From 11b41ee66a68ae55b9c0e011491d6c3744b4e2f3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20B=C3=B6hmer?=
Date: Sun, 14 Jun 2026 12:08:25 +0200
Subject: [PATCH] Hardened against potential XSS injection in table columns

---
 src/DataTables/Column/EntityColumn.php | 2 +-
 src/DataTables/Column/IconLinkColumn.php | 6 +++---
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/src/DataTables/Column/EntityColumn.php b/src/DataTables/Column/EntityColumn.php
index 54ae3fb3..b5d71a08 100644
--- a/src/DataTables/Column/EntityColumn.php
+++ b/src/DataTables/Column/EntityColumn.php
@@ -78,7 +78,7 @@ class EntityColumn extends AbstractColumn
                 );
             }
 
-            return sprintf('%s', $value);
+            return sprintf('%s', htmlspecialchars($value));
         }
 
         return '';
diff --git a/src/DataTables/Column/IconLinkColumn.php b/src/DataTables/Column/IconLinkColumn.php
index 6704cb4a..47b35d82 100644
--- a/src/DataTables/Column/IconLinkColumn.php
+++ b/src/DataTables/Column/IconLinkColumn.php
@@ -87,9 +87,9 @@ class IconLinkColumn extends AbstractColumn
         return sprintf(
             '',
             $disabled ? 'disabled' : '',
-            $href,
-            $title,
-            $icon
+            htmlspecialchars($href),
+            htmlspecialchars($title ?? ''),
+            htmlspecialchars($icon ?? '')
         );
     }
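Review bot: `htmlspecialchars($value)` on the added line in EntityColumn relies on the default flags, which only became `ENT_QUOTES | ENT_SUBSTITUTE` in PHP 8.1; on older runtimes single quotes pass through unescaped and an invalid UTF-8 sequence makes the call return an empty string, so the escaping should be spelled out: `return sprintf('%s', htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'));`. The same applies to the three `htmlspecialchars(...)` calls in the IconLinkColumn hunk. The sprintf format string shows as a bare `'%s'` in this rendering, so whether `$value` lands in element content or inside a quoted attribute cannot be confirmed here; if it is an attribute, `ENT_QUOTES` is what makes the escape sufficient. The enclosing method starts before and ends after the hunk.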
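Review bot: `htmlspecialchars($href)` in IconLinkColumn is not null-coalesced while the `$title` and `$icon` arguments on the next two lines are, so if `$href` can be null the way those apparently can, the call now throws a TypeError under strict_types (or emits a deprecation notice otherwise) where the old code printed an empty attribute; `htmlspecialchars($href ?? '')` keeps the three arguments consistent. Attribute escaping also does not validate the URL itself: if `$href` is ever derived from user-controlled data, a non-http(s) scheme survives escaping intact, so the value should either come from the router or be checked against an allow-list of schemes before it reaches this template. The sprintf format string appears as `''` in this rendering, so the exact attribute positions cannot be confirmed here. The enclosing method begins outside the hunk.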