Add escaping to field labels

classes/components/forms/announcement/PKPAnnouncementForm.php

@@ -75,7 +75,7 @@ public function __construct($action, $locales, $announcementContext)
         foreach ($announcementTypes as $announcementType) {
             $announcementOptions[] = [
                 'value' => (int) $announcementType->getId(),
-                'label' => $announcementType->getLocalizedTypeName(),
+                'label' => htmlspecialchars($announcementType->getLocalizedTypeName()),
             ];
         }
         if (!empty($announcementOptions)) {

classes/components/forms/context/PKPAppearanceSetupForm.php

@@ -58,7 +58,7 @@ public function __construct($action, $locales, $context, $baseUrl, $temporaryFil
             if (isset($plugins[$plugin])) {
                 $enabledOptions[] = [
                     'value' => $plugin,
-                    'label' => $plugins[$plugin]->getDisplayName(),
+                    'label' => htmlspecialchars($plugins[$plugin]->getDisplayName()),
                 ];
             }
         }
@@ -67,7 +67,7 @@ public function __construct($action, $locales, $context, $baseUrl, $temporaryFil
             if (!in_array($pluginName, $currentBlocks)) {
                 $disabledOptions[] = [
                     'value' => $pluginName,
-                    'label' => $plugin->getDisplayName(),
+                    'label' => htmlspecialchars($plugin->getDisplayName()),
                 ];
             }
         }

classes/components/forms/context/PKPPaymentSettingsForm.php

@@ -47,7 +47,7 @@ public function __construct($action, $locales, $context)
         foreach (Locale::getCurrencies() as $currency) {
             $currencies[] = [
                 'value' => $currency->getLetterCode(),
-                'label' => $currency->getLocalName(),
+                'label' => htmlspecialchars($currency->getLocalName()),
             ];
         }
 
@@ -57,7 +57,7 @@ public function __construct($action, $locales, $context)
         foreach ($paymentPlugins as $plugin) {
             $pluginList[] = [
                 'value' => $plugin->getName(),
-                'label' => $plugin->getDisplayName(),
+                'label' => htmlspecialchars($plugin->getDisplayName()),
             ];
         }
 

classes/components/forms/context/PKPThemeForm.php

@@ -67,7 +67,7 @@ public function __construct($action, $locales, $context = null)
         foreach ($plugins as $plugin) {
             $themes[] = [
                 'value' => $plugin->getDirName(),
-                'label' => $plugin->getDisplayName(),
+                'label' => htmlspecialchars($plugin->getDisplayName()),
             ];
         }
 

classes/components/forms/site/PKPSiteAppearanceForm.php

@@ -51,7 +51,7 @@ public function __construct($action, $locales, $site, $baseUrl, $temporaryFileAp
         foreach ($plugins as $pluginName => $plugin) {
             $sidebarOptions[] = [
                 'value' => $pluginName,
-                'label' => $plugin->getDisplayName(),
+                'label' => htmlspecialchars($plugin->getDisplayName()),
             ];
         }
 

classes/components/forms/submission/PKPSubmissionFileForm.php

@@ -45,7 +45,7 @@ public function __construct($action, $genres)
             'options' => array_map(function ($genre) {
                 return [
                     'value' => (int) $genre->getId(),
-                    'label' => $genre->getLocalizedName(),
+                    'label' => htmlspecialchars($genre->getLocalizedName()),
                 ];
             }, $genres),
             'value' => 0,