diff --git a/src/Navigation/Notifications/Entity/Notify.php b/src/Navigation/Notifications/Entity/Notify.php
index b7a007a2f..45f450b1d 100644
--- a/src/Navigation/Notifications/Entity/Notify.php
+++ b/src/Navigation/Notifications/Entity/Notify.php
@@ -134,6 +134,6 @@ class Notify extends BaseEntity
*/
public static function formatMessage(string $name, string $message): string
{
- return str_replace('{0}', '' . strip_tags(BBCode::convert($name)) . '', $message);
+ return str_replace('{0}', '' . strip_tags(BBCode::convert($name)) . '', htmlspecialchars($message));
}
}
diff --git a/tests/src/Navigation/Notifications/Entity/NotifyTest.php b/tests/src/Navigation/Notifications/Entity/NotifyTest.php
new file mode 100644
index 000000000..fac8e4829
--- /dev/null
+++ b/tests/src/Navigation/Notifications/Entity/NotifyTest.php
@@ -0,0 +1,47 @@
+.
+ *
+ */
+
+namespace Friendica\Test\src\Navigation\Notifications\Entity;
+
+use Friendica\Navigation\Notifications\Entity\Notify;
+use Friendica\Test\FixtureTest;
+
+class NotifyTest extends FixtureTest
+{
+ public function dataFormatNotify(): array
+ {
+ return [
+ 'xss-notify' => [
+ 'name' => 'Whiskers',
+ 'message' => '{0} commented in the thread "If my username causes a pop up in a piece of software, that softwar…" from ',
+ 'assertion' => 'Whiskers commented in the thread "If my username causes a pop up in a piece of software, that softwar…" from <script>alert("Tek");</script>',
+ ],
+ ];
+ }
+
+ /**
+ * @dataProvider dataFormatNotify
+ */
+ public function testFormatNotify(string $name, string $message, string $assertion)
+ {
+ self::assertEquals($assertion, Notify::formatMessage($name, $message));
+ }
+}