From 746fac1a342841624f63ab13edcd340358e1bc04 Mon Sep 17 00:00:00 2001
From: robertSt7 <104770750+robertSt7@users.noreply.github.com>
Date: Mon, 2 Jan 2023 15:26:25 +0100
Subject: [PATCH] Fix: X-site-scripting (#13916)

---
 models/DataObject/ClassDefinition/Service.php | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/models/DataObject/ClassDefinition/Service.php b/models/DataObject/ClassDefinition/Service.php
index 9b6f6918aae..68126184116 100644
--- a/models/DataObject/ClassDefinition/Service.php
+++ b/models/DataObject/ClassDefinition/Service.php
@@ -341,6 +341,11 @@ public static function importObjectBrickFromJson($objectBrick, $json, $throwExce
 public static function generateLayoutTreeFromArray($array, $throwException = false, $insideLocalizedField = false)
 {
 if (is_array($array) && count($array) > 0) {
+ if ($title = $array['title'] ?? false) {
+ if (preg_match('/<.+?>/', $title)) {
+ throw new \Exception('not a valid title:' . htmlentities($title));
+ }
+ }
 if ($name = $array['name'] ?? false) {
 if (preg_match('/<.+?>/', $name)) {
 throw new \Exception('not a valid name:' . htmlentities($name));
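Review bot: The added title check is a verbatim copy of the name check that follows it, and both share the same weakness: the pattern `/<.+?>/` has no `s` modifier, so `.` stops at a newline and a value whose tag spans lines is not rejected, and the `?? false` guard silently skips the check for a title of `'0'`. Since this is the only place the markup rejection is expressed, it is worth pulling into one private helper that both call sites use, so the pattern is fixed (and later tightened) in a single place; `generateLayoutTreeFromArray` continues past the end of the hunk. I would also document the helper with a short comment such as `// Layout titles/names are rendered in the admin UI; reject anything that looks like a tag rather than trusting downstream escaping.`
```php
        if (is_array($array) && count($array) > 0) {
            self::assertNoMarkup($array['title'] ?? '', 'title');
            self::assertNoMarkup($array['name'] ?? '', 'name');
            // … unchanged: rest of generateLayoutTreeFromArray …

    /**
     * Rejects values that look like HTML/XML tags; `s` lets `.` cross newlines.
     *
     * @throws \Exception when $value contains a tag-like sequence
     */
    private static function assertNoMarkup(string $value, string $field): void
    {
        if ($value !== '' && preg_match('/<.+?>/s', $value)) {
            throw new \Exception('not a valid ' . $field . ':' . htmlentities($value));
        }
    }
```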