Always escape initials in LetterAvatarProvider

2017-02-23 18:58:17 -05:00 · 2017-02-23 18:58:17 -05:00 · daaf32beb5
parent dd579937e3
commit daaf32beb5
2 changed files with 5 additions and 1 deletions
--- a/4
+++ b/4
@ -38,6 +38,10 @@ Bug fixes:

 * Upload files button stay disabled when there are other submit buttons on the same page
 * Hiding subtasks from hidden tasks in dashboard
+
+Security:
+
+* Fix XSS in LetterAvatarProvider (render broken image)
 * Avoid potential XSS in project overview when listing users (was avoided by default CSP rules)

 Version 1.0.39 (Feb 12, 2017)
--- a/app/User/Avatar/LetterAvatarProvider.php
+++ b/app/User/Avatar/LetterAvatarProvider.php
@ -39,7 +39,7 @@ class LetterAvatarProvider extends Base implements AvatarProviderInterface
            $rgb[1],
            $rgb[2],
            $this->helper->text->e($user['name'] ?: $user['username']),
-            $initials
+            $this->helper->text->e($initials)
        );
    }