Merge pull request #3038 from acrobat/xss-fixes

[AllBundles] Escape user input to avoid xss issues
Kunstmaan · Nov 22, 2021 · b58d64a · b58d64a
2 parents e9e82ee + 8b5578e
commit b58d64a
Show file tree

Hide file tree

Showing 2 changed files with 3 additions and 2 deletions.
diff --git a/src/Kunstmaan/AdminBundle/Resources/ui/js/_slug-chooser.js b/src/Kunstmaan/AdminBundle/Resources/ui/js/_slug-chooser.js
@@ -47,7 +47,8 @@ kunstmaanbundles.slugChooser = (function(window, undefined) {
             return;
         }
 
-        $preview.find('span').html(updatedUrl);
+        // Use jquery .text to escape user input value to avoid potential xss
+        $preview.find('span').text(updatedUrl);
         $preview.show();
     };
 

diff --git a/src/Kunstmaan/SeoBundle/Resources/views/SeoTwigExtension/metadata.html.twig b/src/Kunstmaan/SeoBundle/Resources/views/SeoTwigExtension/metadata.html.twig
@@ -110,5 +110,5 @@
 {% endif %}
 
 {% if seo.getExtraMetadata() %}
-    {{ seo.getExtraMetadata() | raw }}
+    {{ seo.getExtraMetadata()|escape('html')|raw }}
 {% endif %}