CVE-2023-5891: pkp/pkp-lib#9306 Escape context names in form field labels · pkp/pkp-lib@d4111c4
Cross-site Scripting (XSS) - Reflected in GitHub repository pkp/pkp-lib prior to 3.3.0-16.
Expand Up @@ -49,7 +49,7 @@ public function __construct($action, $locales, $site) { foreach ($contextsIterator as $context) { $options[] = [ ‘value’ => $context->getId(), ‘label’ => $context->getLocalizedData(‘name’), ‘label’ => htmlspecialchars($context->getLocalizedData(‘name’)), ]; } if (count($options) > 1) $this->addField(new FieldSelect('redirect’, [ Expand Down
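Review bot: the `htmlspecialchars($context->getLocalizedData('name'))` call in the replaced `'label'` line relies on PHP's default flags, which only became `ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401` in PHP 8.1; on the older PHP versions this 3.3.x line still supports, single quotes are left unencoded, so a context name containing `'` would survive into the option label. Consider passing the flags explicitly, e.g. `htmlspecialchars($context->getLocalizedData('name'), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')`, so the escaping does not depend on the runtime. It is also worth confirming that the `FieldSelect` options are rendered as raw HTML rather than text-escaped again by the template layer; if they are escaped there too, a journal name such as `A & B` will render as `A &amp;amp; B`, and the right fix would be escaping in one place only.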