From 9e3af772ac36e714fcb9d590b0f1eda7017d33af Mon Sep 17 00:00:00 2001
From: Jan-Hendrik Willms <tleilax+studip@gmail.com>
Date: Tue, 21 Mar 2023 13:04:49 +0000
Subject: [PATCH] purify input of accessibility info text, fixes #2408

Closes #2408

Merge request studip/studip!1605
---
 app/controllers/admin/accessibility_info_text.php | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/app/controllers/admin/accessibility_info_text.php b/app/controllers/admin/accessibility_info_text.php
index 9a1828bcc73..7d3290b1fb3 100644
--- a/app/controllers/admin/accessibility_info_text.php
+++ b/app/controllers/admin/accessibility_info_text.php
@@ -26,7 +26,12 @@ class Admin_AccessibilityInfoTextController extends AuthenticatedController
     public function edit_action()
     {
         CSRFProtection::verifyUnsafeRequest();
-        Config::get()->store('ACCESSIBILITY_INFO_TEXT', Request::i18n('accessbility_info_text'));
+
+        Config::get()->store(
+            'ACCESSIBILITY_INFO_TEXT',
+            Studip\Markup::purifyHtml(Request::i18n('accessbility_info_text'))
+        );
+
         PageLayout::postSuccess(_('Die Einstellungen wurden gespeichert.'));
         $this->relocate('admin/accessibility_info_text/index');
     }
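Review bot: Purifying only at store time leaves two gaps that the new call on the `Studip\Markup::purifyHtml(...)` line does not cover: values already persisted under `ACCESSIBILITY_INFO_TEXT` before this change are never re-purified, and a later writer that bypasses `edit_action` would store raw markup again. It is safer to also run the purifier where the text is rendered, so the stored value is treated as untrusted regardless of its origin. Further, `Request::i18n()` presumably returns a multi-language value object rather than a plain string; if `purifyHtml()` takes a string, the object may be cast to its default-language text and the other translations silently dropped, so it is worth confirming that `purifyHtml()` accepts that type (or purifying each language variant). A short comment on the call, `// purify so stored admin-supplied HTML cannot carry scripts into every page footer`, would make the intent clear to the next maintainer.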
-- 
GitLab