From 7cb9b8c786934ebe58d9afa01c3a232ecbbfe8b4 Mon Sep 17 00:00:00 2001
From: Kijin Sung
Date: Tue, 30 Jan 2024 20:43:39 +0900
Subject: [PATCH] RVE-2024-1 also apply escape() when updating document
---
 modules/document/document.controller.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/document/document.controller.php b/modules/document/document.controller.php
index 6d2516c8b..75539ded7 100644
--- a/modules/document/document.controller.php
+++ b/modules/document/document.controller.php
@@ -1049,7 +1049,7 @@ class DocumentController extends Document
 $obj->title = escape($obj->title, false);
 if($obj->title == '')
 {
- $obj->title = cut_str(strip_tags($obj->content),20,'...');
+ $obj->title = escape(cut_str(trim(utf8_normalize_spaces(strip_tags($obj->content))), 20, '...'), false);
 }
 if($obj->title == '')
 {
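Review bot: The added assignment escapes the content-derived fallback title, but nothing on the line records why `strip_tags()` alone is not enough, and the word "also" in the subject suggests the same expression already exists in the insert path, where the two copies can drift apart again. `strip_tags()` removes markup but leaves quotes and `&` as they are, so a title built from `$obj->content` needs the same output encoding as a user-supplied title before it is stored. I would put a comment above the assignment, for example `// strip_tags() does not encode quotes or ampersands; escape the derived title like a submitted one`, and, if the insert path does carry the same expression, move it into one private helper that both paths call. The patch changes only what is written from now on, so titles saved through the update path before this fix may still need a check. The enclosing method starts and ends outside the hunk.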