From 7f0f921de74c88038826c46bbd2a123518d9d611 Mon Sep 17 00:00:00 2001 From: Thorsten Rinne Date: Fri, 10 Mar 2023 07:24:18 +0100 Subject: [PATCH] fix: added missing conversion to HTML entities --- phpmyfaq/admin/stopwords.php | 21 ++++++++++++++++++--- phpmyfaq/src/phpMyFAQ/Stopwords.php | 2 +- 2 files changed, 19 insertions(+), 4 deletions(-) diff --git a/phpmyfaq/admin/stopwords.php b/phpmyfaq/admin/stopwords.php index e5c99ba9e9..889cba3e50 100644 --- a/phpmyfaq/admin/stopwords.php +++ b/phpmyfaq/admin/stopwords.php @@ -106,10 +106,10 @@ function buildStopWordsHTML(data) { } // id attribute is of the format stopword__ - elem_id = buildStopWordInputElemId(data[i].id, data[i].lang); + elem_id = buildStopWordInputElemId(data[i].id, escape(data[i].lang)); html += ''; - html += buildStopWordInputElement(elem_id, data[i].stopword); + html += buildStopWordInputElement(elem_id, escape(data[i].stopword)); html += ''; if (i % maxCols === maxCols - 1) { @@ -136,7 +136,7 @@ function buildStopWordInputElement(elementId, stopword) { elementId = elementId || buildStopWordInputElemId(); stopword = stopword || ''; const attrs = 'onblur="saveStopWord(this.id)" onkeydown="saveStopWordHandleEnter(this.id, event)" onfocus="saveOldValue(this.id)"'; - return ''; + return ''; } /** @@ -286,6 +286,21 @@ function() { ); } } + + const escape = (text) => { + const map = { + '&': '&', + '<': '<', + '>': '>', + '"': '"', + "'": ''', + }; + + return text.replace(/[&<>"']/g, (mapped) => { + return map[mapped]; + }); + }; + diff --git a/phpmyfaq/src/phpMyFAQ/Stopwords.php b/phpmyfaq/src/phpMyFAQ/Stopwords.php index c35f4fc39c..4ef229f13c 100644 --- a/phpmyfaq/src/phpMyFAQ/Stopwords.php +++ b/phpmyfaq/src/phpMyFAQ/Stopwords.php 
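Review bot: HTML-escaping `data[i].lang` before it is passed to `buildStopWordInputElemId` alters the element id itself, not just displayed text, so if a `lang` value ever contains one of the five mapped characters the id no longer round-trips to whatever `saveStopWord(this.id)` presumably parses back out of it; entity encoding belongs to the HTML text/attribute context, and a value that is later read back from an id should instead be validated to a safe character set (letters, digits, `-`, `_`) before being used. The second change escapes `data[i].stopword` before handing it to `buildStopWordInputElement`, whose return line is also modified in the next hunk (its content is not recoverable on this page); if that function escapes the value again the stopword is double-encoded (`&` becomes `&amp;amp;`), so escape at exactly one layer, ideally where the string is concatenated into markup. The body of `buildStopWordsHTML` starts and ends outside the hunk.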
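Review bot: Naming the new helper `const escape` gives it the same name as the legacy global `window.escape()`, so in any scope where this block-scoped, non-hoisted `const` is not visible (it is introduced near line 290 while its callers sit near lines 106 and 136) the calls resolve silently to the percent-encoding built-in and the values are not HTML-escaped at all, with no error to reveal it. Renaming it, e.g. `const escapeHtml = (text) => …`, and declaring it at or above the level of its callers removes that silent fallback. `text.replace` will also throw a TypeError if `data[i].lang` or `data[i].stopword` arrives as `null` or a number in the JSON response; `return String(text ?? '').replace(/[&<>"']/g, (mapped) => map[mapped]);` keeps the guard local to the helper. As rendered on this page the map's values appear identical to its keys, presumably an artifact of entity decoding in this view; the intended replacements are the named HTML entities for ampersand, less-than, greater-than, double quote and single quote.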
@@ -192,7 +192,7 @@ public function getByLang($lang = null, $wordsOnly = false): array if ($wordsOnly) { while (($row = $this->config->getDb()->fetchObject($result)) == true) { - $stopWords[] = $row->stopword; + $stopWords[] = Strings::htmlentities($row->stopword); } } else { return $this->config->getDb()->fetchAll($result);