diff --git a/CHANGELOG.md b/CHANGELOG.md
index 3de326de..a29f2733 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,6 @@
## Changelog
+* 5.2.5 - 2026-03-30 - Added escaping for report_matched value
* 5.2.4 - 2026-03-02 - Updated API documentation
* 5.2.3 - 2026-02-05 - Alerts now get deleted when a user's site access is revoked
* 5.2.2 - 2026-01-19 - Added tooltips in add/edit alerts, manage alerts & in the inline text for the delivery method
diff --git a/plugin.json b/plugin.json
index 56505926..bcc9ad87 100644
--- a/plugin.json
+++ b/plugin.json
@@ -1,7 +1,7 @@
{
"name": "CustomAlerts",
"description": "Create custom Alerts to be notified of important changes on your website or app! ",
- "version": "5.2.4",
+ "version": "5.2.5",
"require": {
"matomo": ">=5.0.0-b1,<6.0.0-b1"
},
diff --git a/templates/htmlTriggeredAlerts.twig b/templates/htmlTriggeredAlerts.twig
index b63a8d63..9152e659 100755
--- a/templates/htmlTriggeredAlerts.twig
+++ b/templates/htmlTriggeredAlerts.twig
@@ -29,7 +29,7 @@
{% endif %}
{{ alert.reportName|default(alert.report)|rawSafeDecoded }} |
{% if hasConditions %}
- {{ alert.dimension|default('') }} {{ alert.reportConditionName }} {% if alert.report_matched %}'{{ alert.report_matched|truncate(100)|raw }}'{% endif %} |
+ {{ alert.dimension|default('') }} {{ alert.reportConditionName }} {% if alert.report_matched %}'{{ alert.report_matched|truncate(100)|rawSafeDecoded }}'{% endif %} |
{% endif %}
{{ alert.reportMetric }} {{ alertsMacro.metricChangeDescription(alert) }} |
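Review bot: `truncate(100)` still runs before `rawSafeDecoded` on the changed line, so the cut is made on the stored representation of `report_matched` rather than on the text the recipient sees; if that stored value can contain entity- or percent-encoded sequences (likely, given how Matomo sanitises input — confirm), a cut at 100 characters can land inside one and the filter then decodes a partial sequence before escaping. The output should still be escaped, but the visible text can end in a stray fragment such as `&l` or `%2`, and the test added in tests/Integration/ControllerTest.php uses a short payload, so this path is never exercised. Consider truncating the decoded text where the alert rows are prepared for the template, so the template only escapes, or at least add a case with a value longer than 100 characters containing an encoded sequence around the cut. `rawSafeDecoded` is a core filter whose decode steps are not visible here, so verify the filter order against its implementation before relying on it.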
diff --git a/tests/Integration/ControllerTest.php b/tests/Integration/ControllerTest.php
index b4409d0d..9c50e633 100644
--- a/tests/Integration/ControllerTest.php
+++ b/tests/Integration/ControllerTest.php
@@ -228,6 +228,20 @@ public function test_formatAlertsNoConditions_asHtml()
$this->assertEquals($expected, $rendered, "Got following HTML response: " . var_export($rendered, true));
}
+ public function test_formatAlerts_asHtml_shouldEscapeReportMatched()
+ {
+ $payload = '
';
+ $alerts = array(
+ $this->buildAlert(1, 'MyName1', 'week', 1, 'Piwik test', 'superUserLogin', 'nb_visits', 'decrease_more_than', 5000, 'MultiSites_getOne', 'matches_exactly', $payload)
+ );
+
+ $rendered = $this->controller->formatAlerts($alerts, 'html');
+
+ $this->assertStringContainsString("Website is '<img src=x onerror=alert(1)>'", $rendered);
+ $this->assertStringNotContainsString("'{$payload}'", $rendered);
+ $this->assertStringNotContainsString("
", $rendered);
+ }
+
public function test_enrichTriggeredAlerts_shouldEnrichAlerts_IfReportExistsAndMetricIsValid()
{
$timestamp = 1389824417;
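Review bot: The second negative assertion in the new test, `$this->assertStringNotContainsString("'{$payload}'", $rendered);`, is implied by the third one that checks for the bare payload, so keeping only the bare-payload check states the intent more clearly. The positive `assertStringContainsString` pins the exact escaped output, which is the right kind of check, but a single short value leaves the `truncate(100)` applied to `report_matched` in templates/htmlTriggeredAlerts.twig untested; a second dataset with a value over 100 characters would cover that path. `array(` on the `$alerts` line could be `[` if the rest of this file already uses short array syntax.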