Address H1 3247363

mlocati · mlocati · commit 13114d57aae2 · 2025-08-05T12:01:25.000+02:00
diff --git a/attributes/textarea/form.php b/attributes/textarea/form.php
@@ -1,12 +1,20 @@
 <?php
+/**
+ * @var Concrete\Core\Attribute\View $view
+ * @var Concrete\Core\Form\Service\Form $form
+ * @var string $akTextareaDisplayMode
+ * @var string|null $value
+ */
+
+$value = $value ?? '';
 
 // switch display type here
 if ($akTextareaDisplayMode == 'text' || $akTextareaDisplayMode == '') { ?>
 
     <?php
     echo $form->textarea(
         $view->controller->field('value'),
-        h($value),
+        htmlspecialchars($value, ENT_QUOTES, APP_CHARSET),
         array('rows' => 5)
     );
     ?>
@@ -27,11 +35,11 @@
     /*
     echo Core::make('editor')->outputSimpleEditor(
         $view->controller->field('value'),
-        h($value)
+        htmlspecialchars($value, ENT_QUOTES, APP_CHARSET)
     );*/
     echo Core::make('editor')->outputStandardEditor(
         $view->controller->field('value'),
-        h($value)
+        htmlspecialchars($value, ENT_QUOTES, APP_CHARSET)
     );
 
 }
diff --git a/blocks/faq/form_setup_html.php b/blocks/faq/form_setup_html.php
@@ -79,7 +79,7 @@
                 </div>
                 <div class="form-group">
                     <label class="control-label form-label"><?php echo t('Description'); ?></label>
-                    <textarea class='editor-content' name="description[]"><?php echo $row['description']; ?></textarea>
+                    <textarea class='editor-content' name="description[]"><?php echo htmlspecialchars((string) $row['description'], ENT_QUOTES, APP_CHARSET); ?></textarea>
                 </div>
                 <button type="button" class="btn btn-sm btn-secondary ccm-edit-entry" data-entry-close-text="<?php echo t('Collapse Entry'); ?>" data-entry-edit-text="<?php echo t('Edit Entry'); ?>"><?php echo t('Edit Entry'); ?></button>
                 <button type="button" class="btn btn-sm btn-danger ccm-delete-faq-entry"><?php echo t('Remove'); ?></button>
diff --git a/blocks/feature/form.php b/blocks/feature/form.php
@@ -60,7 +60,7 @@
         <?php echo $form->label('paragraph', t('Paragraph:'));?>
         <?php
             $editor = Core::make('editor');
-            echo $editor->outputBlockEditModeEditor('paragraph', $controller->getParagraphEditMode());
+            echo $editor->outputBlockEditModeEditor('paragraph', htmlspecialchars($controller->getParagraphEditMode(), ENT_QUOTES, APP_CHARSET));
         ?>
     </div>
 
diff --git a/blocks/feature_link/edit.php b/blocks/feature_link/edit.php
@@ -52,7 +52,7 @@
     <div class="mb-3">
         <label class="form-label" for="body"><?=t('Body')?></label>
         <?php
-        echo $editor->outputBlockEditModeEditor('body', isset($body) ? LinkAbstractor::translateFromEditMode($body) : null);
+        echo $editor->outputBlockEditModeEditor('body', isset($body) ? htmlspecialchars(LinkAbstractor::translateFromEditMode($body), ENT_QUOTES, APP_CHARSET) : null);
         ?>
     </div>
 </fieldset>
diff --git a/blocks/hero_image/edit.php b/blocks/hero_image/edit.php
@@ -41,7 +41,7 @@
     <div class="mb-3">
         <label class="form-label" for="body"><?=t('Body')?></label>
         <?php
-        echo $editor->outputBlockEditModeEditor('body', isset($body) ? LinkAbstractor::translateFromEditMode($body) : null);
+        echo $editor->outputBlockEditModeEditor('body', isset($body) ? htmlspecialchars(LinkAbstractor::translateFromEditMode($body), ENT_QUOTES, APP_CHARSET) : null);
         ?>
     </div>
 </fieldset>
diff --git a/blocks/image_slider/form_setup_html.php b/blocks/image_slider/form_setup_html.php
@@ -240,7 +240,7 @@ class="btn btn-success ccm-add-image-slider-entry ccm-add-image-slider-entry-<?p
             link_url: '<?php echo $row['linkURL']; ?>',
             link_type: '<?php echo $linkType; ?>',
             title: '<?php echo addslashes(h($row['title'])); ?>',
-            description: '<?php echo str_replace(["\t", "\r", "\n"], "", addslashes(h($row['description']))); ?>',
+            description: <?= json_encode((string) $row['description']) ?>,
             sort_order: '<?php echo $row['sortOrder']; ?>'
         }));
         sliderEntriesContainer.find('.ccm-image-slider-entry-<?php echo $bID; ?>:last-child div[data-field=entry-link-page-selector]').concretePageSelector({
@@ -460,7 +460,7 @@ class="btn btn-success ccm-add-image-slider-entry ccm-add-image-slider-entry-<?p
             <!--suppress HtmlFormInputWithoutLabel -->
             <textarea id="ccm-slide-editor-<%= _.uniqueId() %>" style="display: none"
                       class="editor-content editor-content-<?php echo $bID; ?>"
-                      name="<?php echo $view->field('description'); ?>[]"><%=description%></textarea>
+                      name="<?php echo $view->field('description'); ?>[]"><%- description %></textarea>
         </div>
         <div class="form-group">
             <label class="control-label form-label"><?php echo t('Link'); ?></label>
