Fix an XSS in the result graph

Signed-off-by: Thomas Citharel <tcit@tcit.fr>

Fix an XSS in the result graph
Signed-off-by: Thomas Citharel <tcit@tcit.fr>
02229c67 · Thomas Citharel · e0028dc8 · 02229c67 · 02229c67
Unverified Commit 02229c67 authored Jul 19, 2021 by Thomas Citharel
--- a/app/inc/smarty.php
+++ b/app/inc/smarty.php
@@ -73,6 +73,10 @@ function smarty_modifier_addslashes_single_quote($string) {
    return addcslashes($string, '\\\'');
 }

+function smarty_modifier_addslashes($string) {
+    return addslashes($string);
+}
+
 function smarty_modifier_html($html) {
    return Utils::htmlEscape($html);
 }

--- a/tpl/part/vote_table_classic.tpl
+++ b/tpl/part/vote_table_classic.tpl
@@ -282,7 +282,7 @@
                });
                var cols = [
                {foreach $slots as $id=>$slot}
-                    $('<div/>').html('{$slot->title|markdown:true}').text(),
+                    "{$slot->title|markdown:true|addslashes}",
                {/foreach}
                ];