

[FIX] Stored-XSS using htmlentities() in audit log
alromh87 committed Sep 24, 2020
1 parent 098e345 commit 4e2b8d1
Showing 1 changed file with 2 additions and 3 deletions.
5 changes: 2 additions & 3 deletions app/Helpers/AuditLogHelper.php
Expand Up @@ -31,17 +31,16 @@ public static function getCollectionOfAuditForSettings($logs): Collection
'logs.settings_log_'.$log->action.'_with_name_with_link',
[
'link' => '/people/'.$contact->hashId(),
'name' => $contact->name,
'name' => htmlentities($contact->name, ENT_QUOTES, 'utf-8'),
]
);
} catch (ModelNotFoundException $e) {
// the contact doesn't exist anymore, we don't need a link, we'll only display a name
$description = trans('logs.settings_log_'.$log->action.'_with_name', ['name' => $log->object->{'contact_name'}]);
$description = trans('logs.settings_log_'.$log->action.'_with_name', ['name' => htmlentities($log->object->{'contact_name'}, ENT_QUOTES, 'utf-8')]);
}
} else {
$description = trans('logs.settings_log_'.$log->action, ['name' => $log->object->{'name'}]);
}

$logsCollection->push([
'author_name' => ($log->author) ? $log->author->name : $log->author_name,
'description' => $description,
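Review bot: The `else` branch, `$description = trans('logs.settings_log_'.$log->action, ['name' => $log->object->{'name'}]);`, still interpolates `$log->object->{'name'}` unescaped into the same `$description` that the two patched branches now escape, so if the description is rendered as raw HTML (which the commit implies, since the link variant needs markup) a stored name reaching that branch is still injectable; the minimal fix is `['name' => htmlentities($log->object->{'name'}, ENT_QUOTES, 'utf-8')]`. The `author_name` value pushed alongside it also goes into the collection unescaped, so whether it is safe depends on how the view prints it, which is not visible here. Escaping in the helper ties the data to one output context; the more durable fix is to keep this helper returning raw strings and escape in the Blade template at the point where `description` is printed, and if escaping does stay here, add `ENT_SUBSTITUTE` so a name with invalid UTF-8 is not silently reduced to an empty string. The enclosing `getCollectionOfAuditForSettings` starts before and ends after this hunk.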
