bugfix: avoid XSS in nodeadd (LMS #1910)

chilek · Jan 17, 2021 · ae841da · ae841da
1 parent 4b88c7e
commit ae841da
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/templates/default/node/nodeaddbox.html b/templates/default/node/nodeaddbox.html
@@ -217,7 +217,7 @@
 												>{$project.name|escape}</OPTION>
 										{/foreach}
 									</SELECT>
-									<INPUT TYPE="TEXT" NAME="nodedata[projectname]" VALUE="{$nodedata.projectname}"
+									<INPUT TYPE="TEXT" NAME="nodedata[projectname]" VALUE="{$nodedata.projectname|escape}"
 										{tip text="Enter new project name" trigger="projectname" } id="projectname"
 										{if !isset($nodedata.invprojectid) || empty($nodedata.invprojectid)} style="display: none;"{/if}>