From e2bb414efe57cce6c591f9b94cd5460581d50c67 Mon Sep 17 00:00:00 2001
From: Sanchit Sharma <38894210+sanchits2003@users.noreply.github.com>
Date: Wed, 12 Jan 2022 23:09:15 +1100
Subject: [PATCH] Fix HTML injection exploit (#682)

Escape html special characters from the $fields array to prevent html injection in the generated pdfs.
---
 app/Traits/GeneratesPdfTrait.php | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/app/Traits/GeneratesPdfTrait.php b/app/Traits/GeneratesPdfTrait.php
index fb7763c4b..785a8fdc4 100644
--- a/app/Traits/GeneratesPdfTrait.php
+++ b/app/Traits/GeneratesPdfTrait.php
@@ -157,6 +157,10 @@ public function getFieldsArray()
         foreach ($customerCustomFields as $customField) {
             $fields['{'.$customField->customField->slug.'}'] = $customField->defaultAnswer;
         }
+
+        foreach ($fields as $key => $field) {
+            $fields[$key] = htmlspecialchars($field, ENT_QUOTES, 'UTF-8');
+        }
 
         return $fields;
     }
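Review bot: The added `htmlspecialchars` call passes `ENT_QUOTES` without `ENT_SUBSTITUTE`, so a value containing an invalid UTF-8 byte sequence is returned as an empty string instead of being escaped, which silently blanks that placeholder in the rendered PDF; use `$fields[$key] = htmlspecialchars($field, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');`. The new loop also assumes every entry is a string: `$customField->defaultAnswer` assigned two lines above may be null, and values collected earlier in `getFieldsArray` (its start lies outside the hunk) may be numeric, so a `(string)` cast or null guard would avoid deprecation notices or a TypeError under strict types — worth confirming against the fields built above. Because the escaping is applied inside the array builder, every consumer of `getFieldsArray()` now receives HTML-escaped values; if any caller substitutes these placeholders into a non-HTML context, or any field is intentionally HTML, that caller will now emit entities, in which case the escaping belongs at the template substitution site rather than here.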