fixed xss on login page (#14975)

pimcore · Apr 20, 2023 · 66f1089 · 66f1089
1 parent 3b50ac0
commit 66f1089
Showing 1 changed file with 2 additions and 1 deletion.
diff --git a/bundles/AdminBundle/Controller/Admin/LoginController.php b/bundles/AdminBundle/Controller/Admin/LoginController.php
@@ -29,6 +29,7 @@
 use Pimcore\Http\ResponseHelper;
 use Pimcore\Logger;
 use Pimcore\Model\User;
+use Pimcore\Security\SecurityHelper;
 use Pimcore\Tool;
 use Pimcore\Tool\Authentication;
 use Symfony\Component\HttpFoundation\RedirectResponse;
@@ -114,7 +115,7 @@ public function loginAction(Request $request, CsrfProtectionHandler $csrfProtect
         $params['csrfTokenRefreshInterval'] = ((int)$session_gc_maxlifetime - 60) * 1000;
 
         if ($request->get('too_many_attempts')) {
-            $params['error'] = $request->get('too_many_attempts');
+            $params['error'] = SecurityHelper::convertHtmlSpecialChars($request->get('too_many_attempts'));
         }
         if ($request->get('auth_failed')) {
             $params['error'] = 'error_auth_failed';