From 6b4d30090bf70690b2f29f11dddb5bbeedba22b1 Mon Sep 17 00:00:00 2001
From: Stefan Giehl <stefan@matomo.org>
Date: Thu, 23 Sep 2021 22:05:33 +0200
Subject: Fix escaping of html attribute (#18040)

---
 plugins/Diagnostics/Diagnostic/ForceSSLCheck.php  | 8 ++++----
 plugins/Diagnostics/templates/force_ssl_link.twig | 1 +
 2 files changed, 5 insertions(+), 4 deletions(-)
 create mode 100644 plugins/Diagnostics/templates/force_ssl_link.twig

(limited to 'plugins/Diagnostics')

diff --git a/plugins/Diagnostics/Diagnostic/ForceSSLCheck.php b/plugins/Diagnostics/Diagnostic/ForceSSLCheck.php
index 1cbb3c2b98..f85fa15067 100644
--- a/plugins/Diagnostics/Diagnostic/ForceSSLCheck.php
+++ b/plugins/Diagnostics/Diagnostic/ForceSSLCheck.php
@@ -11,6 +11,7 @@ use Piwik\Config;
 use Piwik\ProxyHttp;
 use Piwik\Translation\Translator;
 use Piwik\Url;
+use Piwik\View;
 
 /**
  * Check that Matomo is configured to force SSL.
@@ -38,10 +39,9 @@ class ForceSSLCheck implements Diagnostic
                 return [];
             }
 
-            $message = $this->translator->translate('General_UseSSLInstall', [
-                '<a href="https://'. Url::getCurrentHost() . Url::getCurrentScriptName(false) . Url::getCurrentQueryString() .'">',
-                '</a>'
-            ]);
+            $view = new View('@Diagnostics/force_ssl_link');
+            $view->link = 'https://' . Url::getCurrentHost() . Url::getCurrentScriptName(false) . Url::getCurrentQueryString();
+            $message = $view->render();
             return [DiagnosticResult::singleResult($label, DiagnosticResult::STATUS_WARNING, $message)];
         }
 
diff --git a/plugins/Diagnostics/templates/force_ssl_link.twig b/plugins/Diagnostics/templates/force_ssl_link.twig
new file mode 100644
index 0000000000..8d7c63a8b4
--- /dev/null
+++ b/plugins/Diagnostics/templates/force_ssl_link.twig
@@ -0,0 +1 @@
+{{ 'General_UseSSLInstall'|translate('<a href="' ~ link|escape('html_attr') ~ '">', '</a>')|raw }}
\ No newline at end of file
-- 
cgit v1.2.3