Merge pull request #12271 from alanturing881/fix/stored-xss-ale-piggy-name

Fix stored XSS in audit log view via piggy bank name (ale.twig)
This commit is contained in:
James Cole
2026-05-20 20:16:16 +02:00
committed by GitHub
2 changed files with 8 additions and 2 deletions


@@ -18,6 +18,12 @@ jobs:
steps:
- run: |
BODY=$(gh pr view $NUMBER --json body)
AUTHOR=$(gh pr view $NUMBER --json author)
if [[ $BODY == *"app/dependabot"* ]]; then
echo "Is dependabot, stop"
exit 0
fi
# I used AI assistance for:
# - [ ] Code generation (e.g., when writing an implementation or fixing a bug)


@@ -104,10 +104,10 @@
<code>{{ logEntry.after }}</code>
{% endif %}
{% if 'add_to_piggy' == logEntry.action %}
{{ trans('firefly.ale_action_log_add', {amount: formatAmountBySymbol(logEntry.after.amount, logEntry.after.currency_symbol, logEntry.after.decimal_places, true), name: logEntry.after.piggy})|raw }}
{{ trans('firefly.ale_action_log_add', {amount: formatAmountBySymbol(logEntry.after.amount, logEntry.after.currency_symbol, logEntry.after.decimal_places, true), name: logEntry.after.piggy|e})|raw }}
{% endif %}
{% if 'remove_from_piggy' == logEntry.action %}
{{ trans('firefly.ale_action_log_remove', {amount: formatAmountBySymbol(logEntry.after.amount, logEntry.after.currency_symbol, logEntry.after.decimal_places, true), name: logEntry.after.piggy})|raw }}
{{ trans('firefly.ale_action_log_remove', {amount: formatAmountBySymbol(logEntry.after.amount, logEntry.after.currency_symbol, logEntry.after.decimal_places, true), name: logEntry.after.piggy|e})|raw }}
{% endif %}
</td>
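Review bot: The two rewritten lines (the `|e` versions of the add_to_piggy and remove_from_piggy lines) still pass `logEntry.after.currency_symbol` through `formatAmountBySymbol` and then `|raw`, so the fix closes the piggy-name vector but leaves the symbol unescaped at the template level; if that helper does not HTML-escape its symbol argument and currency symbols are user-editable (as custom currencies appear to be elsewhere in this application — to be confirmed), the same stored XSS remains reachable through the symbol. Escaping that argument as well, `formatAmountBySymbol(logEntry.after.amount, logEntry.after.currency_symbol|e, logEntry.after.decimal_places, true)`, would make both lines safe regardless of what the helper does, at the cost of double-encoding if the helper already escapes, which is worth checking first. Since `|raw` disables autoescaping for the whole interpolated translation, every placeholder fed into `trans()` on these lines has to be escaped explicitly; a short Twig comment above them such as `{# |raw is needed for the HTML in the translation string; every user-controlled placeholder must be |e-escaped first #}` would keep the next maintainer from re-introducing the bug when a placeholder is added. The enclosing `{% if %}`/table cell that these lines sit in starts before the hunk, so the remaining placeholders in this cell could not be checked here.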