fix: [security] genericForm reflected XSS in form descriptions for user controlled descriptions

- accessible via the MISP local tool setting change
- sanitise the description

- as reported by Dawid Czarnecki from Zigrin Security
iglocska 2022-02-03 23:54:47 +01:00
parent 5fbd53883f
commit e60d97c214
1 changed files with 3 additions and 3 deletions


@ -106,7 +106,7 @@
'%s%s%s%s%s%s',
empty($data['description']) ? '' : sprintf(
'<div class="pb-2 fw-light">%s</div>',
$data['description']
h($data['description'])
),
$ajaxFlashMessage,
$formCreate,
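Review bot: The `empty($data['description'])` guard that precedes the new `h()` call also drops a description consisting of the single character "0", since `empty('0')` is true in PHP; if that is not intended, `!isset($data['description']) || $data['description'] === ''` would keep the string while still skipping null and empty. The same pattern, with the same escaping fix, is repeated identically in the two later hunks at the `pb-2` and `pb-3 fw-light` wrappers, so a private helper that builds the description block once would keep all three render paths escaping consistently and make it harder to reintroduce an unescaped site. A short comment such as `// description is user-controlled (local tool settings); always escape at output` above the first guard would record why `h()` must not be removed here. The enclosing function starts and ends outside this hunk, so I cannot tell whether `$data['description']` is always a string at this point; `h()` handles arrays, but a non-string value would be worth asserting at the boundary.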
@ -131,7 +131,7 @@
'%s%s%s%s%s%s',
empty($data['description']) ? '' : sprintf(
'<div class="pb-2">%s</div>',
$data['description']
h($data['description'])
),
$ajaxFlashMessage,
$formCreate,
@ -157,7 +157,7 @@
$ajaxFlashMessage,
empty($data['description']) ? '' : sprintf(
'<div class="pb-3 fw-light">%s</div>',
$data['description']
h($data['description'])
),
sprintf('<div class="panel">%s</div>', $fieldsString),
empty($metaTemplateString) ? '' : $this->element(