From e7deb377fa89677d44973b486d26d6a7374233ae Mon Sep 17 00:00:00 2001
From: Fabian Kropfhamer <54098356+fkropfhamer@users.noreply.github.com>
Date: Tue, 10 Sep 2024 10:15:00 +0200
Subject: [PATCH] CVE-2024-45592 fix

(cherry picked from commit 42ba2940d8b99467de0c806ea5655cc1c6882cd1)
---
 src/Resources/views/Audit/helpers/helper.html.twig | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/src/Resources/views/Audit/helpers/helper.html.twig b/src/Resources/views/Audit/helpers/helper.html.twig
index 57a972f5..ab35c61f 100644
--- a/src/Resources/views/Audit/helpers/helper.html.twig
+++ b/src/Resources/views/Audit/helpers/helper.html.twig
@@ -65,12 +65,12 @@
 {{ ('audit.audit_details.summary.' ~ action)|trans({
 '%source_link%': path('dh_auditor_show_entity_history', { 'entity': helper.namespaceToParam(entity), 'id': entry.getObjectId() }),
- '%source%': source_subject,
- '%source_label%': source_label,
- '%target_link%': target_link,
- '%target%': target_subject,
- '%target_label%': target_label,
- '%user%': entry.getUsername() is null ? 'audit.audit_details.summary.unkown_user'|trans(domain='auditor') : entry.getUsername(),
+ '%source%': source_subject|escape,
+ '%source_label%': source_label|escape,
+ '%target_link%': target_link|escape,
+ '%target%': target_subject|escape,
+ '%target_label%': target_label|escape,
+ '%user%': entry.getUsername() is null ? 'audit.audit_details.summary.unkown_user'|trans(domain='auditor') : entry.getUsername()|escape,
 '%ip%': entry.getIp() is not empty ? ', IP: ' ~ entry.getIp() : '',
 }, domain='auditor')|raw }}
 {% endmacro %}
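Review bot: The `'%ip%'` placeholder still concatenates `entry.getIp()` unescaped into a string that is emitted through `|raw`, so it is the one stored audit value in this map that the fix leaves out. Whether that column can ever hold markup depends on how the audit row is populated, which is not visible here, but escaping it costs nothing and keeps the map consistent: `'%ip%': entry.getIp() is not empty ? ', IP: ' ~ entry.getIp()|escape : '',`. A short Twig comment above the `trans({ … })|raw` call, such as `{# output is |raw because the translation contains markup; every dynamic parameter must be escaped here #}`, would keep a later placeholder from reintroducing the issue. Note also that `target_link|escape` only HTML-escapes the value; if it can come from anything other than `path()`, its scheme still needs checking where it is built, which is outside this hunk (the macro starts above line 65).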