From fc03c95f8309a19155279e33b9f57a2fe4c5756e Mon Sep 17 00:00:00 2001
From: lethanhphuc <31820707+noobpk@users.noreply.github.com>
Date: Fri, 3 Dec 2021 13:26:43 +0700
Subject: [PATCH] Using HTML `` tag when render icon_url (#1119)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* Using HTML `` tag when render icon_url

Fix bug stored xss in icon_url

Disclosure: https://huntr.dev/bounties/e7ae5152-2997-461b-a783-c942a12589c2/

* Add `htmlspecialchars` for value in function `twig_img_tag` — Convert special characters to HTML entities

Using `img_tag` for render icon_url
---
 src/bb-library/Box/TwigExtensions.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/bb-library/Box/TwigExtensions.php b/src/bb-library/Box/TwigExtensions.php
index 610033e32..794241b4b 100644
--- a/src/bb-library/Box/TwigExtensions.php
+++ b/src/bb-library/Box/TwigExtensions.php
@@ -181,7 +181,7 @@ function twig_asset_url(Twig\Environment $env, $asset)
 function twig_img_tag($path, $alt = null)
 {
     $alt = is_null($alt) ? pathinfo($path, PATHINFO_BASENAME) : $alt;
-    return sprintf('%s', $path, $alt, $alt);
+    return sprintf('%s', htmlspecialchars($path), htmlspecialchars($alt), htmlspecialchars($alt));
 }
 
 function twig_script_tag($path)
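Review bot: The three `htmlspecialchars()` calls on the added `return` line rely on the default flags, which before PHP 8.1 are `ENT_COMPAT | ENT_HTML401`: `"` is encoded but `'` is not, and an invalid UTF-8 sequence in `$path` or `$alt` makes the call return an empty string instead of an escaped one. That is only adequate while every attribute the values are interpolated into stays double-quoted, so the flags should be stated explicitly and `$alt` escaped once rather than twice: `$alt = htmlspecialchars($alt, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');` followed by `$src = htmlspecialchars($path, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');` and `return sprintf(..., $src, $alt, $alt);` with the existing format string kept. Because the escaping now happens inside the helper, the Twig registration of `img_tag` (outside this hunk) presumably marks it `is_safe => ['html']`; if it does not, autoescape will double-encode the output, and if it does, any sibling helper registered the same way needs the same treatment. The `sprintf` format string as shown on this page appears to have lost its `<img …>` markup in rendering, so the attribute quoting itself could not be verified from the hunk.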