From 6412a582617a39b0a699a1227fdb7337256167c3 Mon Sep 17 00:00:00 2001
From: Christophe Coevoet
Date: Sat, 6 Apr 2019 11:38:26 +0200
Subject: [PATCH] Fix XSS issues in the form theme of the PHP templating engine
---
 Resources/views/Form/choice_widget_collapsed.html.php | 2 +-
 Resources/views/Form/form_errors.html.php | 2 +-
 Resources/views/Form/form_start.html.php | 4 ++--
 3 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/Resources/views/Form/choice_widget_collapsed.html.php b/Resources/views/Form/choice_widget_collapsed.html.php
index c63d354e1..6a57d585c 100644
--- a/Resources/views/Form/choice_widget_collapsed.html.php
+++ b/Resources/views/Form/choice_widget_collapsed.html.php
@@ -11,7 +11,7 @@ 0): ?> block($form, 'choice_widget_options', ['choices' => $preferred_choices]) ?> 0 && null !== $separator): ?> - + block($form, 'choice_widget_options', ['choices' => $choices]) ?>
diff --git a/Resources/views/Form/form_errors.html.php b/Resources/views/Form/form_errors.html.php
index 77c60d7df..d97179e9a 100644
--- a/Resources/views/Form/form_errors.html.php
+++ b/Resources/views/Form/form_errors.html.php
@@ -1,7 +1,7 @@ 0): ?>
diff --git a/Resources/views/Form/form_start.html.php b/Resources/views/Form/form_start.html.php
index ba2f3a479..7e2442580 100644
--- a/Resources/views/Form/form_start.html.php
+++ b/Resources/views/Form/form_start.html.php
@@ -1,6 +1,6 @@ -
action="" $v) { printf(' %s="%s"', $view->escape($k), $view->escape($v)); } ?> enctype="multipart/form-data"> + action="escape($action) ?>" $v) { printf(' %s="%s"', $view->escape($k), $view->escape($v)); } ?> enctype="multipart/form-data"> - +
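Review bot: The new `action="<?php echo $view->escape($action) ?>"` (the `<?php echo $view->` prefix is stripped in this rendering) applies the view's default HTML-context escaping, which stops `$action` from breaking out of the quoted attribute but does not constrain which URL it holds; that is acceptable as long as `$action` is set from the form's options rather than from request data, which this hunk cannot show. The attribute loop on the same line already passes both `$k` and `$v` through `$view->escape`, so after this change every interpolated value visible in the `<form>` tag is escaped the same way. The second removed/added pair at the end of this hunk has no visible content here and could not be reviewed, and since the header `@@ -1,6 +1,6 @@` covers six lines the hunk's closing lines may also be truncated. The changed lines of the two earlier hunks (choice_widget_collapsed, form_errors) are likewise stripped in this rendering, so the same check — that the added line wraps the previously raw echo in `$view->escape(...)` — should be confirmed against the source repository.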