CoverPage: Escape color value

nilmerg · nilmerg · commit 39f4661b3b8c · 2025-03-26T10:01:54.000+01:00
Apparently, text/html and text/css are equal.
Not sure who to blame, me, the browser or standards…
diff --git a/library/Reporting/Web/Widget/CoverPage.php b/library/Reporting/Web/Widget/CoverPage.php
@@ -157,7 +157,7 @@ protected function assemble()
         if ($this->hasColor()) {
             $coverPageLogo = (new StyleWithNonce())
                 ->setModule('reporting')
-                ->addFor($content, ['color' => $this->getColor()]);
+                ->addFor($content, ['color' => Html::escape($this->getColor())]);
 
             $content->addHtml($coverPageLogo);
         }

Original file line number	Diff line number	Diff line change
`@@ -157,7 +157,7 @@ protected function assemble()`
`157`	`157`	`if ($this->hasColor()) {`
`158`	`158`	`$coverPageLogo = (new StyleWithNonce())`
`159`	`159`	`->setModule('reporting')`
`160`		`- ->addFor($content, ['color' => $this->getColor()]);`
	`160`	`+ ->addFor($content, ['color' => Html::escape($this->getColor())]);`
`161`	`161`
`162`	`162`	`$content->addHtml($coverPageLogo);`
`163`	`163`	`}`