From 7a72f095fac7128be36118b8e1748b9dbb69c599 Mon Sep 17 00:00:00 2001 From: Angel Fernando Quiroz Campos <1697880+AngelFQC@users.noreply.github.com> Date: Thu, 17 Oct 2024 10:58:13 -0500 Subject: [PATCH] Security: Portfolio: Apply remove XSS on items and comments content - refs BT#22113 --- main/inc/lib/PortfolioController.php | 8 ++++---- main/template/default/portfolio/view.html.twig | 2 +- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/main/inc/lib/PortfolioController.php b/main/inc/lib/PortfolioController.php index 7833efdca9a..a9580509738 100644 --- a/main/inc/lib/PortfolioController.php +++ b/main/inc/lib/PortfolioController.php @@ -661,7 +661,7 @@ public function addItem() }); $(\'#add_portfolio_template\').on(\'change\', function () { $(\'#portfolio-spinner\').show(); - + $.getJSON(_p.web_ajax + \'portfolio.ajax.php?a=find_template&item=\' + this.value) .done(function(response) { if (CKEDITOR.instances.title) { @@ -3994,7 +3994,7 @@ private function createCommentForm(Portfolio $item): string $(function() { $(\'#frm_comment_template\').on(\'change\', function () { $(\'#portfolio-spinner\').show(); - + $.getJSON(_p.web_ajax + \'portfolio.ajax.php?a=find_template_comment&comment=\' + this.value) .done(function(response) { CKEDITOR.instances.content.setData(response.content); @@ -4094,7 +4094,7 @@ private function generateItemContent(Portfolio $item): string $origin = $em->find(Portfolio::class, $item->getOrigin()); if ($origin) { - $originContent = $origin->getContent(); + $originContent = Security::remove_XSS($origin->getContent()); $originContentFooter = vsprintf( get_lang('OriginallyPublishedAsXTitleByYUser'), [ 
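Review bot: `Security::remove_XSS($origin->getContent())` in the Portfolio-origin branch is called without a second argument, so if that helper picks its purifier profile from the *current* user's status (its optional `$user_status` parameter suggests it does — confirm against the `Security` class), content authored by another user is cleaned with the viewer's allowance, which is widest for admins and teachers, exactly the audience a stored payload would target. Consider pinning the profile to the least privileged one, e.g. `$originContent = Security::remove_XSS($origin->getContent(), STUDENT);`, or deriving it from the origin author rather than the reader. The footer built just below with `vsprintf(get_lang('OriginallyPublishedAsXTitleByYUser'), [...])` interpolates the origin's title and author name; those arguments lie outside the hunk, and if they are raw entity values they reach the same HTML unescaped, so they need `Security::remove_XSS()` or `htmlspecialchars()` as well. `generateItemContent()` starts and ends outside this hunk.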
@@ -4107,7 +4107,7 @@ private function generateItemContent(Portfolio $item): string $origin = $em->find(PortfolioComment::class, $item->getOrigin()); if ($origin) { - $originContent = $origin->getContent(); + $originContent = Security::remove_XSS($origin->getContent()); $originContentFooter = vsprintf( get_lang('OriginallyCommentedByXUserInYItem'), [ diff --git a/main/template/default/portfolio/view.html.twig b/main/template/default/portfolio/view.html.twig index 93cd033515e..2b8d361663e 100644 --- a/main/template/default/portfolio/view.html.twig +++ b/main/template/default/portfolio/view.html.twig @@ -47,7 +47,7 @@ - {{ item_content }} + {{ item_content|remove_xss }} {% if attachment_list %}
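Review bot: The PortfolioComment-origin branch now purifies the comment in the controller while the same commit also adds `|remove_xss` to `item_content` in view.html.twig, so this text likely passes through HTMLPurifier twice; that is harmless but leaves the next maintainer unsure which layer is the real guard. Add a why-comment on the new line, e.g. `// Purify here as well: the origin comment was written by another user and this string is reused outside view.html.twig` — if that reuse is the reason; otherwise drop one of the two passes. Both the Portfolio and PortfolioComment branches repeat the identical `$originContent = Security::remove_XSS($origin->getContent());` line, so a small private helper taking the origin entity would keep the sanitizer choice (and any user-status profile argument) in one place. The `OriginallyCommentedByXUserInYItem` footer arguments are outside the hunk and should get the same escaping if they are raw user or title values. `generateItemContent()` starts and ends outside this hunk.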