
 }
 $toBeRemoved = ['=', '+', '-', 'HYPERLINK'];
- $outputString = str_replace($toBeRemoved, '', $outputString);
-
- return $outputString;
+ return str_replace($toBeRemoved, '', $outputString);
 }
 }
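Review bot: The `$toBeRemoved` list behind the new `return str_replace($toBeRemoved, '', $outputString);` line reads like a spreadsheet-formula filter for the exported report, but nothing in `convertEncoding()` says so and the method name suggests only a charset conversion. A comment above the list would stop a later cleanup from dropping it, for example `// Strip characters that spreadsheet applications treat as formula triggers in exported cells.` As written the filter is also lossy and narrow: it deletes every `-`, `+` and `=` from ordinary titles, matches `HYPERLINK` case-sensitively, and leaves `@` alone. Neutralising only a leading trigger character, by prefixing the cell with `'`, is the more usual defence. The body of `convertEncoding()` begins before this hunk, so the export use is inferred rather than seen.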