From 8bc067b18b40724ab40b6ddc290320f6a69272c2 Mon Sep 17 00:00:00 2001
From: Brady Wetherington <bwetherington@grokability.com>
Date: Tue, 1 Jul 2025 23:22:09 +0100
Subject: [PATCH] Add escaping to user_agent and remote_ip variables for API
 results

---
 app/Http/Transformers/ActionlogsTransformer.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/app/Http/Transformers/ActionlogsTransformer.php b/app/Http/Transformers/ActionlogsTransformer.php
index 702ea123d8..2cc698263f 100644
--- a/app/Http/Transformers/ActionlogsTransformer.php
+++ b/app/Http/Transformers/ActionlogsTransformer.php
@@ -198,8 +198,8 @@ class ActionlogsTransformer
             'note'          => ($actionlog->note) ? Helper::parseEscapedMarkedownInline($actionlog->note): null,
             'signature_file'   => ($actionlog->accept_signature) ? route('log.signature.view', ['filename' => $actionlog->accept_signature ]) : null,
             'log_meta'          => ((isset($clean_meta)) && (is_array($clean_meta))) ? $clean_meta: null,
-            'remote_ip'          => ($actionlog->remote_ip) ??  null,
-            'user_agent'          => ($actionlog->user_agent) ??  null,
+            'remote_ip' => e($actionlog->remote_ip) ?? null,
+            'user_agent' => e($actionlog->user_agent) ?? null,
             'action_source'          => ($actionlog->action_source) ??  null,
             'action_date'   => ($actionlog->action_date) ? Helper::getFormattedDateObject($actionlog->action_date, 'datetime'): Helper::getFormattedDateObject($actionlog->created_at, 'datetime'),
         ];