From a7023bce1642ec1fd25fe68f0541407d78f321a0 Mon Sep 17 00:00:00 2001
From: Hivert Quentin
Date: Thu, 22 Aug 2024 15:54:04 +0200
Subject: [PATCH] fix(security): Prevent user to add html script in its preferences
---
 UI/PreferencesUI/UIxPreferences.m | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/UI/PreferencesUI/UIxPreferences.m b/UI/PreferencesUI/UIxPreferences.m
index 8e559ef4e..e542b2d94 100644
--- a/UI/PreferencesUI/UIxPreferences.m
+++ b/UI/PreferencesUI/UIxPreferences.m
@@ -1742,9 +1742,12 @@ static NSArray *reminderValues = nil;
 - (id ) saveAction
 {
 id results;
+ NSString *requestStr;
 id o, v;
- o = [[[context request] contentAsString] objectFromJSONString];
+ requestStr = [[context request] contentAsString];
+ requestStr = [requestStr stringWithoutHTMLInjection: NO];
+ o = [requestStr objectFromJSONString];
 results = nil;
 // Proceed with data sanitization of the "defaults"
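Review bot: The filter in `saveAction` runs on the serialized request body (`requestStr = [requestStr stringWithoutHTMLInjection: NO];`) before `objectFromJSONString` decodes it, so it only sees the encoded form: characters written as JSON escapes are presumably restored by the parser after the filter has already run, and a filter that rewrites raw text can also alter the JSON itself or legitimate values that contain markup. It would be more robust to parse first and apply `stringWithoutHTMLInjection:` to each decoded string value in the sanitization step that the trailing comment announces, alongside output encoding wherever preferences are rendered. If the pre-parse placement is kept, a comment such as `// Filters the raw JSON text only; decoded values are not re-checked here` and a word on what the `NO` argument selects would help the next reader. The body of `saveAction` continues past the end of the hunk, so any later per-value filtering is not visible here.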