From 2b0dd8851c254e1f5aabf00ac01a4f436e836c85 Mon Sep 17 00:00:00 2001
From: spencerrlongg <spencer@spencerlong.com>
Date: Fri, 26 Jan 2024 11:47:09 -0600
Subject: [PATCH] probably needs more testing... but should work

---
 app/Http/Controllers/CustomFieldsController.php               | 2 +-
 resources/views/models/custom_fields_form.blade.php           | 2 +-
 resources/views/models/custom_fields_form_bulk_edit.blade.php | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/app/Http/Controllers/CustomFieldsController.php b/app/Http/Controllers/CustomFieldsController.php
index ffe5eceec2..b109c65f78 100644
--- a/app/Http/Controllers/CustomFieldsController.php
+++ b/app/Http/Controllers/CustomFieldsController.php
@@ -103,7 +103,7 @@ class CustomFieldsController extends Controller
             "name" => trim($request->get("name")),
             "element" => $request->get("element"),
             "help_text" => $request->get("help_text"),
-            "field_values" => $request->get("field_values"),
+            "field_values" => e($request->get("field_values")),
             "field_encrypted" => $request->get("field_encrypted", 0),
             "show_in_email" => $show_in_email,
             "is_unique" => $request->get("is_unique", 0),
diff --git a/resources/views/models/custom_fields_form.blade.php b/resources/views/models/custom_fields_form.blade.php
index 90985ce77f..bae98373e4 100644
--- a/resources/views/models/custom_fields_form.blade.php
+++ b/resources/views/models/custom_fields_form.blade.php
@@ -9,7 +9,7 @@
               <!-- Listbox -->
               @if ($field->element=='listbox')
                    {{ Form::select($field->db_column_name(), $field->formatFieldValuesAsArray(),
-                  Request::old($field->db_column_name(),(isset($item) ? Helper::gracefulDecrypt($field, htmlentities($item->{$field->db_column_name()})) : $field->defaultValue($model->id))), ['class'=>'format select2 form-control']) }}
+                  Request::old($field->db_column_name(),(isset($item) ? Helper::gracefulDecrypt($field, htmlspecialchars($item->{$field->db_column_name()}, ENT_QUOTES)) : $field->defaultValue($model->id))), ['class'=>'format select2 form-control']) }}
 
               @elseif ($field->element=='textarea')
                   <textarea class="col-md-6 form-control" id="{{ $field->db_column_name() }}" name="{{ $field->db_column_name() }}">{{ Request::old($field->db_column_name(),(isset($item) ? Helper::gracefulDecrypt($field, $item->{$field->db_column_name()}) : $field->defaultValue($model->id))) }}</textarea>
diff --git a/resources/views/models/custom_fields_form_bulk_edit.blade.php b/resources/views/models/custom_fields_form_bulk_edit.blade.php
index f01815d5e3..f30c60d331 100644
--- a/resources/views/models/custom_fields_form_bulk_edit.blade.php
+++ b/resources/views/models/custom_fields_form_bulk_edit.blade.php
@@ -25,7 +25,7 @@
               <!-- Listbox -->
               @if ($field->element=='listbox')
                   {{ Form::select($field->db_column_name(), $field->formatFieldValuesAsArray(),
-                  Request::old($field->db_column_name(),(isset($item) ? Helper::gracefulDecrypt($field, htmlentities($item->{$field->db_column_name()})) : $field->defaultValue($model->id))), ['class'=>'format select2 form-control']) }}
+                  Request::old($field->db_column_name(),(isset($item) ? Helper::gracefulDecrypt($field, htmlspecialchars($item->{$field->db_column_name()}, ENT_QUOTES)) : $field->defaultValue($model->id))), ['class'=>'format select2 form-control']) }}
 
               @elseif ($field->element=='textarea')
                 @if($field->is_unique)