From f984e385c89f53a4eeaf06642da856b5ed304688 Mon Sep 17 00:00:00 2001
From: Hypolite Petovan
Date: Wed, 2 Aug 2023 16:59:08 +0200
Subject: [PATCH] Escape HTML in system messages
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- Thanks to Laura Pîrcălăboiu for the report
---
 src/Module/Notifications/Ping.php | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/src/Module/Notifications/Ping.php b/src/Module/Notifications/Ping.php
index 120035d55..e54bd577b 100644
--- a/src/Module/Notifications/Ping.php
+++ b/src/Module/Notifications/Ping.php
@@ -52,6 +52,7 @@ use Friendica\Network\HTTPException;
 use Friendica\Protocol\Activity;
 use Friendica\Util\DateTimeFormat;
 use Friendica\Util\Profiler;
+use Friendica\Util\Strings;
 use GuzzleHttp\Psr7\Uri;
 use Psr\Log\LoggerInterface;
 
@@ -296,8 +297,8 @@ class Ping extends BaseModule
 $data['notifications'] = $navNotifications;
 
 $data['sysmsgs'] = [
- 'notice' => $this->systemMessages->flushNotices(),
- 'info' => $this->systemMessages->flushInfos(),
+ 'notice' => array_map([Strings::class, 'escapeHtml'], $this->systemMessages->flushNotices()),
+ 'info' => array_map([Strings::class, 'escapeHtml'], $this->systemMessages->flushInfos()),
 ];
 
 if (isset($_GET['callback'])) {
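Review bot: The escaping in the `sysmsgs` hunk happens only on this ping transport, so any other consumer of `flushNotices()`/`flushInfos()` (a server-side template render of the same queue, if one exists) still receives the raw strings, and a client that already escapes the JSON values before inserting them into the DOM will now double-encode; the fix is correct only if this endpoint is the single sink and its JavaScript consumer inserts the text unescaped, which is worth confirming before merging. System messages that were intentionally composed with markup (a link in a success notice, for example) will now render as literal tags, so callers that push HTML into `systemMessages` need a check. Stylistically, the array callable `[Strings::class, 'escapeHtml']` is opaque to static analysis; prefer `static fn (string $message): string => Strings::escapeHtml($message)` or, if the project's minimum PHP is 8.1, the first-class callable `Strings::escapeHtml(...)`. The enclosing method of `Ping` starts and ends outside the hunk.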