From f4f5c8fa8854bc6e84a0f91eb59494a0c52b067b Mon Sep 17 00:00:00 2001
From: Kevin Papst <kevinpapst@users.noreply.github.com>
Date: Sun, 13 Dec 2020 03:15:46 +0100
Subject: [PATCH] escape configurable fields (#2191)

---
 templates/base.html.twig | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/templates/base.html.twig b/templates/base.html.twig
index 945056fa3..e491ff95e 100644
--- a/templates/base.html.twig
+++ b/templates/base.html.twig
@@ -1,7 +1,7 @@
 {% extends '@AdminLTE/layout/default-layout.html.twig' %}
 
 {% block body_start %}
-    data-title="{{- get_title() -}}"
+    data-title="{{- get_title()|e('html_attr') -}}"
 {% endblock %}
 
 {% block after_body_start %}
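Review bot: The new line 19 applies `e('html_attr')` inside a template that, in a Symfony project, is normally rendered with the html autoescape strategy; as far as I recall Twig's safe analysis only treats a value as safe for the exact strategy the escape filter used, so the html_attr output may be html-escaped a second time and its `&#x..;` entities become `&amp;#x..;` in the attribute. Worth confirming on a rendered page with a title containing a quote or ampersand; if double-escaping does occur, the plain `{{- get_title() -}}` already received html escaping from autoescape, so either drop the explicit filter or wrap the attribute in `{% autoescape 'html_attr' %}`. If it does not, a one-line comment above the block such as `{# explicit attribute escaping: get_title() is user-configurable #}` would record why the filter is there.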
@@ -72,7 +72,7 @@
 
 {% block logo_mini %}
     {% if not kimai_context.branding.mini is empty %}
-        {{ kimai_context.branding.mini|raw }}
+        {{ kimai_context.branding.mini|striptags('<b><i><u><strong><em>')|raw }}
     {% else %}
         <b>K</b>TT
     {% endif %}
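Review bot: The striptags allow-list on line 28 does not make the `|raw` output safe, because Twig's striptags wraps PHP's strip_tags, which keeps attributes (including event-handler and style attributes) on the tags it allows; markup carried inside the permitted `<b>`, `<i>`, `<u>`, `<strong>` or `<em>` tags therefore still reaches the page unescaped. The same applies to line 37 in the logo_large hunk. Given the commit title these values are presumably admin-configured, so the exposure is a privileged user injecting script into every page, but a stored issue nonetheless. Either render the value as text and let autoescape handle it, `{{ kimai_context.branding.mini }}`, or pass it through an attribute-stripping HTML sanitizer (e.g. HTMLPurifier with an element allow-list) before `|raw`; whichever is chosen, a comment like `{# branding values are admin-configured HTML: sanitized, not just tag-filtered #}` above the block would document the expectation.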
@@ -80,7 +80,7 @@
 
 {% block logo_large %}
     {% if not kimai_context.branding.company is empty %}
-        {{ kimai_context.branding.company|raw }}
+        {{ kimai_context.branding.company|striptags('<b><i><u><strong><em>')|raw }}
     {% else %}
         <b>Kimai</b> - Time Tracking
     {% endif %}