VP-2180: Prevent XSS in paginator

VirtoCommerce · May 13, 2020 · 1df9a99 · 1df9a99
1 parent 3d021e3
commit 1df9a99
Showing 1 changed file with 5 additions and 5 deletions.
diff --git a/snippets/pagination-custom.liquid b/snippets/pagination-custom.liquid
@@ -1,26 +1,26 @@
 <ul class="pagination-custom">
     {% if paginator.previous %}
-        <li><a href="{{ paginator.previous.url }}" title="{{ paginator.previous.title }}">&larr;</a></li>
+        <li><a href="{{ paginator.previous.url | escape }}" title="{{ paginator.previous.title | escape }}">&larr;</a></li>
     {% else %}
         <li class="disabled"><span>&larr;</span></li>
     {% endif %}
 
     {% for part in paginator.parts %}
         {% if part.is_link %}
             <li>
-                <a href="{{ part.url }}" title="">{{ part.title }}</a>
+                <a href="{{ part.url  | escape }}" title="">{{ part.title | escape }}</a>
             </li>
         {% else %}
             {% if part.title == paginator.current_page %}
-                <li class="active"><span>{{ part.title }}</span></li>
+                <li class="active"><span>{{ part.title | escape }}</span></li>
             {% else %}
-                <li><span>{{ part.title }}</span></li>
+                <li><span>{{ part.title | escape }}</span></li>
             {% endif %}
         {% endif %}
     {% endfor %}
 
     {% if paginator.next %}
-        <li><a href="{{ paginator.next.url }}" title="{{ paginator.next.title }}">&rarr;</a></li>
+        <li><a href="{{ paginator.next.url | escape }}" title="{{ paginator.next.title | escape }}">&rarr;</a></li>
     {% else %}
         <li class="disabled"><span>&rarr;</span></li>
     {% endif %}