diff --git a/ChangeLog b/ChangeLog
index 183913b9a..ff19067c5 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -38,6 +38,7 @@ Bug fixes:
 * Upload files button stay disabled when there are other submit buttons on the same page
 * Hiding subtasks from hidden tasks in dashboard
+* Avoid potential XSS in project overview when listing users (was avoided by default CSP rules)

 Version 1.0.39 (Feb 12, 2017)
 -----------------------------

diff --git a/app/Helper/TextHelper.php b/app/Helper/TextHelper.php
index 66583cd18..89c1a8f39 100644
--- a/app/Helper/TextHelper.php
+++ b/app/Helper/TextHelper.php
@@ -24,6 +24,19 @@ class TextHelper extends Base
 return htmlspecialchars($value, ENT_QUOTES, 'UTF-8', false);
 }

+ /**
+ * Join with HTML escaping
+ *
+ * @param $glue
+ * @param array $list
+ * @return string
+ */
+ public function implode($glue, array $list)
+ {
+ array_walk($list, function (&$value) { $value = htmlspecialchars($value, ENT_QUOTES, 'UTF-8', false); });
+ return implode($glue, $list);
+ }
+
 /**
 * Markdown transformation
 *
diff --git a/app/Template/project_overview/information.php b/app/Template/project_overview/information.php
index 0fe53e081..e8c20903f 100644
--- a/app/Template/project_overview/information.php
+++ b/app/Template/project_overview/information.php
@@ -13,8 +13,8 @@ $role_name): ?>
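Review bot: The new `implode()` duplicates the escaping call of `e()` two lines above instead of delegating to it, so the two escaping paths can drift apart (a future change to `e()`'s flags or a null guard would not reach this method); `return implode($glue, array_map(array($this, 'e'), $list));` keeps a single escaping function and preserves the per-element output byte for byte, since both use the same `htmlspecialchars($value, ENT_QUOTES, 'UTF-8', false)` call. The separator is emitted unescaped, which is acceptable for a literal passed by a template but should be stated, and the docblock currently gives `$glue` no type: `@param string $glue Separator, emitted as-is (trusted literal, never user data)`. The template call site in information.php is in the following hunk, which is cut off in this view, so whether the glue is a literal there cannot be confirmed from here.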