SshResourceForm: fix XSS by escaping user-defined resource name

in the tooltip of the message shown instead of the private key.
2022-11-22 13:43:34 +01:00 · 2022-11-22 13:43:34 +01:00 · a3100d378b
parent bdb9fd299b
commit a3100d378b
1 changed files with 2 additions and 2 deletions
--- a/application/forms/Config/Resource/SshResourceForm.php
+++ b/application/forms/Config/Resource/SshResourceForm.php
@ -87,9 +87,9 @@ class SshResourceForm extends Form
                    'value'         => sprintf(
                        '<a href="%1$s" data-base-target="_next" title="%2$s" aria-label="%2$s">%3$s</a>',
                        $this->getView()->url('config/removeresource', array('resource' => $resourceName)),
-                        sprintf($this->translate(
+                        $this->getView()->escape(sprintf($this->translate(
                            'Remove the %s resource'
-                        ), $resourceName),
+                        ), $resourceName)),
                        $this->translate('To modify the private key you must recreate this resource.')
                    )
                )