| author | Frederic Guillot <fred@kanboard.net> | 2017-02-23 18:58:17 -0500 |
|---|---|---|
| committer | Frederic Guillot <fred@kanboard.net> | 2017-02-23 18:58:17 -0500 |
| commit | daaf32beb5bb80d0f6ec06dd3df845b66c9aa7bd (patch) | |
| tree | d3695d9daa16e5bd697548ff1486843d96d79d0a | |
| parent | dd579937e36ec494372d8d99b49d0943ea2b721d (diff) | |
Always escape initials in LetterAvatarProvider
-rw-r--r-- | ChangeLog | 4
-rw-r--r-- | app/User/Avatar/LetterAvatarProvider.php | 2
2 files changed, 5 insertions, 1 deletions
@@ -38,6 +38,10 @@ Bug fixes: * Upload files button stay disabled when there are other submit buttons on the same page * Hiding subtasks from hidden tasks in dashboard + +Security: + +* Fix XSS in LetterAvatarProvider (render broken image) * Avoid potential XSS in project overview when listing users (was avoided by default CSP rules) Version 1.0.39 (Feb 12, 2017) diff --git a/app/User/Avatar/LetterAvatarProvider.php b/app/User/Avatar/LetterAvatarProvider.php index 727f9109..cc417a86 100644 --- a/app/User/Avatar/LetterAvatarProvider.php +++ b/app/User/Avatar/LetterAvatarProvider.php @@ -39,7 +39,7 @@ class LetterAvatarProvider extends Base implements AvatarProviderInterface $rgb[1], $rgb[2], $this->helper->text->e($user['name'] ?: $user['username']), - $initials + $this->helper->text->e($initials) ); } |
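Review bot: in the ChangeLog hunk, the new "Security:" heading is inserted directly above the existing "* Avoid potential XSS in project overview when listing users (was avoided by default CSP rules)" entry, which silently moves that entry out of "Bug fixes:" and under "Security:"; if that reclassification is intended, say so in the commit message, and consider rewording the new entry "Fix XSS in LetterAvatarProvider (render broken image)" so the parenthetical states what is now escaped (the user initials) rather than the symptom, since readers of a Security section want to know which output was affected.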
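Review bot: the LetterAvatarProvider.php hunk fixes the gap correctly by wrapping `$initials` in `$this->helper->text->e(...)` at its point of use, consistent with the escaped `$this->helper->text->e($user['name'] ?: $user['username'])` on the line above, but the change ships without a regression test; add a unit test for this provider that renders a user whose name yields initials containing `<`, `>` and `"` and asserts the generated markup contains only the HTML-escaped forms, so the escaping cannot be dropped again in a later refactor. Also confirm in the same sprintf that `$rgb[1]` and `$rgb[2]` are always integers derived server-side, so the initials were the only remaining unescaped interpolation.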