bugfix: avoid XSS in new operaton form in customer balance box (LMS #…

…1910)
chilek · Apr 8, 2021 · bb0c8ca · bb0c8ca
1 parent 50ba542
commit bb0c8ca
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/templates/default/customer/customerbalancebox.html b/templates/default/customer/customerbalancebox.html
@@ -130,7 +130,7 @@
 					<TD class="text-right nobr{if $item.after < 0} red{/if}">{moneyf($item.after)}</TD>
 					<TD class="comment"
 						{if $item.doctype == $smarty.const.DOC_INVOICE && !empty($item.reference) && $aggregate_documents && !empty($item.documentcomment)} title="{$item.documentcomment}"{/if}
-						>{$item.comment}</TD>
+						>{$item.comment|escape}</TD>
 					<TD class="text-right nobr">
 						{foreach $item.customlinks as $link}
 							<A {if isset($link.url)} href="{$link.url}" {/if} rel="external" {if isset($link.onclick)} onclick="{$link.onclick}"{/if}>{if isset($link.icon)}<IMG src="{$link.icon}" alt="{$link.label}" {$link.tip}>{else}{$link.label}{/if}</A>