From daaf32beb5bb80d0f6ec06dd3df845b66c9aa7bd Mon Sep 17 00:00:00 2001 From: Frederic Guillot Date: Thu, 23 Feb 2017 18:58:17 -0500 Subject: Always escape initials in LetterAvatarProvider --- ChangeLog | 4 ++++ app/User/Avatar/LetterAvatarProvider.php | 2 +- 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index ff19067c..eaa964bc 100644 --- a/ChangeLog +++ b/ChangeLog @@ -38,6 +38,10 @@ Bug fixes: * Upload files button stay disabled when there are other submit buttons on the same page * Hiding subtasks from hidden tasks in dashboard + +Security: + +* Fix XSS in LetterAvatarProvider (render broken image) * Avoid potential XSS in project overview when listing users (was avoided by default CSP rules) Version 1.0.39 (Feb 12, 2017) diff --git a/app/User/Avatar/LetterAvatarProvider.php b/app/User/Avatar/LetterAvatarProvider.php index 727f9109..cc417a86 100644 --- a/app/User/Avatar/LetterAvatarProvider.php +++ b/app/User/Avatar/LetterAvatarProvider.php @@ -39,7 +39,7 @@ class LetterAvatarProvider extends Base implements AvatarProviderInterface $rgb[1], $rgb[2], $this->helper->text->e($user['name'] ?: $user['username']), - $initials + $this->helper->text->e($initials) ); } -- cgit v1.2.3