Using HTML <img> tag when render icon_url (#1119)

* Using HTML `<img>` tag when render icon_url Fix bug stored xss in icon_url Disclosure: https://huntr.dev/bounties/e7ae5152-2997-461b-a783-c942a12589c2/ * Add `htmlspecialchars` for value in function `twig_img_tag` — Convert special characters to HTML entities Using `img_tag` for render icon_url
boxbilling · Dec 3, 2021 · fc03c95 · fc03c95
1 parent f9fb8eb
commit fc03c95
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/src/bb-library/Box/TwigExtensions.php b/src/bb-library/Box/TwigExtensions.php
@@ -181,7 +181,7 @@ function twig_asset_url(Twig\Environment $env, $asset)
 function twig_img_tag($path, $alt = null)
 {
     $alt = is_null($alt) ? pathinfo($path, PATHINFO_BASENAME) : $alt;
-    return sprintf('<img src="%s" alt="%s" title="%s"/>', $path, $alt, $alt);
+    return sprintf('<img src="%s" alt="%s" title="%s"/>', htmlspecialchars($path), htmlspecialchars($alt), htmlspecialchars($alt));
 }
 
 function twig_script_tag($path)