From 41a8c75a4f3ecfebb0c3745311cf8b679c33bc2a Mon Sep 17 00:00:00 2001
From: "Alexander A. Klimov"
Date: Fri, 19 Feb 2016 15:22:10 +0100
Subject: [PATCH] FilterEditor: always escape filter embedded in HTML
---
 library/Icinga/Web/Widget/FilterEditor.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/library/Icinga/Web/Widget/FilterEditor.php b/library/Icinga/Web/Widget/FilterEditor.php
index 8457c905d..d6f186fdd 100644
--- a/library/Icinga/Web/Widget/FilterEditor.php
+++ b/library/Icinga/Web/Widget/FilterEditor.php
@@ -714,7 +714,7 @@ class FilterEditor extends AbstractWidget
 } else {
 $title = t('Modify this filter');
 if (! $this->filter->isEmpty()) {
- $title .= ': ' . $this->filter;
+ $title .= ': ' . $this->view()->escape($this->filter);
 }
 }
 return $html
@@ -732,7 +732,7 @@ class FilterEditor extends AbstractWidget
 public function render()
 {
 if (! $this->preservedUrl()->getParam('modifyFilter')) {
- return '
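Review bot: In the first hunk only the filter part of `$title` is escaped, while the translated prefix from `t('Modify this filter')` is still concatenated raw, so `$title` becomes a mix of escaped and unescaped text. If `$title` is later written into an HTML attribute (inferred from the name; the `return $html` expression continues outside the hunk), a translation containing a quote or `&` could still break the markup, and any escaping applied at that sink would double-encode the filter. Escaping once where the value is emitted, `$this->view()->escape($title)`, would cover both parts. It is also worth confirming that the view's configured escape function encodes the quote character that attribute is delimited with.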
' . $this->renderSearch() . $this->shorten($this->filter, 50) . '
';
+ return '
' . $this->renderSearch() . $this->view()->escape($this->shorten($this->filter, 50)) . '
';
 }
 return '
' . $this->renderSearch()