diff --git a/src/Navigation/Notifications/Entity/Notify.php b/src/Navigation/Notifications/Entity/Notify.php index b7a007a2f..45f450b1d 100644 --- a/src/Navigation/Notifications/Entity/Notify.php +++ b/src/Navigation/Notifications/Entity/Notify.php @@ -134,6 +134,6 @@ class Notify extends BaseEntity */ public static function formatMessage(string $name, string $message): string { - return str_replace('{0}', '' . strip_tags(BBCode::convert($name)) . '', $message); + return str_replace('{0}', '' . strip_tags(BBCode::convert($name)) . '', htmlspecialchars($message)); } } diff --git a/tests/src/Navigation/Notifications/Entity/NotifyTest.php b/tests/src/Navigation/Notifications/Entity/NotifyTest.php new file mode 100644 index 000000000..fac8e4829 --- /dev/null +++ b/tests/src/Navigation/Notifications/Entity/NotifyTest.php @@ -0,0 +1,47 @@ +. + * + */ + +namespace Friendica\Test\src\Navigation\Notifications\Entity; + +use Friendica\Navigation\Notifications\Entity\Notify; +use Friendica\Test\FixtureTest; + +class NotifyTest extends FixtureTest +{ + public function dataFormatNotify(): array + { + return [ + 'xss-notify' => [ + 'name' => 'Whiskers', + 'message' => '{0} commented in the thread "If my username causes a pop up in a piece of software, that softwar…" from ', + 'assertion' => 'Whiskers commented in the thread "If my username causes a pop up in a piece of software, that softwar…" from <script>alert("Tek");</script>', + ], + ]; + } + + /** + * @dataProvider dataFormatNotify + */ + public function testFormatNotify(string $name, string $message, string $assertion) + { + self::assertEquals($assertion, Notify::formatMessage($name, $message)); + } +}