From 244adf61b2c0ced0ec21be2dbbe2d89b612735ec Mon Sep 17 00:00:00 2001
From: Johannes Meyer
Date: Thu, 20 Mar 2025 16:20:21 +0100
Subject: [PATCH] Fix unescaped error messages (#5329)

In both cases the input, which wasn't escaped before, comes from a form element that doesn't allow any user to change its content. An ordinary user would need to access the DOM in order to do that. Both forms are protected by CSRF, so this mitigates any potential exploit as well.

(cherry picked from commit acfad5ae5290d349c0ca4fe10b329e56c23201a0)
---
 .../views/scripts/config/module-configuration-error.phtml | 2 +-
 .../monitoring/application/forms/Config/BackendConfigForm.php | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/application/views/scripts/config/module-configuration-error.phtml b/application/views/scripts/config/module-configuration-error.phtml
index 85fb128f5..9d8980e03 100644
--- a/application/views/scripts/config/module-configuration-error.phtml
+++ b/application/views/scripts/config/module-configuration-error.phtml
@@ -6,7 +6,7 @@ tabs->render($this); ?>
-

Could not module ""

+

Could not module "escape($moduleName); ?>"

While operation the following error occurred:
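Review bot: The added heading line still renders a second interpolated value, the verb before "module", that does not appear to go through `$this->escape()`, and the "While … the following error occurred" line below has the same shape; this rendering has stripped the PHP tags, so it is inferred from the residue (`escape($moduleName); ?>` survives on the new line while the other placeholders vanish entirely). If that verb is a controller-supplied constant rather than anything derived from the request, a one-line comment above the heading saying so would keep the next reader from re-raising it; if not, it should be wrapped exactly like `$moduleName` is. The template continues outside the hunk, so any further output sites in this file were not reviewed.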
diff --git a/modules/monitoring/application/forms/Config/BackendConfigForm.php b/modules/monitoring/application/forms/Config/BackendConfigForm.php
index 5ed42e1db..05bc95e5b 100644
--- a/modules/monitoring/application/forms/Config/BackendConfigForm.php
+++ b/modules/monitoring/application/forms/Config/BackendConfigForm.php
@@ -227,7 +227,7 @@ class BackendConfigForm extends ConfigForm
 'autosubmit' => true
 )
 );
- $resourceName = isset($formData['resource']) ? $formData['resource'] : $this->getValue('resource');
+ $resourceName = $this->getView()->escape($formData['resource'] ?? $this->getValue('resource'));
 $this->addElement(
 'note',
 'resource_note',
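Review bot: Escaping is applied where `$resourceName` is assigned rather than where it is rendered, so the variable now holds HTML-encoded text; if it is used for anything besides the `resource_note` markup later in this method (a config lookup, a comparison against configured resource names), that use would now see `&amp;`/`&quot;` entities instead of the raw value. The `addElement('note', 'resource_note', …)` call continues outside the hunk, so whether it is the only consumer cannot be confirmed here; if it is, consider moving the `escape()` call into the note's value expression and keeping `$resourceName` raw, with a comment such as `// escaped for HTML output only; do not reuse for lookups`. If `$this->getValue('resource')` can yield null, `escape(null)` presumably reaches htmlspecialchars and trips its null deprecation on PHP 8.1+; `?? ''` on the fallback would avoid that.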