From e998c059b6162286cf70686f61884fd249dfa38a Mon Sep 17 00:00:00 2001
From: Philipp
Date: Sun, 14 May 2023 20:31:20 +0200
Subject: [PATCH] Escape message for notifications

---
 .../Notifications/Entity/Notify.php | 2 +-
 .../Notifications/Entity/NotifyTest.php | 28 +++++++++++++++++++
 2 files changed, 29 insertions(+), 1 deletion(-)
 create mode 100644 tests/src/Navigation/Notifications/Entity/NotifyTest.php

diff --git a/src/Navigation/Notifications/Entity/Notify.php b/src/Navigation/Notifications/Entity/Notify.php
index b7a007a2f0..45f450b1d1 100644
--- a/src/Navigation/Notifications/Entity/Notify.php
+++ b/src/Navigation/Notifications/Entity/Notify.php
@@ -134,6 +134,6 @@ class Notify extends BaseEntity
  */
 public static function formatMessage(string $name, string $message): string
 {
- return str_replace('{0}', '' . strip_tags(BBCode::convert($name)) . '', $message);
+ return str_replace('{0}', '' . strip_tags(BBCode::convert($name)) . '', htmlspecialchars($message));
 }
 }
diff --git a/tests/src/Navigation/Notifications/Entity/NotifyTest.php b/tests/src/Navigation/Notifications/Entity/NotifyTest.php
new file mode 100644
index 0000000000..2021759e09
--- /dev/null
+++ b/tests/src/Navigation/Notifications/Entity/NotifyTest.php
@@ -0,0 +1,28 @@
+ [ 'name' => 'Whiskers', 'message' => '{0} commented in the thread "If my username causes a pop up in a piece of software, that softwar…" from ', 'assertion' => 'Whiskers commented in the thread "If my username causes a pop up in a piece of software, that softwar…" from <script>alert("Tek");</script>', ], ]; } /** * @dataProvider dataFormatNotify */ public function testFormatNotify(string $name, string $message, string $assertion) { self::assertEquals($assertion, Notify::formatMessage($name, $message)); } }
-- 
2.39.5
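Review bot: `htmlspecialchars($message)` on the added `return` line relies on the default flags, which changed in PHP 8.1: on earlier versions the default is `ENT_COMPAT`, so single quotes in `$message` are left unescaped, and without `ENT_SUBSTITUTE` a message containing invalid UTF-8 comes back as an empty string instead of an escaped one. If this code base still supports PHP below 8.1, pin the behavior explicitly: `htmlspecialchars($message, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')`. Two properties of this line deserve a comment above the `return`: `$name` is spliced in after the escaping step, so it is only as safe as `strip_tags(BBCode::convert(...))` makes it (tags are removed, but `&`, `"` and `'` are not encoded), and with `double_encode` left at its default any entity already present in `$message` is encoded a second time, so it is worth confirming callers pass raw rather than pre-escaped text. The `'' . … . ''` wrapping around the name on both the old and new line looks like markup lost in rendering, so I have not reviewed it.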
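Review bot: The single dataset in `dataFormatNotify` only exercises markup inside `$message`; nothing covers the `{0}` substitution path, where `$name` bypasses `htmlspecialchars()` and is only passed through `strip_tags(BBCode::convert(...))`, nor a message containing a single quote, whose encoding depends on the PHP version when `htmlspecialchars()` is called without explicit flags. Add a second dataset along the lines of `'name' => 'Whis<b>kers</b>', 'message' => "{0} said 'hi'"` with the expected output spelled out, so the contract for both inputs is pinned rather than implied. As a style point, `testFormatNotify` types its parameters but declares no `: void` return type. The class header and the signature of `dataFormatNotify` are outside what is visible here, and the `<script>` tag appears to have been dropped from the `message` value in this rendering while it survives entity-encoded in `assertion`, so the literal inputs shown may not match the actual file.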