XSS possible within profile fields that contains urls #1144

Admidio · Jan 2, 2022 · 0e4bce9 · 0e4bce9
1 parent 0b174b8
commit 0e4bce9
Showing 1 changed file with 1 addition and 0 deletions.
diff --git a/adm_program/system/classes/ProfileFields.php b/adm_program/system/classes/ProfileFields.php
@@ -168,6 +168,7 @@ public function getHtmlValue($fieldNameIntern, $value, $value2 = null)
         if ($value != '')
         {
             // create html for each field type
+            $value = SecurityUtils::encodeHTML(StringUtils::strStripTags($value));
             $htmlValue = $value;
 
             $usfType = $this->mProfileFields[$fieldNameIntern]->getValue('usf_type');