From 9709592b7cde613ca6316ed824e3981c07b55b89 Mon Sep 17 00:00:00 2001
From: Thomas Hochstein
Date: Fri, 20 Mar 2020 19:05:31 +0100
Subject: [PATCH] Escape version string in update notifier.

Fixes #674. Backported from master branch.

Signed-off-by: Thomas Hochstein
---
 docs/NEWS | 2 ++
 templates/2k11/admin/overview.inc.tpl | 2 +-
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/docs/NEWS b/docs/NEWS
index 435d458d..0c8fd815 100644
--- a/docs/NEWS
+++ b/docs/NEWS
@@ -21,6 +21,8 @@ Version 2.3.3-beta1 ()
 * Fix: Add valid HTTP referrer when trying to delete a
+ * Fix: Escape version string in update notifier to avoid XSS. + * Fix: Prevent renaming a ML object into an existing file, resulting in deletion of both from disk and database.
diff --git a/templates/2k11/admin/overview.inc.tpl b/templates/2k11/admin/overview.inc.tpl
index 292a274e..a818b8d3 100644
--- a/templates/2k11/admin/overview.inc.tpl
+++ b/templates/2k11/admin/overview.inc.tpl
@@ -30,7 +30,7 @@

{$CONST.UPDATE_NOTIFICATION}

- {$CONST.NEW_VERSION_AVAILABLE} {$curVersion}
+ {$CONST.NEW_VERSION_AVAILABLE} {$curVersion|escape}
 {$updateButton}
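Review bot: The `|escape` added on the `{$curVersion}` line protects only this one output site, while the value itself is untrusted input (it is the version reported by the update notifier, presumably obtained from a remote check), so any other template or admin page that renders `$curVersion` — if one exists outside this 2k11 template — stays unescaped. It would be more robust to also constrain the string where it is parsed, accepting only a version-like character set before it is assigned to the template, so that every consumer is covered regardless of which template renders it. The default mode of the `escape` modifier is HTML entity encoding, which is right for this HTML-body context but not for an attribute or JavaScript context, so a template comment such as `{* curVersion comes from the remote update check; always output it with |escape *}` would tell the next maintainer why the modifier must stay. The enclosing markup of this hunk appears to have been stripped, so the element that contains this line is not visible here.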