From f9cb6d3520dd0b216a11829602092eaa6eeb6779 Mon Sep 17 00:00:00 2001
From: Alexandre Alapetite <alexandre@alapetite.fr>
Date: Fri, 10 Jan 2025 08:54:06 +0100
Subject: HTML escape system info regression from
 https://github.com/FreshRSS/FreshRSS/pull/7161 Some of the echo'ed
 information could have some special characters such as `<&>`, in particular
 `HTTP_USER_AGENT`

---
 app/views/index/about.phtml | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/app/views/index/about.phtml b/app/views/index/about.phtml
index 3c2ccb054..70f9b6641 100644
--- a/app/views/index/about.phtml
+++ b/app/views/index/about.phtml
@@ -23,20 +23,20 @@
 			<summary><?= _t('index.about.bug_reports.environment_information') ?></summary>
 			<dl>
 				<dt><?= _t('index.about.bug_reports.environment_information.version_frss') ?></dt>
-				<dd><?= FRESHRSS_VERSION ?></dd>
+				<dd><?= htmlspecialchars(FRESHRSS_VERSION, ENT_NOQUOTES, 'UTF-8') ?></dd>
 				<dt><?= _t('index.about.bug_reports.environment_information.version_php') ?></dt>
-				<dd><?= PHP_VERSION ?></dd>
+				<dd><?= htmlspecialchars(PHP_VERSION, ENT_NOQUOTES, 'UTF-8') ?></dd>
 				<dt><?= _t('index.about.bug_reports.environment_information.database') ?></dt>
-				<dd><?= FreshRSS_Context::systemConf()->db['type'] ?></dd>
+				<dd><?= htmlspecialchars(FreshRSS_Context::systemConf()->db['type'], ENT_NOQUOTES, 'UTF-8') ?></dd>
 				<?php $databaseDAO = FreshRSS_Factory::createDatabaseDAO(); ?>
-				<dd><?= $databaseDAO->version() ?></dd>
+				<dd><?= htmlspecialchars($databaseDAO->version(), ENT_NOQUOTES, 'UTF-8') ?></dd>
 				<dt><?= _t('index.about.bug_reports.environment_information.server_software') ?></dt>
 				<dd>
 					<?= is_string($_SERVER['SERVER_SOFTWARE'] ?? null) ? $_SERVER['SERVER_SOFTWARE'] : '' ?><br />
-					<?= php_uname('s') . ' ' . php_uname('r') . ' ' . php_uname('v') . ' ' . php_uname('m') ?>
+					<?= htmlspecialchars(php_uname('s') . ' ' . php_uname('r') . ' ' . php_uname('v') . ' ' . php_uname('m'), ENT_NOQUOTES, 'UTF-8') ?>
 				</dd>
 				<dt><?= _t('index.about.bug_reports.environment_information.browser') ?></dt>
-				<dd><?= is_string($_SERVER['HTTP_USER_AGENT'] ?? null) ? $_SERVER['HTTP_USER_AGENT'] : '' ?></dd>
+				<dd><?= is_string($_SERVER['HTTP_USER_AGENT'] ?? null) ? htmlspecialchars($_SERVER['HTTP_USER_AGENT'], ENT_NOQUOTES, 'UTF-8') : '' ?></dd>
 			</dl>
 		</details>
 	<?php } ?>
-- 
cgit v1.2.3