From 4f4d5d6bc0655a01698fc5c9cf798b103f392fe4 Mon Sep 17 00:00:00 2001
From: Axel Guckelsberger
Date: Tue, 18 Jan 2022 06:46:26 +0100
Subject: [PATCH] more strict output sanitizing in block placement management view
---
 CHANGELOG-3.0.md | 1 +
 .../BlocksModule/Resources/views/Placement/edit.html.twig | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/CHANGELOG-3.0.md b/CHANGELOG-3.0.md
index 196940e316..9b42b7d330 100644
--- a/CHANGELOG-3.0.md
+++ b/CHANGELOG-3.0.md
@@ -7,6 +7,7 @@
 - Fixes:
 - [Admin] Sanitize extension title in admin panel.
+ - [Blocks] Sanitize block title and description in position placement management view.
 - [ZAuth] Generic response message in lost password functionality to avoid account enumeration.
 - Features:
diff --git a/src/system/BlocksModule/Resources/views/Placement/edit.html.twig b/src/system/BlocksModule/Resources/views/Placement/edit.html.twig
index 33053eb9b2..4319f80907 100644
--- a/src/system/BlocksModule/Resources/views/Placement/edit.html.twig
+++ b/src/system/BlocksModule/Resources/views/Placement/edit.html.twig
@@ -50,7 +50,7 @@
 {{ block.bid }}
- {{ block.title|safeHtml|default('') }}{% if block.title and block.description %}, {% endif %}{{ block.description|safeHtml }}
+ {{ block.title|default('') }}{% if block.title and block.description %}, {% endif %}{{ block.description }}
 {{ block.module.name }}
 {{ block.blocktype }}
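Review bot: Dropping `safeHtml` on the `+` line is only a hardening if the template's output is still HTML-escaped at this point, and the hunk does not show that: it relies on Twig autoescape being active for `edit.html.twig` and on no enclosing `{% autoescape false %}` block or later `|raw`, while the surrounding row markup and loop lie outside the hunk. Because the intent is now "escape, never trust", a short template comment would keep a future maintainer from reintroducing the filter, e.g. `{# block.title / block.description are admin-entered text: rely on autoescape, never safeHtml or raw here #}`. The `|default('')` on the title is evaluated before escaping, so the empty fallback is unaffected by the change. If `safeHtml` was previously relied on to preserve markup in these fields, that formatting is now escaped, which is a behaviour change the changelog entry in this commit could state explicitly.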