From 2ff447f46dbcc81d60fc4ca366f11ee3f43d5155 Mon Sep 17 00:00:00 2001
From: root <you@example.com>
Date: Thu, 9 May 2024 17:54:46 +0530
Subject: [PATCH] Fixes : Xss payload in Users last name and first name issue
 is fixed

---
 include/utils/VtlibUtils.php | 7 +++++++
 modules/Users/Users.php      | 2 +-
 2 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/include/utils/VtlibUtils.php b/include/utils/VtlibUtils.php
index 0922f46f9..109e01ca0 100644
--- a/include/utils/VtlibUtils.php
+++ b/include/utils/VtlibUtils.php
@@ -530,6 +530,13 @@ function vtlib_tosingular($text) {
 	return $text;
 }
 
+/**
+ * Helps to remove HTML tags and attributes.
+ */
+function vtlib_strip_tagattrs($str) {
+    return preg_replace('/=/', '-', strip_tags($str));
+}
+
 /**
  * Get picklist values that is accessible by all roles.
  */
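Review bot: vtlib_strip_tagattrs (line 23) is a lossy denylist transform rather than output encoding: every `=` in the stored value becomes `-`, so legitimate text containing `=` is silently corrupted, while quote characters and other text left behind by strip_tags() pass through unchanged. The durable mitigation is to escape at render time in the view that prints the label, `htmlspecialchars($label, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')`, and treat this helper as defense in depth at most. Since the pattern is a literal character, `return str_replace('=', '-', strip_tags($str));` expresses the same thing without a regex and without preg_replace()'s null return on error. The docblock should state the data loss, e.g. `* Lossy: every '=' in the input is rewritten to '-'; callers must still escape on output.`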
diff --git a/modules/Users/Users.php b/modules/Users/Users.php
index b0ad5bd58..4c1559fab 100755
--- a/modules/Users/Users.php
+++ b/modules/Users/Users.php
@@ -779,7 +779,7 @@ class Users extends CRMEntity {
 			}
 			$userlabel = trim(decode_html($userlabel));
 			
-			$this->column_fields['userlabel'] = strip_tags($userlabel);
+			$this->column_fields['userlabel'] = vtlib_strip_tagattrs($userlabel);
 		}
 
 		if($insertion_mode == 'edit') {
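Review bot: From the visible lines only `column_fields['userlabel']` is sanitized, yet the commit title names first name and last name; if those column_fields are stored separately they presumably keep the raw value, so confirm they are covered (or, better, escaped on output) before closing the issue. The enclosing method starts and ends outside the hunk. The sequence at line 36 — decode_html() before the strip — means entity-encoded input is decoded and then stripped, which is the right order, but the stored result is still unescaped text and must go through htmlspecialchars() wherever it is rendered. vtlib_strip_tagattrs is defined in include/utils/VtlibUtils.php; confirm that file is loaded on every path that reaches this save code, since an undefined function here is a fatal error on user save.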
-- 
GitLab