-rw-r--r--ChangeLog4
-rw-r--r--app/User/Avatar/LetterAvatarProvider.php2
2 files changed, 5 insertions, 1 deletions
diff --git a/ChangeLog b/ChangeLog
index ff19067c..eaa964bc 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -38,6 +38,10 @@ Bug fixes:
* Upload files button stay disabled when there are other submit buttons on the same page
* Hiding subtasks from hidden tasks in dashboard
+
+Security:
+
+* Fix XSS in LetterAvatarProvider (render broken image)
* Avoid potential XSS in project overview when listing users (was avoided by default CSP rules)
Version 1.0.39 (Feb 12, 2017)
diff --git a/app/User/Avatar/LetterAvatarProvider.php b/app/User/Avatar/LetterAvatarProvider.php
index 727f9109..cc417a86 100644
--- a/app/User/Avatar/LetterAvatarProvider.php
+++ b/app/User/Avatar/LetterAvatarProvider.php
@@ -39,7 +39,7 @@ class LetterAvatarProvider extends Base implements AvatarProviderInterface
$rgb[1],
$rgb[2],
$this->helper->text->e($user['name'] ?: $user['username']),
- $initials
+ $this->helper->text->e($initials)
);
}