From bea7497f8435b8980d99ec6d49d9e86c206afe29 Mon Sep 17 00:00:00 2001
From: Axel Guckelsberger
Date: Sun, 19 Sep 2021 00:10:03 +0200
Subject: [PATCH] sanitize context menu in admin category list

---
 src/system/CategoriesModule/Controller/CategoryController.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/system/CategoriesModule/Controller/CategoryController.php b/src/system/CategoriesModule/Controller/CategoryController.php
index 281d95565e..4f72e2f800 100644
--- a/src/system/CategoriesModule/Controller/CategoryController.php
+++ b/src/system/CategoriesModule/Controller/CategoryController.php
@@ -98,7 +98,7 @@ private function getNodeOptions(Request $request): array
 }
 $class = !empty($classes) ? ' class="' . implode(' ', $classes) . '"' : '';
- return '' . $displayName . '';
+ return '' . htmlspecialchars($displayName) . '';
 }
 ];
 }
@@ -115,6 +115,6 @@ private function createTitleAttribute(array $node, string $displayName, string $
 $title[] = $this->trans('Leaf') . ': ' . ($node['leaf'] ? 'Yes' : 'No');
 $title[] = $this->trans('Locked') . ': ' . ($node['locked'] ? 'Yes' : 'No');
- return implode('
', $title);
+ return htmlspecialchars(implode('
', $title));
 }
 }
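Review bot: In the second hunk, escaping the already joined string in `createTitleAttribute` protects only the attribute context, and it encodes the `implode` separator together with the entries; that separator appears on this page only as a line break, so it is probably markup meant for an HTML-rendering tooltip (not visible here, to be confirmed). If the title is shown that way, the browser decodes the attribute once and the tooltip script then parses `$displayName` and the other entries as HTML again, so each entry should be escaped on its own before joining, e.g. `$title = array_map('htmlspecialchars', $title);` ahead of the return, with the outer call kept for the attribute. Both new calls, this one and `htmlspecialchars($displayName)` in the first hunk, also depend on the runtime's default flags and charset, which changed in PHP 8.1; `htmlspecialchars($displayName, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')` makes the escaping independent of the PHP version. The bodies of both functions start outside the hunks, so how `$title` and `$classes` are filled could not be checked.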