From 79a5757e476244d91df14a653d898d4467db787f Mon Sep 17 00:00:00 2001
From: Bernhard Rusch <bernhard.rusch@elements.at>
Date: Thu, 26 Aug 2021 00:24:53 +0200
Subject: [PATCH] [Asset] Custom Metadata: properly escape values in grid

---
 .../Resources/public/js/pimcore/asset/metadata/tags/date.js    | 3 ++-
 .../public/js/pimcore/asset/metadata/tags/manyToOneRelation.js | 2 +-
 .../public/js/pimcore/asset/metadata/tags/textarea.js          | 2 +-
 3 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/bundles/AdminBundle/Resources/public/js/pimcore/asset/metadata/tags/date.js b/bundles/AdminBundle/Resources/public/js/pimcore/asset/metadata/tags/date.js
index 1892300d54f..3d7249c6e81 100644
--- a/bundles/AdminBundle/Resources/public/js/pimcore/asset/metadata/tags/date.js
+++ b/bundles/AdminBundle/Resources/public/js/pimcore/asset/metadata/tags/date.js
@@ -113,7 +113,8 @@ pimcore.asset.metadata.tags.date = Class.create(pimcore.asset.metadata.tags.abst
             }
             return Ext.Date.format(value, "Y-m-d");
         }
-        return value;
+
+        return Ext.util.Format.htmlEncode(value);
     },
 
     marshal: function(value) {
diff --git a/bundles/AdminBundle/Resources/public/js/pimcore/asset/metadata/tags/manyToOneRelation.js b/bundles/AdminBundle/Resources/public/js/pimcore/asset/metadata/tags/manyToOneRelation.js
index ccfbf1a93be..78b748e2e4a 100644
--- a/bundles/AdminBundle/Resources/public/js/pimcore/asset/metadata/tags/manyToOneRelation.js
+++ b/bundles/AdminBundle/Resources/public/js/pimcore/asset/metadata/tags/manyToOneRelation.js
@@ -251,7 +251,7 @@ pimcore.asset.metadata.tags.manyToOneRelation = Class.create(pimcore.asset.metad
 
     getGridCellRenderer: function(value, metaData, record, rowIndex, colIndex, store) {
         if (value) {
-            value =  nl2br(value);
+            value =  nl2br(Ext.util.Format.htmlEncode(value));
         } else {
             value =  "";
         }
diff --git a/bundles/AdminBundle/Resources/public/js/pimcore/asset/metadata/tags/textarea.js b/bundles/AdminBundle/Resources/public/js/pimcore/asset/metadata/tags/textarea.js
index 0a38a2cee51..e65497d301b 100644
--- a/bundles/AdminBundle/Resources/public/js/pimcore/asset/metadata/tags/textarea.js
+++ b/bundles/AdminBundle/Resources/public/js/pimcore/asset/metadata/tags/textarea.js
@@ -107,7 +107,7 @@ pimcore.asset.metadata.tags.textarea = Class.create(pimcore.asset.metadata.tags.
 
     getGridCellRenderer: function(value, metaData, record, rowIndex, colIndex, store) {
         if (value) {
-            return nl2br(value);
+            return nl2br(Ext.util.Format.htmlEncode(value));
         } else {
             return "";
         }