From d60c2ff4329e3759bd5633f6a404fd50e17bb658 Mon Sep 17 00:00:00 2001
From: Niklas Bittner
Date: Fri, 16 Feb 2024 00:51:00 +0100
Subject: [PATCH] fix: stored xss with wish url

---
 src/classes/wishthis/Wish.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/classes/wishthis/Wish.php b/src/classes/wishthis/Wish.php
index 2fad3434..86c44dc9 100644
--- a/src/classes/wishthis/Wish.php
+++ b/src/classes/wishthis/Wish.php
@@ -208,7 +208,7 @@ class Wish
 $this->title = stripslashes($wishData['title'] ?? '');
 $this->description = stripslashes($wishData['description'] ?? '');
 $this->image = $wishData['image'] ?? '';
- $this->url = $wishData['url'] ?? '';
+ $this->url = htmlspecialchars($wishData['url'] ?? '', ENT_QUOTES);
 $this->priority = $wishData['priority'];
 $this->status = $wishData['status'];
 $this->is_purchasable = $wishData['is_purchasable'];
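Review bot: Applying htmlspecialchars on the added `$this->url` line escapes at model-load time rather than at output, so the property now holds an HTML-encoded value (`&` in a query string becomes `&amp;`) that is wrong in every non-HTML context such as a redirect header or JSON response, and it is double-encoded wherever a template escapes it again; it also leaves a `javascript:` scheme untouched, which HTML escaping never addresses for an `href`. A safer shape is to keep the raw value here, enforce a scheme allowlist, and escape in the view: `$url = $wishData['url'] ?? '';` then `$this->url = in_array(parse_url($url, PHP_URL_SCHEME), ['http', 'https'], true) ? $url : '';`, with `htmlspecialchars($wish->url, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')` at render time. If the escaped-on-load approach is kept deliberately, at least pass `ENT_QUOTES | ENT_SUBSTITUTE` so a URL with malformed UTF-8 does not silently collapse to an empty string. The title and description on the preceding context lines receive only stripslashes, so if they are rendered the same way as the URL they presumably need equivalent output escaping — worth confirming in the templates. The enclosing method starts outside the hunk.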