Headline
CVE-2022-1588: Merge pull request from GHSA-m8x6-6r63-qvj2 · contao/contao@1992068
Cross-site Scripting (XSS) in GitHub repository contao/contao prior to 4.13.3. An attacker can execute malicious JS in the application.
@@ -230,12 +230,12 @@ protected function prepare($objPage)
$this->Template->pageTitle = str_replace('[-]', '’, $this->Template->pageTitle);
// Meta robots tag
$this->Template->robots = $headBag->getMetaRobots();
$this->Template->robots = htmlspecialchars($headBag->getMetaRobots());
// Canonical
if ($objPage->enableCanonical)
{
$this->Template->canonical = $headBag->getCanonicalUriForRequest($request);
$this->Template->canonical = htmlspecialchars($headBag->getCanonicalUriForRequest($request));
}
// Fall back to the default title tag
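Review bot: Both new `htmlspecialchars()` calls rely on the default flags, and on the PHP versions where the default is `ENT_COMPAT` (before 8.1) single quotes are left unescaped, so a value that ends up inside a single-quoted attribute in the template (the canonical URI is presumably used in an `href`) would still be able to break out of it. Passing the flags explicitly makes the escaping independent of the runtime: `$this->Template->robots = htmlspecialchars($headBag->getMetaRobots(), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');` and `$this->Template->canonical = htmlspecialchars($headBag->getCanonicalUriForRequest($request), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');`. It is worth confirming that the templates consuming these two properties do not escape them a second time, since that would double-encode `&` in the canonical URL. The `prepare()` method starts and ends outside this hunk, so whether the same defaults are used for other head values assigned there cannot be seen from here.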