From 0e79413a5bb3468cd2f5cb0594232a1557f792fc Mon Sep 17 00:00:00 2001
From: Tony Murray <murraytony@gmail.com>
Date: Sun, 11 Apr 2021 08:08:41 -0500
Subject: [PATCH] escape user editable field (#12739)

---
 includes/html/pages/api-access.inc.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/includes/html/pages/api-access.inc.php b/includes/html/pages/api-access.inc.php
index b3ebbd7483..5647f59992 100644
--- a/includes/html/pages/api-access.inc.php
+++ b/includes/html/pages/api-access.inc.php
@@ -151,7 +151,7 @@ if (Auth::user()->hasGlobalAdmin()) {
           <td>' . $user_details->auth_type . '</td>
           <td>' . $api->token_hash . '</td>
           <td><button class="btn btn-info btn-xs" data-toggle="modal" data-target="#display-qr" data-token_hash="' . $api->token_hash . '"><i class="fa fa-qrcode" ></i></button></td>
-          <td>' . $api->description . '</td>
+          <td>' . htmlspecialchars($api->description) . '</td>
           <td><input type="checkbox" name="token-status" data-token_id="' . $api->id . '" data-off-text="No" data-on-text="Yes" data-on-color="danger" ' . $api_disabled . ' data-size="mini"></td>
           <td><button type="button" class="btn btn-danger btn-xs" id="' . $api->id . '" data-token_id="' . $api->id . '" data-toggle="modal" data-target="#confirm-delete">Delete</button></td>
         </tr>