3.7.55.2 - fixed an XSS vulnerability

brandonkelly · brandonkelly · commit 7139213dbd9e · 2022-09-22T07:47:59.000-07:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,10 @@
 # Release Notes for Craft CMS 3.x
 
+## 3.7.55.2 - 2022-09-22
+
+### Security
+- Fixed an XSS vulnerability.
+
 ## 3.7.55.1 - 2022-09-21
 
 ### Fixed
diff --git a/composer.json b/composer.json
@@ -1,7 +1,7 @@
 {
   "name": "craftcms/cms",
   "description": "Craft CMS",
-  "version": "3.7.55.1",
+  "version": "3.7.55.2",
   "keywords": [
     "cms",
     "craftcms",
diff --git a/src/base/Element.php b/src/base/Element.php
@@ -4086,7 +4086,10 @@ public function getMetadata(): array
                 }
                 /** @var RevisionBehavior $behavior */
                 $behavior = $revision->getBehavior('revision');
-                return $behavior->revisionNotes ?: false;
+                if ($behavior->revisionNotes === null || $behavior->revisionNotes === '') {
+                    return false;
+                }
+                return Html::encode($behavior->revisionNotes);
             },
         ]);
     }
diff --git a/src/config/app.php b/src/config/app.php
@@ -3,7 +3,7 @@
 return [
     'id' => 'CraftCMS',
     'name' => 'Craft CMS',
-    'version' => '3.7.55.1',
+    'version' => '3.7.55.2',
     'schemaVersion' => '3.7.33',
     'minVersionRequired' => '2.6.2788',
     'basePath' => dirname(__DIR__), // Defines the @app alias

Original file line number	Diff line number	Diff line change
`@@ -4086,7 +4086,10 @@ public function getMetadata(): array`
`4086`	`4086`	`}`
`4087`	`4087`	`/** @var RevisionBehavior $behavior */`
`4088`	`4088`	`$behavior = $revision->getBehavior('revision');`
`4089`		`- return $behavior->revisionNotes ?: false;`
	`4089`	`+ if ($behavior->revisionNotes === null \|\| $behavior->revisionNotes === '') {`
	`4090`	`+ return false;`
	`4091`	`+ }`
	`4092`	`+ return Html::encode($behavior->revisionNotes);`
`4090`	`4093`	`},`
`4091`	`4094`	`]);`
`4092`	`4095`	`}`