From c9dd27712ca0357aa49f1e742d9440b14b5d094b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20B=C3=B6hmer?= <mail@jan-boehmer.de>
Date: Sun, 14 Jun 2026 11:55:16 +0200
Subject: [PATCH] Fixed stored XSS vulnerability in BOM Validation Service

---
 .../ImportExportSystem/BOMValidationService.php      | 10 +++++-----
 templates/projects/_bom_validation_results.html.twig | 12 ++++++------
 2 files changed, 11 insertions(+), 11 deletions(-)

diff --git a/src/Services/ImportExportSystem/BOMValidationService.php b/src/Services/ImportExportSystem/BOMValidationService.php
index 74f81fe3..9f4cf5b8 100644
--- a/src/Services/ImportExportSystem/BOMValidationService.php
+++ b/src/Services/ImportExportSystem/BOMValidationService.php
@@ -29,13 +29,13 @@ use Symfony\Contracts\Translation\TranslatorInterface;
 
 /**
  * Service for validating BOM import data with comprehensive validation rules
- * and user-friendly error messages.
+ * and user-friendly error messages. The results are not HTML safe, and must be escaped before display!
  */
-class BOMValidationService
+readonly class BOMValidationService
 {
     public function __construct(
-        private readonly EntityManagerInterface $entityManager,
-        private readonly TranslatorInterface $translator
+        private EntityManagerInterface $entityManager,
+        private TranslatorInterface $translator
     ) {
     }
 
@@ -473,4 +473,4 @@ class BOMValidationService
                 : 0,
         ];
     }
-}
\ No newline at end of file
+}
diff --git a/templates/projects/_bom_validation_results.html.twig b/templates/projects/_bom_validation_results.html.twig
index 68f1b827..cb92e7bc 100644
--- a/templates/projects/_bom_validation_results.html.twig
+++ b/templates/projects/_bom_validation_results.html.twig
@@ -68,7 +68,7 @@
             <p class="mb-2">{% trans %}project.bom_import.validation.errors.description{% endtrans %}</p>
             <ul class="mb-0">
                 {% for error in validation_result.errors %}
-                    <li>{{ error|raw }}</li>
+                    <li>{{ error }}</li>
                 {% endfor %}
             </ul>
         </div>
@@ -80,7 +80,7 @@
             <p class="mb-2">{% trans %}project.bom_import.validation.warnings.description{% endtrans %}</p>
             <ul class="mb-0">
                 {% for warning in validation_result.warnings %}
-                    <li>{{ warning|raw }}</li>
+                    <li>{{ warning }}</li>
                 {% endfor %}
             </ul>
         </div>
@@ -91,7 +91,7 @@
             <h4><i class="fa-solid fa-info-circle fa-fw"></i> {% trans %}project.bom_import.validation.info.title{% endtrans %}</h4>
             <ul class="mb-0">
                 {% for info in validation_result.info %}
-                    <li>{{ info|raw }}</li>
+                    <li>{{ info }}</li>
                 {% endfor %}
             </ul>
         </div>
@@ -139,21 +139,21 @@
                                         {% if line_result.errors is not empty %}
                                             <div class="text-danger">
                                                 {% for error in line_result.errors %}
-                                                    <div><i class="fa-solid fa-exclamation-triangle fa-fw"></i> {{ error|raw }}</div>
+                                                    <div><i class="fa-solid fa-exclamation-triangle fa-fw"></i> {{ error }}</div>
                                                 {% endfor %}
                                             </div>
                                         {% endif %}
                                         {% if line_result.warnings is not empty %}
                                             <div class="text-warning">
                                                 {% for warning in line_result.warnings %}
-                                                    <div><i class="fa-solid fa-exclamation-circle fa-fw"></i> {{ warning|raw }}</div>
+                                                    <div><i class="fa-solid fa-exclamation-circle fa-fw"></i> {{ warning }}</div>
                                                 {% endfor %}
                                             </div>
                                         {% endif %}
                                         {% if line_result.info is not empty %}
                                             <div class="text-info">
                                                 {% for info in line_result.info %}
-                                                    <div><i class="fa-solid fa-info-circle fa-fw"></i> {{ info|raw }}</div>
+                                                    <div><i class="fa-solid fa-info-circle fa-fw"></i> {{ info }}</div>
                                                 {% endfor %}
                                             </div>
                                         {% endif %}