From 0e4bce955f5c83f9667385a7acaa821ba8b73833 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Markus=20Fa=C3=9Fbender?=
Date: Sun, 2 Jan 2022 07:52:06 +0100
Subject: [PATCH] XSS possible within profile fields that contains urls #1144
---
 adm_program/system/classes/ProfileFields.php | 1 +
 1 file changed, 1 insertion(+)
diff --git a/adm_program/system/classes/ProfileFields.php b/adm_program/system/classes/ProfileFields.php
index 59ae3db532..aef8c292c4 100644
--- a/adm_program/system/classes/ProfileFields.php
+++ b/adm_program/system/classes/ProfileFields.php
@@ -168,6 +168,7 @@ public function getHtmlValue($fieldNameIntern, $value, $value2 = null)
 if ($value != '') {
 // create html for each field type
+ $value = SecurityUtils::encodeHTML(StringUtils::strStripTags($value));
 $htmlValue = $value;
 $usfType = $this->mProfileFields[$fieldNameIntern]->getValue('usf_type');
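Review bot: The added `$value = SecurityUtils::encodeHTML(StringUtils::strStripTags($value));` runs before the per-type dispatch on `$usfType`, so every branch of `getHtmlValue` now receives an already-escaped value; any branch that escapes again will double-encode (`&amp;amp;`), and if a branch places `$value` into an `href` attribute, HTML-entity encoding does not constrain the URL scheme, so a scheme allow-list check at that sink is still needed (inferred — the branches are outside the hunk). Stripping tags before encoding is also lossy: a legitimate value containing `<` loses characters instead of being shown escaped, so encoding alone at the output sink may be the safer choice. `$value2` is passed into the same function but is not treated by the added line; if any branch renders it, it needs the same handling. A comment on the added line such as `// escaped once here for all field types; type branches below must not escape again` would stop later maintainers from re-escaping. `getHtmlValue` begins and ends outside this hunk.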