Enable HTML escaping of `->errorMessage` in packageUpdateServerList.tpl
author: Tim Düsterhus <duesterhus@woltlab.com>
Tue, 31 May 2022 12:57:44 +0000 (14:57 +0200)
committer: Tim Düsterhus <duesterhus@woltlab.com>
Tue, 31 May 2022 12:57:44 +0000 (14:57 +0200)
This is not exploitable for a full-blown XSS attack, as any HTML tags are
stripped. Nonetheless the `"` character can cause issues, as the value is also
displayed in an HTML attribute and the error message contains uncontrolled
content.

wcfsetup/install/files/acp/templates/packageUpdateServerList.tpl

index dcd60c2baa2d17d7588b0b4a9687499a8fd7e0c2..8bc0d223e61aafd652a1e8fd22c6899cabcfeb5c 100644 (file)
@@ -57,7 +57,7 @@
                                                <td class="columnTitle columnServerURL"><a href="{link controller='PackageUpdateServerEdit' id=$updateServer->packageUpdateServerID}{/link}" title="{lang}wcf.acp.updateServer.edit{/lang}">{$updateServer->serverURL}</a></td>
                                                <td class="columnDigits columnPackages">{#$updateServer->packages}</td>
                                                <td class="columnStatus"><span class="badge{if $updateServer->status == 'online'} green{else} red{/if}">{@$updateServer->status}</span></td>
-                                               <td class="columnText columnErrorText" title="{@$updateServer->errorMessage}">{@$updateServer->errorMessage|truncate:"30"}</td>
+                                               <td class="columnText columnErrorText" title="{$updateServer->errorMessage}">{$updateServer->errorMessage|truncate:"30"}</td>
                                                <td class="columnDate columnTimestamp">{if $updateServer->lastUpdateTime}{@$updateServer->lastUpdateTime|time}{/if}</td>
                                                
                                                {event name='columns'}
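Review bot: Dropping the `@` on both occurrences of `errorMessage` is the right fix for the `title="..."` attribute break described in the commit message, but please confirm that the engine applies its HTML encoding after the `truncate:"30"` modifier rather than before it; if encoding ran first, a 30-character cut could land inside an entity such as `&quot;` and emit a dangling `&quo`. While here, the adjacent `{@$updateServer->status}` in the badge cell is still raw output; it appears to be a fixed enumerated value (it is compared against `'online'` in the same line), so it is presumably safe, but a short note in the commit message on why it and `{@$updateServer->lastUpdateTime|time}` keep `@` would make the intent clear to the next reader auditing this template.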