Security: Portfolio: Apply remove XSS on items and comments content -…

… refs BT#22113
chamilo · Oct 17, 2024 · 7a72f09 · 7a72f09
1 parent b544020
commit 7a72f09
Show file tree

Hide file tree

Showing 2 changed files with 5 additions and 5 deletions.
diff --git a/main/inc/lib/PortfolioController.php b/main/inc/lib/PortfolioController.php
@@ -661,7 +661,7 @@ public function addItem()
                 });
                 $(\'#add_portfolio_template\').on(\'change\', function () {
                     $(\'#portfolio-spinner\').show();
-                
+
                     $.getJSON(_p.web_ajax + \'portfolio.ajax.php?a=find_template&item=\' + this.value)
                         .done(function(response) {
                             if (CKEDITOR.instances.title) {
@@ -3994,7 +3994,7 @@ private function createCommentForm(Portfolio $item): string
             $(function() {
                 $(\'#frm_comment_template\').on(\'change\', function () {
                     $(\'#portfolio-spinner\').show();
-                
+
                     $.getJSON(_p.web_ajax + \'portfolio.ajax.php?a=find_template_comment&comment=\' + this.value)
                         .done(function(response) {
                             CKEDITOR.instances.content.setData(response.content);
@@ -4094,7 +4094,7 @@ private function generateItemContent(Portfolio $item): string
             $origin = $em->find(Portfolio::class, $item->getOrigin());
 
             if ($origin) {
-                $originContent = $origin->getContent();
+                $originContent = Security::remove_XSS($origin->getContent());
                 $originContentFooter = vsprintf(
                     get_lang('OriginallyPublishedAsXTitleByYUser'),
                     [
@@ -4107,7 +4107,7 @@ private function generateItemContent(Portfolio $item): string
             $origin = $em->find(PortfolioComment::class, $item->getOrigin());
 
             if ($origin) {
-                $originContent = $origin->getContent();
+                $originContent = Security::remove_XSS($origin->getContent());
                 $originContentFooter = vsprintf(
                     get_lang('OriginallyCommentedByXUserInYItem'),
                     [

diff --git a/main/template/default/portfolio/view.html.twig b/main/template/default/portfolio/view.html.twig
@@ -47,7 +47,7 @@
         </ul>
     </header>
 
-    {{ item_content }}
+    {{ item_content|remove_xss }}
 
     {% if attachment_list %}
         <section>