pkp/pkp-lib#7378 Fix reflected XSS issues

pkp · Oct 13, 2021 · d1ced38 · d1ced38
1 parent 3014428
commit d1ced38
Show file tree

Hide file tree

Showing 3 changed files with 6 additions and 6 deletions.
diff --git a/templates/controllers/grid/settings/series/form/seriesForm.tpl b/templates/controllers/grid/settings/series/form/seriesForm.tpl
@@ -83,15 +83,15 @@
 		{if count($availableSubeditors)}
 			{fbvFormSection list=true title="submissionGroup.assignedSubEditors"}
 				{foreach from=$availableSubeditors item="subEditor" key="id"}
-					{fbvElement type="checkbox" id="subEditors[]" value=$id checked=in_array($id, $assignedToSeries) label=$subEditor translate=false}
+					{fbvElement type="checkbox" id="subEditors[]" value=$id checked=in_array($id, $assignedToSeries) label=$subEditor|escape translate=false}
 				{/foreach}
 			{/fbvFormSection}
 		{/if}
 
 		{if count($allCategories)}
 			{fbvFormSection list=true title="grid.category.categories"}
 				{foreach from=$allCategories item="category" key="id"}
-					{fbvElement type="checkbox" id="categories[]" value=$id checked=in_array($id, $selectedCategories) label=$category translate=false}
+					{fbvElement type="checkbox" id="categories[]" value=$id checked=in_array($id, $selectedCategories) label=$category|escape translate=false}
 				{/foreach}
 			{/fbvFormSection}
 		{/if}

diff --git a/templates/controllers/grid/users/chapter/form/chapterForm.tpl b/templates/controllers/grid/users/chapter/form/chapterForm.tpl
@@ -50,13 +50,13 @@
 
 	{fbvFormSection list=true title="submission.submit.addAuthor"}
 		{foreach from=$chapterAuthorOptions item="chapterAuthor" key="id"}
-			{fbvElement type="checkbox" id="authors[]" value=$id checked=in_array($id, $selectedChapterAuthors) label=$chapterAuthor translate=false}
+			{fbvElement type="checkbox" id="authors[]" value=$id checked=in_array($id, $selectedChapterAuthors) label=$chapterAuthor|escape translate=false}
 		{/foreach}
 	{/fbvFormSection}
 
 	{fbvFormSection list=true title="submission.files"}
 		{foreach from=$chapterFileOptions item="chapterFile" key="id"}
-			{fbvElement type="checkbox" id="files[]" value=$id checked=in_array($id, $selectedChapterFiles) label=$chapterFile translate=false}
+			{fbvElement type="checkbox" id="files[]" value=$id checked=in_array($id, $selectedChapterFiles) label=$chapterFile|escape translate=false}
 		{/foreach}
 	{/fbvFormSection}
 

diff --git a/templates/frontend/objects/monograph_full.tpl b/templates/frontend/objects/monograph_full.tpl
@@ -144,7 +144,7 @@
 									{capture assign="authorName"}<span class="label">{$author->getFullName()|escape}</span>{/capture}
 								{/if}
 								{capture assign="authorAffiliation"}<span class="value">{$author->getLocalizedAffiliation()|escape}</span>{/capture}
-								{translate key="submission.authorWithAffiliation" name=$authorName affiliation=$authorAffiliation}
+								{translate key="submission.authorWithAffiliation" name=$authorName|escape affiliation=$authorAffiliation|escape}
 							{else}
 								<span class="label">{$author->getFullName()|escape}</span>
 							{/if}
@@ -293,7 +293,7 @@
 									{if $author->getLocalizedAffiliation()}
 										{capture assign="authorName"}{$author->getFullName()|escape}{/capture}
 										{capture assign="authorAffiliation"}<span class="affiliation">{$author->getLocalizedAffiliation()|escape}</span>{/capture}
-										{translate key="submission.authorWithAffiliation" name=$authorName affiliation=$authorAffiliation}
+										{translate key="submission.authorWithAffiliation" name=$authorName|escape affiliation=$authorAffiliation|escape}
 									{else}
 										{$author->getFullName()|escape}
 									{/if}