Fix XSS

Author: nfourtythree

src/controllers/InventoryController.php

@@ -281,14 +281,17 @@ public function actionInventoryLevelsTableData(): Response
             $purchasable = \Craft::$app->getElements()->getElementById($inventoryLevel['purchasableId'], siteId: Cp::requestedSite()->id);
             $inventoryItemDomId = sprintf("edit-$id-link-%s", mt_rand());
             if ($purchasable) {
-                $inventoryLevel['purchasable'] = Cp::chipHtml($purchasable, ['labelHtml' => $purchasable->getDescription(), 'showActionMenu' => !$purchasable->getIsDraft() && $purchasable->canSave($currentUser)]);
+                // When providing the `labelHtml` option we need to encode it ourselves
+                $inventoryLevel['purchasable'] = Cp::chipHtml($purchasable, ['labelHtml' => Html::encode($purchasable->getDescription()), 'showActionMenu' => !$purchasable->getIsDraft() && $purchasable->canSave($currentUser)]);
             } else {
-                $inventoryLevel['purchasable'] = $inventoryLevel['description'];
+                $inventoryLevel['purchasable'] = Html::encode($inventoryLevel['description']);
             }
             if (PurchasableHelper::isTempSku($inventoryLevel['sku'])) {
                 $inventoryLevel['sku'] = '';
             }
-            $inventoryLevel['sku'] = Html::tag('span', Html::a($inventoryLevel['sku'], "#", ['id' => "$inventoryItemDomId", 'class' => 'code']));
+
+            // Ensure encoded SKU
+            $inventoryLevel['sku'] = Html::tag('span', Html::a(Html::encode($inventoryLevel['sku']), "#", ['id' => "$inventoryItemDomId", 'class' => 'code']));
             $inventoryLevel['id'] = $id;
 
             $view->registerJsWithVars(fn($id, $params, $inventoryLevelsManagerContainerId) => <<<JS