tyler.durden/icingaweb2
1
0
Fork 0
mirror of https://github.com/Icinga/icingaweb2.git synced 2025-04-08 17:15:08 +02:00
Code Issues Packages Projects Releases Wiki Activity

SshResourceForm: fix XSS by escaping user-defined resource name

Browse Source 
in the tooltip of the message shown instead of the private key.
This commit is contained in:
Alexander A. Klimov 2022-11-22 13:43:34 +01:00 committed by Johannes Meyer
parent bdb9fd299b
commit a3100d378b
1 changed files with 2 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
application/forms/Config/Resource/SshResourceForm.php
View File

@ -87,9 +87,9 @@ class SshResourceForm extends Form
'value' => sprintf(
'<a href="%1$s" data-base-target="_next" title="%2$s" aria-label="%2$s">%3$s</a>',
$this->getView()->url('config/removeresource', array('resource' => $resourceName)),
sprintf($this->translate(
$this->getView()->escape(sprintf($this->translate(
'Remove the %s resource'
), $resourceName),
), $resourceName)),
$this->translate('To modify the private key you must recreate this resource.')
)
)