From 0508c491c6a4f3d119ec8dcf444e52ff25028c36 Mon Sep 17 00:00:00 2001
From: Divesh Pahuja
Date: Tue, 13 Sep 2022 14:00:58 +0200
Subject: [PATCH] [Admin] escape values on UI (#13129)
* [Admin] Escape values on UI - Properties
* [Admin] Escape values on UI - Notifications
* [Admin] Escape values on UI - Notifications
---
 .../Resources/public/js/pimcore/element/properties.js | 2 +-
 .../Resources/public/js/pimcore/notification/helper.js | 8 ++++----
 .../Resources/public/js/pimcore/notification/panel.js | 3 ++-
 3 files changed, 7 insertions(+), 6 deletions(-)
diff --git a/bundles/AdminBundle/Resources/public/js/pimcore/element/properties.js b/bundles/AdminBundle/Resources/public/js/pimcore/element/properties.js
index fc06ee0d432..461a0f13e6b 100644
--- a/bundles/AdminBundle/Resources/public/js/pimcore/element/properties.js
+++ b/bundles/AdminBundle/Resources/public/js/pimcore/element/properties.js
@@ -439,7 +439,7 @@ pimcore.element.properties = Class.create({
 getTypeRenderer: function (value, metaData, record, rowIndex, colIndex, store) {
- return '
 
'; + return '
 
'; }, getCellRenderer: function (value, metaData, record, rowIndex, colIndex, store) {
diff --git a/bundles/AdminBundle/Resources/public/js/pimcore/notification/helper.js b/bundles/AdminBundle/Resources/public/js/pimcore/notification/helper.js
index dc2654f8ddc..ed62175193b 100644
--- a/bundles/AdminBundle/Resources/public/js/pimcore/notification/helper.js
+++ b/bundles/AdminBundle/Resources/public/js/pimcore/notification/helper.js
@@ -76,8 +76,8 @@ pimcore.notification.helper.showNotifications = function (notifications) {
 });
 var notification = Ext.create('Ext.window.Toast', {
 iconCls: 'pimcore_icon_' + row.type,
- title: row.title,
- html: row.message,
+ title: Ext.util.Format.htmlEncode(row.title),
+ html: Ext.util.Format.htmlEncode(row.message),
 autoShow: true,
 width: 400,
 height: 150,
@@ -136,8 +136,8 @@ pimcore.notification.helper.openDetailsWindow = function (id, title, message, ty
 var notification = new Ext.Window({
 modal: true,
 iconCls: 'pimcore_icon_' + type,
- title: title,
- html: message,
+ title: Ext.util.Format.htmlEncode(title),
+ html: Ext.util.Format.htmlEncode(message),
 autoShow: true,
 width: 700,
 height: 350,
diff --git a/bundles/AdminBundle/Resources/public/js/pimcore/notification/panel.js b/bundles/AdminBundle/Resources/public/js/pimcore/notification/panel.js
index c771ae78a78..2e1e87610c3 100644
--- a/bundles/AdminBundle/Resources/public/js/pimcore/notification/panel.js
+++ b/bundles/AdminBundle/Resources/public/js/pimcore/notification/panel.js
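Review bot: `html: Ext.util.Format.htmlEncode(row.message)` in showNotifications flattens any newlines in the message, because the Toast still renders `html` as markup and the encoded text contains no line breaks; if notification messages can be multi-line, `html: Ext.util.Format.nl2br(Ext.util.Format.htmlEncode(row.message)),` keeps the breaks while still neutralising markup. The same applies to `html: Ext.util.Format.htmlEncode(message)` in the second hunk (openDetailsWindow). In both hunks the context line `iconCls: 'pimcore_icon_' + row.type` (resp. `+ type`) still interpolates the record's type into a class name unencoded; since it lands in a class attribute rather than in markup the exposure is limited to extra class names, but if `type` comes from the same source as title and message it is worth validating it against the expected set of icon names. Both enclosing functions start and end outside the hunks.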
@@ -79,13 +79,14 @@ pimcore.notification.panel = Class.create({
 dataIndex: 'title',
 renderer: function (val, metaData, record, rowIndex, colIndex, store) {
 var read = parseInt(store.getAt(rowIndex).get("read"));
+ val = Ext.util.Format.htmlEncode(val);
 if (read == 0) {
 return '' + val + ''; // css style need to be added
 }
 return val;
 }
 },
- {header: t("sender"), flex: 2, sortable: false, dataIndex: 'sender'},
+ {header: t("sender"), flex: 2, sortable: false, dataIndex: 'sender', renderer: Ext.util.Format.htmlEncode},
 {header: t("date"), flex: 3, sortable: true, filter: 'date', dataIndex: 'date'},
 {
 header: t("attachment"),
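Review bot: `renderer: Ext.util.Format.htmlEncode` on the sender column and the added `val = Ext.util.Format.htmlEncode(val);` in the title renderer cover only two of the grid's text columns; the attachment column definition continues past the end of the hunk, and if its renderer builds markup from record fields (a filename, for instance) it needs the same encoding, since Ext inserts renderer output into the cell as HTML. As a point of style, reassigning the `val` parameter hides which value is encoded when reading the `read == 0` branch; `var safeVal = Ext.util.Format.htmlEncode(val);` with `safeVal` used in both `return` statements reads more clearly. The enclosing column array and Class.create call start and end outside the hunk.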