Internal: Sanitize option text and use Display::tag for generating option elements

AngelFQC · AngelFQC · commit ba58b26ddad8 · 2025-09-08T12:57:08.000-05:00
See advisory GHSA-pxrh-3rcp-h7m6
diff --git a/main/inc/lib/pear/HTML/QuickForm/select.php b/main/inc/lib/pear/HTML/QuickForm/select.php
@@ -419,8 +419,11 @@ public function toHtml()
                 if (!empty($strValues) && in_array($option['attr']['value'], $strValues, true)) {
                     $option['attr']['selected'] = 'selected';
                 }
-                $strHtml .= $tabs . "<option" . $this->_getAttrString($option['attr']) . '>' .
-                    $option['text'] . "</option>";
+                $strHtml .= $tabs.Display::tag(
+                    'option',
+                    Security::remove_XSS($option['text']),
+                    $option['attr']
+                );
             }
             foreach ($this->_optgroups as $optgroup) {
                 $strHtml .= $tabs . '<optgroup label="' . $optgroup['label'] . '">';
@@ -432,7 +435,11 @@ public function toHtml()
                         $option['selected'] = 'selected';
                     }
 
-                    $strHtml .= $tabs . " <option" . $this->_getAttrString($option) . '>' .$text . "</option>";
+                    $strHtml .= $tabs.Display::tag(
+                        'option',
+                        Security::remove_XSS($text),
+                        $option
+                    );
                 }
                 $strHtml .= "</optgroup>";
             }

Original file line number	Diff line number	Diff line change
`@@ -419,8 +419,11 @@ public function toHtml()`
`419`	`419`	`if (!empty($strValues) && in_array($option['attr']['value'], $strValues, true)) {`
`420`	`420`	`$option['attr']['selected'] = 'selected';`
`421`	`421`	`}`
`422`		`- $strHtml .= $tabs . "<option" . $this->_getAttrString($option['attr']) . '>' .`
`423`		`- $option['text'] . "</option>";`
	`422`	`+ $strHtml .= $tabs.Display::tag(`
	`423`	`+ 'option',`
	`424`	`+ Security::remove_XSS($option['text']),`
	`425`	`+ $option['attr']`
	`426`	`+ );`
`424`	`427`	`}`
`425`	`428`	`foreach ($this->_optgroups as $optgroup) {`
`426`	`429`	`$strHtml .= $tabs . '<optgroup label="' . $optgroup['label'] . '">';`
`@@ -432,7 +435,11 @@ public function toHtml()`
`432`	`435`	`$option['selected'] = 'selected';`
`433`	`436`	`}`
`434`	`437`
`435`		`- $strHtml .= $tabs . " <option" . $this->_getAttrString($option) . '>' .$text . "</option>";`
	`438`	`+ $strHtml .= $tabs.Display::tag(`
	`439`	`+ 'option',`
	`440`	`+ Security::remove_XSS($text),`
	`441`	`+ $option`
	`442`	`+ );`
`436`	`443`	`}`
`437`	`444`	`$strHtml .= "</optgroup>";`
`438`	`445`	`}`