From a743d8a2f9a2ec24120e80ab37b2b699bcfc2694 Mon Sep 17 00:00:00 2001
From: Greg Roach
Date: Wed, 15 Sep 2021 22:48:49 +0100
Subject: [PATCH] Fix: XSS vulnerability in some module titles
---
 app/Module/HtmlBlockModule.php | 2 +-
 app/Module/UserWelcomeModule.php | 4 ++--
 app/Module/WelcomeBlockModule.php | 2 +-
 3 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/app/Module/HtmlBlockModule.php b/app/Module/HtmlBlockModule.php
index 1c7e648b055..06126a3aced 100644
--- a/app/Module/HtmlBlockModule.php
+++ b/app/Module/HtmlBlockModule.php
@@ -108,7 +108,7 @@ public function getBlock(Tree $tree, int $block_id, string $context, array $conf
 'block' => Str::kebab($this->name()),
 'id' => $block_id,
 'config_url' => $this->configUrl($tree, $context, $block_id),
- 'title' => $title,
+ 'title' => e($title),
 'content' => $content,
 ]);
 }
diff --git a/app/Module/UserWelcomeModule.php b/app/Module/UserWelcomeModule.php
index e123c122f08..a2f0886f372 100644
--- a/app/Module/UserWelcomeModule.php
+++ b/app/Module/UserWelcomeModule.php
@@ -117,7 +117,7 @@ public function getBlock(Tree $tree, int $block_id, string $context, array $conf
 ];
 $content = view('modules/user_welcome/welcome', ['links' => $links]);
- $real_name = '' . e(Auth::user()->realName()) . '';
+ $real_name = "\u{2068}" . e(Auth::user()->realName()) . "\u{2069}";
 /* I18N: A %s is the user’s name */
 $title = I18N::translate('Welcome %s', $real_name);
@@ -127,7 +127,7 @@ public function getBlock(Tree $tree, int $block_id, string $context, array $conf
 'block' => Str::kebab($this->name()),
 'id' => $block_id,
 'config_url' => '',
- 'title' => $title,
+ 'title' => e($title),
 'content' => $content,
 ]);
 }
diff --git a/app/Module/WelcomeBlockModule.php b/app/Module/WelcomeBlockModule.php
index 8fc809d47df..3419cbd7cf2 100644
--- a/app/Module/WelcomeBlockModule.php
+++ b/app/Module/WelcomeBlockModule.php
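Review bot: `e($title)` at the `'title'` key escapes at the call site, but nothing in the code records that the block template emits this value unescaped, which is the only reason escaping here is correct and the reason the same pattern is needed at the `'title'` keys in UserWelcomeModule (@127) and WelcomeBlockModule (@123). A one-line comment above the key would make the contract explicit for the next caller that builds a title: `// The block template outputs 'title' raw, so it must be HTML-escaped here.` If the template actually escapes on output, this change double-encodes and the fix belongs in the template instead; that is worth confirming against the view, which is not in the diff. getBlock starts before this hunk.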
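Review bot: The user's name is now escaped twice on its way to the page, once by `e(Auth::user()->realName())` on the added line and again by `e($title)` in the @127 hunk of the same file, so a name containing `&`, `<` or a quote will render as entity text (an `&` shows up as `&amp;`) unless `e()` happens to be defined with double encoding disabled. As far as the two hunks show, `$real_name` feeds only `$title`, and `$title` is escaped as a whole when handed to the template, so the inner call should go: `$real_name = "\u{2068}" . Auth::user()->realName() . "\u{2069}";`. The two escape sequences are invisible control characters, so a comment naming them would help, e.g. `// Wrap the name in U+2068 FIRST STRONG ISOLATE / U+2069 POP DIRECTIONAL ISOLATE so its bidi direction does not leak into the surrounding text.` getBlock continues outside both hunks.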
@@ -123,7 +123,7 @@ public function getBlock(Tree $tree, int $block_id, string $context, array $conf
 'block' => Str::kebab($this->name()),
 'id' => $block_id,
 'config_url' => '',
- 'title' => $individual->tree()->title(),
+ 'title' => e($individual->tree()->title()),
 'content' => $content,
 ]);
 }