[Web] escape html of alert messages

mailcow · Apr 4, 2024 · cf2fda6 · cf2fda6
1 parent cd24057
commit cf2fda6
Showing 1 changed file with 2 additions and 1 deletion.
diff --git a/data/web/inc/footer.inc.php b/data/web/inc/footer.inc.php
@@ -12,7 +12,8 @@
 $alerts = [];
 if (is_array($alertbox_log_parser)) {
   foreach ($alertbox_log_parser as $log) {
-    $message = strtr($log['msg'], ["\n" => '', "\r" => '', "\t" => '<br>']);
+    $message = htmlspecialchars($log['msg'], ENT_QUOTES);
+    $message = strtr($message, ["\n" => '', "\r" => '', "\t" => '<br>']);
     $alerts[trim($log['type'], '"')][] = trim($message, '"');
   }
   $alert = array_filter(array_unique($alerts));