Security: Ticket: Remove possible XSS in attachment file name

chamilo · Feb 12, 2024 · 53275c1 · 53275c1
1 parent a63e03e
commit 53275c1
Showing 1 changed file with 1 addition and 0 deletions.
diff --git a/main/inc/lib/TicketManager.php b/main/inc/lib/TicketManager.php
@@ -1277,6 +1277,7 @@ public static function get_ticket_detail_by_id($ticketId)
 
                 $result_attach = Database::query($sql);
                 while ($row2 = Database::fetch_assoc($result_attach)) {
+                    $row2['filename'] = Security::remove_XSS($row2['filename']);
                     $archiveURL = $webPath.'ticket/download.php?ticket_id='.$ticketId.'&id='.$row2['id'];
                     $row2['attachment_link'] = $attach_icon.
                         '&nbsp;<a href="'.$archiveURL.'">'.$row2['filename'].'</a>&nbsp;('.$row2['size'].')';