Merge remote-tracking branch 'origin/1.5' into 1.x

pimcore · Mar 29, 2023 · ee161be · ee161be
2 parents 16b2a02 + 1697905
commit ee161be
Show file tree

Hide file tree

Showing 4 changed files with 17 additions and 1 deletion.
diff --git a/src/Resources/public/js/pimcore/perspective/perspective.js b/src/Resources/public/js/pimcore/perspective/perspective.js
@@ -104,6 +104,8 @@ pimcore.bundle.perspectiveeditor.PerspectiveEditor = class {
                                     disabled: !pimcore.settings['perspectives-writeable'],
                                     handler: function(){
                                         Ext.MessageBox.prompt(t('plugin_pimcore_perspectiveeditor_new_perspective'), t('plugin_pimcore_perspectiveeditor_new_perspective'), function (button, value) {
+                                            value = this.sanitizeName(value);
+
                                             if (button === 'ok' && value.length > 0) {
                                                 //check for configs with same name
                                                 let match = this.perspectiveTreeStore.findExact("name", value);
@@ -824,4 +826,8 @@ pimcore.bundle.perspectiveeditor.PerspectiveEditor = class {
             }
         }
     }
+
+    sanitizeName (name) {
+        return name.replace(/[^a-z0-9_\-.+]/gi,'');
+    }
 }
diff --git a/src/Resources/public/js/pimcore/perspective/view.js b/src/Resources/public/js/pimcore/perspective/view.js
@@ -86,6 +86,8 @@ pimcore.bundle.perspectiveeditor.ViewEditor = class {
                     disabled: !pimcore.settings['custom-views-writeable'],
                     handler: function () {
                         Ext.MessageBox.prompt(t('plugin_pimcore_perspectiveeditor_new_view'), t('plugin_pimcore_perspectiveeditor_new_view'), function (button, value) {
+                            value = this.sanitizeName(value);
+
                             if (button === 'ok' && value.length > 0) {
                                 const record = this.viewTreeStore.getRoot().appendChild({
                                     id: pimcore.bundle.perspectiveeditor.PerspectiveViewHelper.generateUuid(),
@@ -567,4 +569,8 @@ pimcore.bundle.perspectiveeditor.ViewEditor = class {
             }
         }
     }
+
+    sanitizeName (name) {
+        return name.replace(/[^a-z0-9_\-.+]/gi,'');
+    }
 }
diff --git a/src/Services/PerspectiveAccessor.php b/src/Services/PerspectiveAccessor.php
@@ -29,7 +29,7 @@ protected function convertTreeStoreToConfiguration($treeStore)
         $configuration = [];
 
         foreach ($treeStore['children'] as $child) {
-            $name = $child['name'];
+            $name = htmlspecialchars($child['name']);
             $configuration[$name] = [];
             $configuration[$name]['elementTree'] = [];
             foreach ($child['children'] as $index => $element) {

diff --git a/src/Services/ViewAccessor.php b/src/Services/ViewAccessor.php
@@ -47,6 +47,10 @@ protected function convertTreeStoreToConfiguration($treeStore)
 
         if (isset($treeStore['children'])) {
             foreach ($treeStore['children'] as $child) {
+                if (array_key_exists('name', $child['config'])) {
+                    $child['config']['name'] = htmlspecialchars($child['config']['name']);
+                }
+
                 if (!empty($child['config']['treeContextMenu'])) {
                     foreach (array_keys($child['config']['treeContextMenu']) as $contextMenuEntry) {
                         if (substr($child['config']['treetype'], 0, strlen($contextMenuEntry)) != $contextMenuEntry) {