fix(bazar): no html in template parameter

mrflos · mrflos · commit 107d43056ade · 2025-04-18T16:04:28.000+03:00
diff --git a/tools/bazar/actions/BazarListeAction.php b/tools/bazar/actions/BazarListeAction.php
@@ -76,7 +76,9 @@ public function formatArguments($arg)
         }
 
         $template = $_GET['template'] ?? $arg['template'] ?? null;
-
+        if ($template) {
+            $template = htmlspecialchars($template);
+        }
         // Dynamic templates
         $dynamic = $this->formatBoolean($arg, false, 'dynamic');
 

Original file line number	Diff line number	Diff line change
`@@ -76,7 +76,9 @@ public function formatArguments($arg)`
`76`	`76`	`}`
`77`	`77`
`78`	`78`	`$template = $_GET['template'] ?? $arg['template'] ?? null;`
`79`		`-`
	`79`	`+ if ($template) {`
	`80`	`+ $template = htmlspecialchars($template);`
	`81`	`+ }`
`80`	`82`	`// Dynamic templates`
`81`	`83`	`$dynamic = $this->formatBoolean($arg, false, 'dynamic');`
`82`	`84`