From a3100d378b125bbc4c5587e0bddd55b1f0300a83 Mon Sep 17 00:00:00 2001
From: "Alexander A. Klimov"
Date: Tue, 22 Nov 2022 13:43:34 +0100
Subject: [PATCH] SshResourceForm: fix XSS by escaping user-defined resource name in the tooltip of the message shown instead of the private key.

---
 application/forms/Config/Resource/SshResourceForm.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/application/forms/Config/Resource/SshResourceForm.php b/application/forms/Config/Resource/SshResourceForm.php
index 88265fca2..a15dc8c37 100644
--- a/application/forms/Config/Resource/SshResourceForm.php
+++ b/application/forms/Config/Resource/SshResourceForm.php
@@ -87,9 +87,9 @@ class SshResourceForm extends Form
                 'value' => sprintf(
                     '%3$s',
                     $this->getView()->url('config/removeresource', array('resource' => $resourceName)),
-                    sprintf($this->translate(
+                    $this->getView()->escape(sprintf($this->translate(
                         'Remove the %s resource'
-                    ), $resourceName),
+                    ), $resourceName)),
                     $this->translate('To modify the private key you must recreate this resource.')
                 )
             )
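Review bot: The first `%s` of the same sprintf() is still filled with `$this->getView()->url('config/removeresource', array('resource' => $resourceName))`, which carries the same user-defined resource name into the link target and is not touched by this change; the Url helper presumably percent-encodes query parameters, but nothing in the hunk shows that, so it is worth confirming before treating the XSS as fully closed. Since the newly escaped tooltip lands in an attribute value, also confirm that the view's `escape()` encodes both quote styles (ENT_QUOTES) rather than ENT_COMPAT only, otherwise the fix silently depends on the attribute staying double-quoted. Escaping the whole translated string is fine and also neutralises stray markup from translations; if only the untrusted value is meant to be escaped, the narrower form is `sprintf($this->translate('Remove the %s resource'), $this->getView()->escape($resourceName))`. The format string rendered here as `'%3$s'` appears to have lost its HTML markup in this view, and the enclosing method begins and ends outside the hunk.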