fix: added missing conversion to HTML entities

thorsten · Mar 10, 2023 · 7f0f921 · 7f0f921
1 parent d773df9
commit 7f0f921
Show file tree

Hide file tree

Showing 2 changed files with 19 additions and 4 deletions.
diff --git a/phpmyfaq/admin/stopwords.php b/phpmyfaq/admin/stopwords.php
@@ -106,10 +106,10 @@ function buildStopWordsHTML(data) {
             }
 
             // id attribute is of the format stopword_<id>_<lang>
-            elem_id = buildStopWordInputElemId(data[i].id, data[i].lang);
+            elem_id = buildStopWordInputElemId(data[i].id, escape(data[i].lang));
 
             html += '<td>';
-            html += buildStopWordInputElement(elem_id, data[i].stopword);
+            html += buildStopWordInputElement(elem_id, escape(data[i].stopword));
             html += '</td>';
 
             if (i % maxCols === maxCols - 1) {
@@ -136,7 +136,7 @@ function buildStopWordInputElement(elementId, stopword) {
           elementId = elementId || buildStopWordInputElemId();
           stopword = stopword || '';
           const attrs = 'onblur="saveStopWord(this.id)" onkeydown="saveStopWordHandleEnter(this.id, event)" onfocus="saveOldValue(this.id)"';
-          return '<input class="form-control form-control-sm" id="' + elementId + '" value="' + stopword + '" ' + attrs + '>';
+          return '<input class="form-control form-control-sm" id="' + elementId + '" value="' + escape(stopword) + '" ' + attrs + '>';
         }
 
         /**
@@ -286,6 +286,21 @@ function() {
             );
           }
         }
+
+        const escape = (text) => {
+          const map = {
+            '&': '&amp;',
+            '<': '&lt;',
+            '>': '&gt;',
+            '"': '&quot;',
+            "'": '&#039;',
+          };
+
+          return text.replace(/[&<>"']/g, (mapped) => {
+            return map[mapped];
+          });
+        };
+
       </script>
     </div>
   </div>

diff --git a/phpmyfaq/src/phpMyFAQ/Stopwords.php b/phpmyfaq/src/phpMyFAQ/Stopwords.php
@@ -192,7 +192,7 @@ public function getByLang($lang = null, $wordsOnly = false): array
 
         if ($wordsOnly) {
             while (($row = $this->config->getDb()->fetchObject($result)) == true) {
-                $stopWords[] = $row->stopword;
+                $stopWords[] = Strings::htmlentities($row->stopword);
             }
         } else {
             return $this->config->getDb()->fetchAll($result);