N°8168 - Stored XSS in portals lnk

bdalsass · bdalsass · commit 81b20ee5831a · 2025-05-23T08:42:56.000+02:00
diff --git a/sources/renderer/bootstrap/fieldrenderer/bslinkedsetfieldrenderer.class.inc.php b/sources/renderer/bootstrap/fieldrenderer/bslinkedsetfieldrenderer.class.inc.php
@@ -611,7 +611,7 @@ protected function PrepareItems(&$aItems, &$aItemIds)
 					if ($oAttDef->IsExternalKey())
 					{
 						/** @var \AttributeExternalKey $oAttDef */
-						$aAttProperties['value'] = $oRemoteItem->Get($sAttCode . '_friendlyname');
+						$aAttProperties['value'] = \Str::pure2html($oRemoteItem->Get($sAttCode . '_friendlyname'));
 
 						// Checking if user can access object's external key
 						$sObjectUrl = ApplicationContext::MakeObjectUrl($oAttDef->GetTargetClass(), $oRemoteItem->Get($sAttCode));

Original file line number	Diff line number	Diff line change
`@@ -611,7 +611,7 @@ protected function PrepareItems(&$aItems, &$aItemIds)`
`611`	`611`	`if ($oAttDef->IsExternalKey())`
`612`	`612`	`{`
`613`	`613`	`/** @var \AttributeExternalKey $oAttDef */`
`614`		`- $aAttProperties['value'] = $oRemoteItem->Get($sAttCode . '_friendlyname');`
	`614`	`+ $aAttProperties['value'] = \Str::pure2html($oRemoteItem->Get($sAttCode . '_friendlyname'));`
`615`	`615`
`616`	`616`	`// Checking if user can access object's external key`
`617`	`617`	`$sObjectUrl = ApplicationContext::MakeObjectUrl($oAttDef->GetTargetClass(), $oRemoteItem->Get($sAttCode));`