From 26663efcb0b67e421e4ecccad8f19e7106bb03ce Mon Sep 17 00:00:00 2001
From: Thorsten Rinne <thorsten@phpmyfaq.de>
Date: Wed, 25 Jan 2023 07:48:41 +0100
Subject: [PATCH] fix: added missing escaping of newly added values

---
 phpmyfaq/admin/instances.php | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/phpmyfaq/admin/instances.php b/phpmyfaq/admin/instances.php
index a4fd8b3fae..a2374dfa57 100644
--- a/phpmyfaq/admin/instances.php
+++ b/phpmyfaq/admin/instances.php
@@ -243,6 +243,10 @@ class="btn btn-danger pmf-instance-delete"
         const admin = $('#admin').val();
         const password = $('#password').val();
 
+        const escape = (unsafe) => {
+          return unsafe.replaceAll('&', '&amp;').replaceAll('<', '&lt;').replaceAll('>', '&gt;').replaceAll('"', '&quot;').replaceAll("'", '&#039;');
+        }
+
         $.ajax({
           url: 'index.php',
           type: 'GET',
@@ -256,8 +260,8 @@ class="btn btn-danger pmf-instance-delete"
               '<tr id="row-instance-' + data.added + '">' +
               '<td>' + data.added + '</td>' +
               '<td><a href="' + data.url + '">' + data.url + '</a></td>' +
-              '<td>' + instance + '</td>' +
-              '<td>' + comment + '</td>' +
+              '<td>' + escape(instance) + '</td>' +
+              '<td>' + escape(comment) + '</td>' +
               '<td>' +
               '<a href="?action=editinstance&instance_id=' + data.added +
               '" class="btn btn-info"><i aria-hidden="true" class="fa fa-pencil"></i></a>' +