From 6ec830ba2cfebfd3dad92a1e829799fcdea61e8c Mon Sep 17 00:00:00 2001
From: Martin Laguna <martin.laguna@processmaker.com>
Date: Tue, 15 Nov 2022 14:07:44 -0400
Subject: [PATCH] Output has been encoded to avoid parsing and executing HTML
 in Categories List.

Observations fixed

More observations fixed

Last observations fixed

Renderer name changed and code style corrected
---
 .../templates/processCategory/processCategoryList.js       | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/workflow/engine/templates/processCategory/processCategoryList.js b/workflow/engine/templates/processCategory/processCategoryList.js
index 528e8daba..ed2feac1b 100644
--- a/workflow/engine/templates/processCategory/processCategoryList.js
+++ b/workflow/engine/templates/processCategory/processCategoryList.js
@@ -181,7 +181,7 @@ Ext.onReady(function(){
     },
     columns: [
               {id:'CATEGORY_UID', dataIndex: 'CATEGORY_UID', hidden:true, hideable:false},
-              {header: _('ID_CATEGORY_NAME'), dataIndex: 'CATEGORY_NAME', width: 500, hidden:false, align:'left'},
+              {header: _('ID_CATEGORY_NAME'), dataIndex: 'CATEGORY_NAME', width: 500, hidden:false, renderer: categoryNameRenderer, align:'left'},
               {header: _('ID_PROCESSES'), dataIndex: 'TOTAL_PROCESSES', width: 100, hidden: false, align: 'center'}
               ]
   });
@@ -282,6 +282,11 @@ Ext.onReady(function(){
   });
 });
 
+//Sanitize output
+categoryNameRenderer = function (value) {
+  return Ext.util.Format.htmlEncode(value);
+};
+
 //Funtion Handles Context Menu Opening
 onMessageContextMenu = function (grid, rowIndex, e) {
   e.stopEvent();