Fix #2941

app/Http/Controllers/Transaction/ShowController.php

@@ -30,6 +30,7 @@ use FireflyIII\Models\TransactionJournal;
 use FireflyIII\Repositories\TransactionGroup\TransactionGroupRepositoryInterface;
 use FireflyIII\Transformers\TransactionGroupTransformer;
 use Illuminate\Http\Request;
+use Illuminate\Support\Str;
 use Symfony\Component\HttpFoundation\ParameterBag;
 
 /**
@@ -82,6 +83,13 @@ class ShowController extends Controller
         // do some amount calculations:
         $amounts = $this->getAmounts($groupArray);
 
+        // make sure notes are escaped but not double escaped.
+        foreach ($groupArray['transactions'] as $index => $transaction) {
+            $search = ['&', '>', '<'];
+            if (!Str::contains($transaction['notes'], $search)) {
+                $groupArray['transactions'][$index]['notes'] = e($transaction['notes']);
+            }
+        }
 
         $events      = $this->repository->getPiggyEvents($transactionGroup);
         $attachments = $this->repository->getAttachments($transactionGroup);

app/Models/Note.php

@@ -86,10 +86,21 @@ class Note extends Model
 
     /**
      * @param $value
+     *
      * @codeCoverageIgnore
      */
-    public function setTextAttribute($value): void
+    public function setTextAttribute(string $value): void
     {
         $this->attributes['text'] = e($value);
     }
+
+    /**
+     * @param string $value
+     *
+     * @return string
+     */
+    public function getTextAttribute(string $value): string
+    {
+        return htmlspecialchars_decode($value, ENT_QUOTES);
+    }
 }