From a3650bb8994efdd3bac0ced8eb9cf19ad5a47546 Mon Sep 17 00:00:00 2001
From: Kijin Sung
Date: Sat, 20 Jan 2024 00:39:19 +0900
Subject: [PATCH] RVE-2024-1 missing escape of autogenerated document title
---
 modules/document/document.controller.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/document/document.controller.php b/modules/document/document.controller.php
index 79595deb0..6d2516c8b 100644
--- a/modules/document/document.controller.php
+++ b/modules/document/document.controller.php
@@ -750,7 +750,7 @@ class DocumentController extends Document
 $obj->title = escape($obj->title, false);
 if($obj->title == '')
 {
- $obj->title = cut_str(trim(strip_tags(nl2br($obj->content))),20,'...');
+ $obj->title = escape(cut_str(trim(utf8_normalize_spaces(strip_tags($obj->content))), 20, '...'), false);
 }
 if($obj->title == '')
 {
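Review bot: The `+` line escapes the autogenerated title, but nothing in the hunk says why, and `strip_tags()` on its own can look like sufficient sanitising to a later reader. A one-line comment above the assignment would keep the `escape()` call from being refactored away, e.g. `// strip_tags() is not an output encoder (quotes and & survive it); escape the generated title exactly like a user-supplied one`. The enclosing method starts and ends outside the hunk, so it is not visible whether this is the insert or the update path. If the other path builds a fallback title from `$obj->content` in the same way, it presumably needs the same wrapping and is worth checking alongside this commit. A regression test that saves a document with an empty title and content containing quotes and entity-encoded markup, then asserts the stored title is escaped, would pin the fix.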