Headline
CVE-2022-25317: fix: [security] genericForm reflected XSS in form descriptions for us… · cerebrate-project/cerebrate@e60d97c
An issue was discovered in Cerebrate through 1.4. genericForm allows reflected XSS in form descriptions via a user-controlled description.
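The pattern behind the fix, as an added example in PHP rather than code from the Cerebrate repository: the vulnerable rendering interpolates the description into markup verbatim, the fixed version escapes it first. `escape_html()` is a stand-in for CakePHP's `h()` (which wraps `htmlspecialchars()`), and the payload is a constructed value standing in for whatever a crafted request places in `$data['description']`; both names and the payload are assumptions.

```php
<?php
// Added example, not Cerebrate's own code. Shows the unescaped and escaped
// renderers side by side on a constructed reflected-XSS payload.

declare(strict_types=1);

// Stand-in for CakePHP's h(): escape a value for an HTML text/attribute context.
// (Assumption: mirrors h()'s htmlspecialchars() call with ENT_QUOTES.)
function escape_html(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Before the fix: user-controlled description goes straight into the markup.
function render_description_vulnerable(array $data): string
{
    return empty($data['description']) ? '' : sprintf(
        '<div class="pb-2 fw-light">%s</div>',
        $data['description']
    );
}

// After the fix: same template, but the value is escaped before interpolation,
// so angle brackets and quotes become entities and cannot open a new tag.
function render_description_fixed(array $data): string
{
    return empty($data['description']) ? '' : sprintf(
        '<div class="pb-2 fw-light">%s</div>',
        escape_html($data['description'])
    );
}

// Returns true when the rendered fragment contains no raw '<' from the input,
// i.e. the description can only appear as text, never as markup.
function description_is_inert(string $html): bool
{
    $inner = preg_replace('#^<div[^>]*>|</div>$#', '', $html);
    return $inner !== null && strpos($inner, '<') === false;
}

// Constructed payload (assumption): an attribute-based vector that needs no <script> tag.
$payload = ['description' => '<img src=x onerror="alert(document.domain)">'];

$vulnerable = render_description_vulnerable($payload);
$fixed      = render_description_fixed($payload);

echo "vulnerable: ", $vulnerable, PHP_EOL;
echo "fixed:      ", $fixed, PHP_EOL;

if (description_is_inert($vulnerable)) {
    throw new RuntimeException('expected the unescaped renderer to emit the payload as markup');
}
if (!description_is_inert($fixed)) {
    throw new RuntimeException('expected the escaped renderer to neutralise the payload');
}
```

Run with `php example.php`. The check at the end is the regression test a reviewer would want alongside the fix: it fails on the pre-patch renderer and passes on the patched one, so a later refactor that drops the `h()` call is caught.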
@@ -106,7 +106,7 @@
'%s%s%s%s%s%s’,
empty($data[‘description’]) ? ‘’ : sprintf(
'<div class="pb-2 fw-light">%s</div>’,
$data[‘description’]
h($data[‘description’])
),
$ajaxFlashMessage,
$formCreate,
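Review bot: `h()` now escapes the description, but the same `sprintf` still interpolates `$ajaxFlashMessage` and `$formCreate` without escaping; confirm both are built from already-escaped or trusted markup, since this hunk only hardens one of the format arguments. A short comment above the `sprintf` noting that `description` is user-controlled would also help keep the `h()` call from being dropped in a later refactor.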
@@ -131,7 +131,7 @@
'%s%s%s%s%s%s’,
empty($data[‘description’]) ? ‘’ : sprintf(
'<div class="pb-2">%s</div>’,
$data[‘description’]
h($data[‘description’])
),
$ajaxFlashMessage,
$formCreate,
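Review bot: this is the second copy of the same `empty()`/`sprintf`/`h()` block (only the class list differs from the hunk above), with `$ajaxFlashMessage` and `$formCreate` again passed through unescaped; consider moving the description rendering into a single helper, e.g. one function that takes the class string and returns the escaped `<div>`, so a third caller cannot reintroduce the unescaped variant.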
@@ -157,7 +157,7 @@
$ajaxFlashMessage,
empty($data[‘description’]) ? ‘’ : sprintf(
'<div class="pb-3 fw-light">%s</div>’,
$data[‘description’]
h($data[‘description’])
),
sprintf('<div class="panel">%s</div>’, $fieldsString),
empty($metaTemplateString) ? ‘’ : $this->element(
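Review bot: `empty($data['description'])` also treats the string `"0"` as empty, so a description of `0` is silently dropped rather than rendered; `$data['description'] === ''` (with an `isset` guard) would be more precise. Separately, `$fieldsString` is interpolated into the `<div class="panel">` on the following line without `h()`; verify it is composed from escaped pieces, since that is the same unescaped-interpolation pattern this commit fixes.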