From 093cfe158099704ffd4a1624be217f9935e914eb Mon Sep 17 00:00:00 2001
From: Nik Okuntseff
Date: Fri, 5 May 2023 18:19:31 +0000
Subject: [PATCH] Addressed stored XSS vulnerability in week.php by escaping cell title.

---
 initialize.php | 2 +-
 week.php | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/initialize.php b/initialize.php
index 3b5b0fcf..ac6cd707 100644
--- a/initialize.php
+++ b/initialize.php
@@ -21,7 +21,7 @@
   die("mysqli_report function is not available."); // No point to continue as mysqli will not work.
 }
-define("APP_VERSION", "1.22.11.5782");
+define("APP_VERSION", "1.22.12.5783");
 define("APP_DIR", dirname(__FILE__));
 define("LIBRARY_DIR", APP_DIR."/WEB-INF/lib");
 define("TEMPLATE_DIR", APP_DIR."/WEB-INF/templates");
diff --git a/week.php b/week.php
index 9d96abfb..16a00dff 100644
--- a/week.php
+++ b/week.php
@@ -242,7 +242,7 @@ function render(&$table, $value, $row, $column, $selected = false) {
       $field->setValue($table->getValueAt($row,$column)['duration']); // Duration for even rows.
     } else {
       $field->setValue($table->getValueAt($row,$column)['note']); // Comment for odd rows.
-      $field->setTitle($table->getValueAt($row,$column)['note']); // Tooltip to help view the entire comment.
+      $field->setTitle(htmlspecialchars($table->getValueAt($row,$column)['note'])); // Tooltip to help view the entire comment.
     }
   } else {
     $field->setValue($table->getValueAt($row,$column)['duration']);
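Review bot: The new setTitle line in the week.php hunk calls htmlspecialchars with its default flags, which on PHP versions before 8.1 are ENT_COMPAT and leave single quotes unescaped, so if the tooltip is emitted inside a single-quoted title attribute the escape is incomplete; make the flags and charset explicit: `$field->setTitle(htmlspecialchars($table->getValueAt($row,$column)['note'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'));`. The setValue call on the line above receives the same untrusted note unescaped, presumably because the field class escapes its value at render time but not its title; that asymmetry deserves a comment such as `// Title is not escaped by the field renderer, unlike value, so escape it here.` so a later reader does not mistake it for an omission. Escaping at this one call site also leaves every other setTitle caller unprotected, so the more durable fix is to escape inside the field's title rendering and keep the call sites raw. render()'s body continues outside the hunk.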