Security bug 1819547: Need to escape collection title on matrix page

To avoid potential XSS vector behatnotneeded Change-Id: I00eb57f1421a0969f8da93ace6210f84c0830fa7 Signed-off-by: Robert Lyon <robertl@catalyst.net.nz> (cherry picked from commit 51726c19) (cherry picked from commit 270e2f73)

Security bug 1819547: Need to escape collection title on matrix page
To avoid potential XSS vector behatnotneeded Change-Id: I00eb57f1421a0969f8da93ace6210f84c0830fa7 Signed-off-by: Robert Lyon <robertl@catalyst.net.nz> (cherry picked from commit 51726c19) (cherry picked from commit 270e2f73)
aee824bd · Robert Lyon · Cecilia Vela Gurovic · ac4f9f72 · aee824bd
Commit aee824bd authored Mar 12, 2019 by Robert Lyon Committed by Cecilia Vela Gurovic Apr 30, 2019
Hide whitespace changes
Inline Side-by-side

Showing with 1 addition and 2 deletions

htdocs/module/framework/matrix.php htdocs/module/framework/matrix.php +1 -2

No files found.
--- a/htdocs/module/framework/matrix.php
+++ b/htdocs/module/framework/matrix.php
@@ -37,7 +37,6 @@ if (!$collection->has_framework()) {
        // The collection does have a framework associated but we are not allowed
        // to see the matrix page so show an error page with link to first page of collection.
        $smarty = smarty();
-        $smarty->assign('maintitle', $collection->get('name'));
        $smarty->assign('owner', $collection->get('owner'));
        $smarty->assign('PAGEHEADING', null);
        $smarty->assign('name', get_string('frameworkmissing', 'module.framework'));
@@ -198,7 +197,7 @@ $inlinejs = <<<EOF
 EOF;

 $smarty->assign('INLINEJAVASCRIPT', $inlinejs);
-$smarty->assign('maintitle', $collection->get('name'));
+$smarty->assign('maintitle', hsc($collection->get('name')));
 $smarty->assign('collectionid', $collection->get('id'));
 $smarty->assign('owner', $owner);
 $smarty->assign('PAGEHEADING', null);