disallow html entity names on import - follow up to #11217

pimcore · Jan 25, 2022 · 3ae96b9 · 3ae96b9
1 parent fbb2bad
commit 3ae96b9
Showing 1 changed file with 2 additions and 2 deletions.
diff --git a/models/DataObject/ClassDefinition/Service.php b/models/DataObject/ClassDefinition/Service.php
@@ -315,11 +315,11 @@ public static function generateLayoutTreeFromArray($array, $throwException = fal
     {
         if (is_array($array) && count($array) > 0) {
             if ($name = $array['name'] ?? false) {
-                $sanitizedName = htmlentities($name);
-                if ($sanitizedName !== $name) {
+                if (preg_match('/<.+?>/', $name)) {
                     throw new \Exception('not a valid name:' . htmlentities($name));
                 }
             }
+
             /** @var LoaderInterface $loader */
             $loader = \Pimcore::getContainer()->get('pimcore.implementation_loader.object.' . $array['datatype']);