Merge branch 'ent-12043-cve-2023-41814-vulnerabilidad-xss-mensajes' into 'develop'

Ent 12043 cve 2023 41814 vulnerabilidad xss mensajes

See merge request artica/pandorafms!6492

pandora_console/operation/messages/message_edit.php

@@ -38,7 +38,7 @@ $send_mes     = (bool) get_parameter('send_mes', false);
 $new_msg      = (string) get_parameter('new_msg');
 $dst_user     = get_parameter('dst_user');
 $dst_group    = get_parameter('dst_group');
-$subject      = io_safe_html_tags(get_parameter('subject'));
+$subject      = io_safe_input(get_parameter('subject'));
 $message      = (string) get_parameter('message');
 $read_message = (bool) get_parameter('read_message', false);
 $reply        = (bool) get_parameter('reply', false);
@@ -132,7 +132,7 @@ if ($read_message) {
         echo '<h1>Conversation with '.$user_name.'</h1>';
     }
 
-    echo '<h2>Subject: '.$message['subject'].'</h2>';
+    echo '<h2>Subject: '.io_safe_output($message['subject']).'</h2>';
 
     $conversation = messages_get_conversation($message);
 

pandora_console/operation/messages/message_list.php

@@ -259,7 +259,7 @@ if (empty($messages) === true) {
             $pathSubject = 'index.php?sec=message_list&sec2=operation/messages/message_edit&read_message=1&id_message='.$message_id;
         }
 
-        $contentSubject = (empty($message['subject']) === true) ? __('No Subject') : $message['subject'];
+        $contentSubject = (empty($message['subject']) === true) ? __('No Subject') : io_safe_output($message['subject']);
 
         if ((int) $message['read'] !== 1) {
             $contentSubject = '<strong>'.$contentSubject.'</strong>';