-rw-r--r--ChangeLog1
-rw-r--r--app/Helper/TextHelper.php13
-rw-r--r--app/Template/project_overview/information.php4
-rw-r--r--tests/units/Helper/TextHelperTest.php7
4 files changed, 23 insertions, 2 deletions
diff --git a/ChangeLog b/ChangeLog
index 183913b9..ff19067c 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -38,6 +38,7 @@ Bug fixes:
* Upload files button stay disabled when there are other submit buttons on the same page
* Hiding subtasks from hidden tasks in dashboard
+* Avoid potential XSS in project overview when listing users (was avoided by default CSP rules)
Version 1.0.39 (Feb 12, 2017)
-----------------------------
diff --git a/app/Helper/TextHelper.php b/app/Helper/TextHelper.php
index 66583cd1..89c1a8f3 100644
--- a/app/Helper/TextHelper.php
+++ b/app/Helper/TextHelper.php
@@ -25,6 +25,19 @@ class TextHelper extends Base
}
/**
+ * Join with HTML escaping
+ *
+ * @param $glue
+ * @param array $list
+ * @return string
+ */
+ public function implode($glue, array $list)
+ {
+ array_walk($list, function (&$value) { $value = htmlspecialchars($value, ENT_QUOTES, 'UTF-8', false); });
+ return implode($glue, $list);
+ }
+
+ /**
* Markdown transformation
*
* @param string $text
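Review bot: The new `implode()` inlines its own `htmlspecialchars()` call with `double_encode` set to false, so a list item that already contains an entity such as `&amp;` or `&lt;` is passed through untouched and renders differently from the same value escaped through the helper's existing `e()` method (used for `$role_name` in this same commit). Unless that pass-through is intended, route each item through the established escaping path so all output escaping shares one set of flags: `return implode($glue, array_map(array($this, 'e'), $list));` — assuming `e()` applies ENT_QUOTES, which this hunk does not show. Note also that without ENT_SUBSTITUTE an item holding invalid UTF-8 makes `htmlspecialchars()` return an empty string, silently dropping that user from the rendered list; that is fail-closed, but worth a comment such as `// invalid UTF-8 yields '' (no ENT_SUBSTITUTE): the item is dropped rather than emitted raw`. The docblock should also type the first parameter, `@param string $glue`.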
diff --git a/app/Template/project_overview/information.php b/app/Template/project_overview/information.php
index 0fe53e08..e8c20903 100644
--- a/app/Template/project_overview/information.php
+++ b/app/Template/project_overview/information.php
@@ -13,8 +13,8 @@
<?php foreach ($roles as $role => $role_name): ?>
<?php if (isset($users[$role])): ?>
<li>
- <?= $role_name ?>:
- <strong><?= implode(', ', $users[$role]) ?></strong>
+ <?= $this->text->e($role_name) ?>:
+ <strong><?= $this->text->implode(', ', $users[$role]) ?></strong>
</li>
<?php endif ?>
<?php endforeach ?>
diff --git a/tests/units/Helper/TextHelperTest.php b/tests/units/Helper/TextHelperTest.php
index 35ed5a1e..abe921fe 100644
--- a/tests/units/Helper/TextHelperTest.php
+++ b/tests/units/Helper/TextHelperTest.php
@@ -9,6 +9,13 @@ use Kanboard\Model\UserModel;
class TextHelperTest extends Base
{
+ public function testImplode()
+ {
+ $textHelper = new TextHelper($this->container);
+ $html = '&lt;img src=x onerror=alert(0)&gt;';
+ $this->assertEquals($html, $textHelper->implode(', ', array('<img src=x onerror=alert(0)>')));
+ }
+
public function testMarkdownTaskLink()
{
$textHelper = new TextHelper($this->container);
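Review bot: `testImplode` exercises a single element, so neither the glue insertion nor the ENT_QUOTES behaviour that makes the output safe inside attributes is covered, and a regression to `ENT_NOQUOTES` or to plain `implode()` on a multi-element list would still pass. Add an assertion covering both: `$this->assertEquals('a&#039;b, &quot;c&quot;', $textHelper->implode(', ', array("a'b", '"c"')));`. Since the helper passes `double_encode = false`, pin that choice so it reads as deliberate rather than accidental, `$this->assertEquals('&amp;lt;', $textHelper->implode(', ', array('&amp;lt;')));`, which expects the existing `&amp;` entity to be left alone. `assertSame()` is the stricter assertion for string output and would be preferable here.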