Prevent XSS in image alt/title

elesh90 · Aug 15, 2019 · 2634a56 · 2634a56
1 parent 1ef6237
commit 2634a56
Showing 1 changed file with 11 additions and 4 deletions.
diff --git a/src/Helpers/Image/Thumbnail.php b/src/Helpers/Image/Thumbnail.php
@@ -2,6 +2,8 @@
 
 namespace Bolt\Helpers\Image;
 
+use Bolt\Helpers\Str;
+
 /**
  * Thumbnail helper class.
  *
@@ -73,10 +75,10 @@ public function setFileName($fileName)
     public function getTitle()
     {
         if ($this->title) {
-            return $this->title;
+            return $this->sanitize($this->title);
         }
 
-        return $this->altTitle;
+        return $this->sanitize($this->altTitle);
     }
 
     /**
@@ -101,10 +103,10 @@ public function setTitle($title)
     public function getAltTitle()
     {
         if ($this->altTitle) {
-            return $this->altTitle;
+            return $this->sanitize($this->altTitle);
         }
 
-        return $this->title;
+        return $this->sanitize($this->title);
     }
 
     /**
@@ -222,4 +224,9 @@ public function setScale($scale)
 
         return $this;
     }
+
+    private function sanitize($str)
+    {
+        return Str::makeSafe($str, false, '()[]!@$%&*~`^-_=+{},.~<>:; /?');
+    }
 }