Merge pull request #13655 from keithhacks/escape-notification-contact-names

(Security) HTML-escape notification contact names
This commit is contained in:
Hypolite Petovan 2023-11-19 23:02:15 -05:00 committed by GitHub
commit 676ce83dab
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23

View File

@ -134,6 +134,6 @@ class Notify extends BaseEntity
*/ */
public static function formatMessage(string $name, string $message): string public static function formatMessage(string $name, string $message): string
{ {
return str_replace('{0}', '<span class="contactname">' . BBCode::toPlaintext($name, false) . '</span>', htmlspecialchars($message)); return str_replace('{0}', '<span class="contactname">' . htmlspecialchars(BBCode::toPlaintext($name, false)) . '</span>', htmlspecialchars($message));
} }
} }