From 8b5578e46e92ec37e75cc58f7308a969de097365 Mon Sep 17 00:00:00 2001
From: Jeroen Thora
Date: Sun, 21 Nov 2021 14:17:18 +0100
Subject: [PATCH] [AllBundles] Escape user input to avoid xss issues
---
 src/Kunstmaan/AdminBundle/Resources/ui/js/_slug-chooser.js | 3 ++-
 .../Resources/views/SeoTwigExtension/metadata.html.twig | 2 +-
 2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/src/Kunstmaan/AdminBundle/Resources/ui/js/_slug-chooser.js b/src/Kunstmaan/AdminBundle/Resources/ui/js/_slug-chooser.js
index 99659a7de8..24ec5da7da 100644
--- a/src/Kunstmaan/AdminBundle/Resources/ui/js/_slug-chooser.js
+++ b/src/Kunstmaan/AdminBundle/Resources/ui/js/_slug-chooser.js
@@ -47,7 +47,8 @@ kunstmaanbundles.slugChooser = (function(window, undefined) {
 return;
 }
- $preview.find('span').html(updatedUrl);
+ // Use jquery .text to escape user input value to avoid potential xss
+ $preview.find('span').text(updatedUrl);
 $preview.show();
 };
diff --git a/src/Kunstmaan/SeoBundle/Resources/views/SeoTwigExtension/metadata.html.twig b/src/Kunstmaan/SeoBundle/Resources/views/SeoTwigExtension/metadata.html.twig
index 6d5f44384c..602e7b073b 100644
--- a/src/Kunstmaan/SeoBundle/Resources/views/SeoTwigExtension/metadata.html.twig
+++ b/src/Kunstmaan/SeoBundle/Resources/views/SeoTwigExtension/metadata.html.twig
@@ -110,5 +110,5 @@
 {% endif %}
 {% if seo.getExtraMetadata() %}
- {{ seo.getExtraMetadata() | raw }}
+ {{ seo.getExtraMetadata()|escape('html')|raw }}
 {% endif %}
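Review bot: The comment on the added line describes the mechanism loosely — `.text()` does not "escape" the value, it sets the span's text content so the browser never parses `updatedUrl` as markup; I would word it `// .text() sets the span's text content, so markup in updatedUrl is shown literally instead of being parsed (XSS fix)`. The enclosing function starts and ends outside the hunk, so I cannot see whether `updatedUrl` is written anywhere else with `.html()` or inserted into a string-built selector; the rest of the file is worth checking for the same pattern. A unit test that feeds a value containing `<` into the chooser and asserts the span's `innerHTML` contains `&lt;` would pin the fix against regression.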
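Review bot: `|escape('html')|raw` on the added line is a redundant chain — `escape` already returns a value Twig treats as safe, so the trailing `|raw` changes nothing; with autoescaping on, the plain `{{ seo.getExtraMetadata() }}` yields the same output and reads as intended. More importantly, the previous `|raw` suggests this field was meant to carry raw markup such as extra `<meta>` elements (I cannot see what getExtraMetadata returns from here); fully escaping it makes any such content appear as literal text rather than head elements, so the behaviour change should be confirmed with whoever relies on that field, or replaced by a narrower approach that only permits the expected elements and attributes. A short note in the template, e.g. `{# extra metadata is rendered as text, never as markup #}`, would make the new contract explicit.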