Security: Social: Remove XSS when displaying group messages

2 years ago · 3b98682199
parent 7a0e10cccc
commit 3b98682199
1 changed files with 3 additions and 1 deletions
--- a/main/inc/lib/message.lib.php
+++ b/main/inc/lib/message.lib.php
@ -1941,7 +1941,9 @@ class MessageManager
        $main_content .= '<div class="message-content"> ';
        $main_content .= '<div class="username">'.$user_link.'</div>';
        $main_content .= $date;
-        $main_content .= '<div class="message">'.$main_message['content'].$attachment.'</div></div>';
+        $main_content .= '<div class="message">'
+            .Security::remove_XSS($main_message['content'], STUDENT, true)
+            .$attachment.'</div></div>';
        $main_content .= '</div>';
        $main_content .= '</div>';