From f984e385c89f53a4eeaf06642da856b5ed304688 Mon Sep 17 00:00:00 2001
From: Hypolite Petovan <hypolite@mrpetovan.com>
Date: Wed, 2 Aug 2023 16:59:08 +0200
Subject: [PATCH] Escape HTML in system messages
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- Thanks to Laura Pîrcălăboiu for the report
---
 src/Module/Notifications/Ping.php | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/src/Module/Notifications/Ping.php b/src/Module/Notifications/Ping.php
index 120035d557..e54bd577b2 100644
--- a/src/Module/Notifications/Ping.php
+++ b/src/Module/Notifications/Ping.php
@@ -52,6 +52,7 @@ use Friendica\Network\HTTPException;
 use Friendica\Protocol\Activity;
 use Friendica\Util\DateTimeFormat;
 use Friendica\Util\Profiler;
+use Friendica\Util\Strings;
 use GuzzleHttp\Psr7\Uri;
 use Psr\Log\LoggerInterface;
 
@@ -296,8 +297,8 @@ class Ping extends BaseModule
 		$data['notifications'] = $navNotifications;
 
 		$data['sysmsgs'] = [
-			'notice' => $this->systemMessages->flushNotices(),
-			'info'   => $this->systemMessages->flushInfos(),
+			'notice' => array_map([Strings::class, 'escapeHtml'], $this->systemMessages->flushNotices()),
+			'info'   => array_map([Strings::class, 'escapeHtml'], $this->systemMessages->flushInfos()),
 		];
 
 		if (isset($_GET['callback'])) {