From e786fd44aac46febdbf916ed6c328fbe645d80bf Mon Sep 17 00:00:00 2001
From: JiaJia Ji
Date: Wed, 2 Mar 2022 21:15:07 +0100
Subject: [PATCH] escaping 'key' custom property field in elements
---
 .../Resources/public/js/pimcore/element/properties.js | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/bundles/AdminBundle/Resources/public/js/pimcore/element/properties.js b/bundles/AdminBundle/Resources/public/js/pimcore/element/properties.js
index 16466f0a5ad..0517e3163ee 100644
--- a/bundles/AdminBundle/Resources/public/js/pimcore/element/properties.js
+++ b/bundles/AdminBundle/Resources/public/js/pimcore/element/properties.js
@@ -568,10 +568,11 @@ pimcore.element.properties = Class.create({
 addSetFromUserDefined: function (customKey, customType) {
 try {
- if (in_array(customKey.getValue(), this.disallowedKeys)) {
+ let key = htmlspecialchars(customKey.getValue());
+ if (in_array(key, this.disallowedKeys)) {
 Ext.MessageBox.alert(t("error"), t("name_is_not_allowed"));
 }
- this.add(customKey.getValue(), customType.getValue(), false, false, false, true);
+ this.add(key, customType.getValue(), false, false, false, true);
 } catch (e) {
 console.log(e);
 }
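Review bot: Escaping `customKey.getValue()` with `htmlspecialchars` inside `addSetFromUserDefined` covers only this one client-side entry point, so the key is stored HTML-encoded here while any other caller of `this.add`, or any value that reaches the server without passing through this form, is still unescaped. The hunk does not show where the key is rendered, but encoding it at that render site and validating it server-side would be the more durable fix. The `disallowedKeys` comparison now runs on the encoded string, and there is still no `return;` after the alert, so `this.add(key, ...)` runs for a rejected name unless `add` repeats the check itself. I would add `return;` after `Ext.MessageBox.alert(t("error"), t("name_is_not_allowed"));` and a comment such as `// key is HTML-encoded here; renderers must not encode it again`. The function's closing lines fall outside the hunk.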