diff --git a/concrete/blocks/file/view.php b/concrete/blocks/file/view.php index ba943b0a8e0..908f465258f 100644 --- a/concrete/blocks/file/view.php +++ b/concrete/blocks/file/view.php @@ -16,7 +16,7 @@ ?>
- getLinkText()) ?> + getLinkText())) ?>
error->has()) { $response = new EditResponse(); - $response->setMessage(t('%s deleted successfully.', $searchPreset->getPresetName())); + $response->setMessage(t('%s deleted successfully.', h($searchPreset->getPresetName()))); $response->setAdditionalDataAttribute('presetID', $presetID); $em = $this->app->make(\Doctrine\ORM\EntityManager::class); $em->remove($searchPreset); diff --git a/concrete/controllers/dialog/file/preset/delete.php b/concrete/controllers/dialog/file/preset/delete.php index 6c30407cf8e..f2e73174491 100644 --- a/concrete/controllers/dialog/file/preset/delete.php +++ b/concrete/controllers/dialog/file/preset/delete.php @@ -46,7 +46,7 @@ public function remove_search_preset() } if (!$this->error->has()) { $response = new EditResponse(); - $response->setMessage(t('%s deleted successfully.', $searchPreset->getPresetName())); + $response->setMessage(t('%s deleted successfully.', h($searchPreset->getPresetName()))); $response->setAdditionalDataAttribute('presetID', $presetID); $node = TreeNodeSearchPreset::getNodeBySavedSearchID($presetID); if (is_object($node)) { diff --git a/concrete/controllers/dialog/search/preset/delete.php b/concrete/controllers/dialog/search/preset/delete.php index 2a7a091b0e5..0a49f958305 100644 --- a/concrete/controllers/dialog/search/preset/delete.php +++ b/concrete/controllers/dialog/search/preset/delete.php @@ -48,7 +48,7 @@ public function remove_search_preset() } if (!$this->error->has()) { $response = new EditResponse(); - $response->setMessage(t('%s deleted successfully.', $searchPreset->getPresetName())); + $response->setMessage(t('%s deleted successfully.', h($searchPreset->getPresetName()))); $response->setAdditionalDataAttribute('presetID', $presetID); $em = $this->app->make(EntityManager::class); $em->remove($searchPreset); diff --git a/concrete/controllers/dialog/search/preset/edit.php b/concrete/controllers/dialog/search/preset/edit.php index 2df2da926fb..216c6ff0f3e 100644 --- a/concrete/controllers/dialog/search/preset/edit.php +++ b/concrete/controllers/dialog/search/preset/edit.php @@ -49,7 +49,7 @@ public function edit_search_preset() } if (!$this->error->has()) { $response = new EditResponse(); - $response->setMessage(t('%s edited successfully.', $newPresetName)); + $response->setMessage(t('%s edited successfully.', h($newPresetName))); $response->setAdditionalDataAttribute('presetID', $presetID); $response->setAdditionalDataAttribute('actionURL', (string) $this->getSavedSearchBaseURL($searchPreset)); $searchPreset->setPresetName($newPresetName); diff --git a/concrete/single_pages/dashboard/system/calendar/colors.php b/concrete/single_pages/dashboard/system/calendar/colors.php index 52ff99e7999..aa9b3492e6a 100644 --- a/concrete/single_pages/dashboard/system/calendar/colors.php +++ b/concrete/single_pages/dashboard/system/calendar/colors.php @@ -8,11 +8,11 @@
label('defaultBackgroundColor', t('Background'))?> - output('defaultBackgroundColor', $defaultBackgroundColor)?> + output('defaultBackgroundColor', h($defaultBackgroundColor))?>
label('defaultTextColor', t('Text'))?> - output('defaultTextColor', $defaultTextColor)?> + output('defaultTextColor', h($defaultTextColor))?>
@@ -45,10 +45,10 @@ checkbox('override[]', $topic->getTreeNodeID(), $checked)?> getTreeNodeDisplayName()?> - output('backgroundColor[' . $topic->getTreeNodeID() . ']', $backgroundColor)?> - output('textColor[' . $topic->getTreeNodeID() . ']', $textColor)?> + output('backgroundColor[' . $topic->getTreeNodeID() . ']', h($backgroundColor))?> + output('textColor[' . $topic->getTreeNodeID() . ']', h($textColor))?> - diff --git a/concrete/src/StyleCustomizer/Inline/StyleSet.php b/concrete/src/StyleCustomizer/Inline/StyleSet.php index 1d9b13551c7..f5156ba5942 100644 --- a/concrete/src/StyleCustomizer/Inline/StyleSet.php +++ b/concrete/src/StyleCustomizer/Inline/StyleSet.php @@ -256,8 +256,14 @@ public static function populateFromRequest(Request $request) $v = $post->get('customClass'); if (is_array($v)) { - $set->setCustomClass(implode(' ', $v)); - $return = true; + $v = array_filter($v, function ($class) { + return preg_match('/^-?[_a-zA-Z]+[_a-zA-Z0-9-]*$/', $class); + }); + + if (count($v) > 0) { + $set->setCustomClass(implode(' ', $v)); + $return = true; + } } $v = trim($post->get('customID', '')); diff --git a/concrete/views/dialogs/search/preset/delete.php b/concrete/views/dialogs/search/preset/delete.php index e7b35bda8ae..ff25a3ca9e6 100644 --- a/concrete/views/dialogs/search/preset/delete.php +++ b/concrete/views/dialogs/search/preset/delete.php @@ -4,7 +4,7 @@
output('remove_search_preset'); ?> hidden('presetID', $searchPreset->getId()); ?> -

getPresetName()); ?>

+

getPresetName())); ?>

diff --git a/concrete/views/dialogs/search/preset/edit.php b/concrete/views/dialogs/search/preset/edit.php index 2a60468c318..fdfb31be888 100644 --- a/concrete/views/dialogs/search/preset/edit.php +++ b/concrete/views/dialogs/search/preset/edit.php @@ -6,7 +6,7 @@ hidden('presetID', $searchPreset->getId()); ?>
label('presetName', t('Name')); ?> - text('presetName', $searchPreset->getPresetName()); ?> + text('presetName', h($searchPreset->getPresetName())); ?>