From 31249d932d93c4baed1ffbfcad87bdad814aee04 Mon Sep 17 00:00:00 2001
From: Aleksander Machniak <alec@alec.pl>
Date: Sat, 30 May 2020 08:05:37 +0200
Subject: [PATCH] Security: Fix couple of XSS issues in Installer (#7406)

---
 CHANGELOG          | 1 +
 installer/test.php | 8 ++++----
 2 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/CHANGELOG b/CHANGELOG
index f65e6573d..1652640bd 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -34,6 +34,7 @@ CHANGELOG Roundcube Webmail
 - Fix error when user-configured skin does not exist anymore (#7271)
 - Elastic: Fix aspect ratio of a contact photo in mail preview (#7339)
 - Fix bug where PDF attachments marked as inline could have not been attached on mail forward (#7382)
+- Security: Fix couple of XSS issues in Installer (#7406)
 
 RELEASE 1.4.4
 -------------
diff --git a/installer/test.php b/installer/test.php
index c71f0350f..9e28afb03 100644
--- a/installer/test.php
+++ b/installer/test.php
@@ -139,7 +139,7 @@ if ($RCI->configured) {
         else {
             $RCI->fail('DSN (write)', $db_error_msg);
             echo '<p class="hint">Make sure that the configured database exists and that the user has write privileges<br />';
-            echo 'DSN: ' . $RCI->config['db_dsnw'] . '</p>';
+            echo 'DSN: ' . rcube::Q($RCI->config['db_dsnw']) . '</p>';
         }
     }
     else {
@@ -297,15 +297,15 @@ if ($pass == '%p') {
   </tr>
   <tr>
     <td><label for="smtp_port">Port</label></td>
-    <td><?php echo $RCI->getprop('smtp_port'); ?></td>
+    <td><?php echo rcube::Q($RCI->getprop('smtp_port')); ?></td>
   </tr>
   <tr>
     <td><label for="smtp_user">Username</label></td>
-    <td><?php echo $user; ?></td>
+    <td><?php echo rcube::Q($user); ?></td>
   </tr>
   <tr>
     <td><label for="smtp_pass">Password</label></td>
-    <td><?php echo $pass; ?></td>
+    <td><?php echo rcube::Q($pass); ?></td>
   </tr>
 </tbody>
 </table>