[Security] Fixed xss in website settings panel (#14957)

* fixed xss in website settings panel * added `htmlspecialchars` to model * added `SecurityHelper::convertHtmlSpecialChars`
pimcore · Apr 20, 2023 · 42a5bbe · 42a5bbe
1 parent 66f1089
commit 42a5bbe
Show file tree

Hide file tree

Showing 2 changed files with 13 additions and 7 deletions.
diff --git a/bundles/AdminBundle/Resources/public/js/pimcore/settings/website.js b/bundles/AdminBundle/Resources/public/js/pimcore/settings/website.js
@@ -19,13 +19,11 @@ pimcore.settings.website = Class.create({
         this.getTabPanel();
     },
 
-
     activate:function () {
         var tabPanel = Ext.getCmp("pimcore_panel_tabs");
         tabPanel.setActiveItem("pimcore_website_settings");
     },
 
-
     getTabPanel:function () {
 
         if (!this.panel) {
@@ -114,7 +112,11 @@ pimcore.settings.website = Class.create({
                 flex: 100,
                 editable: true,
                 sortable: true,
-                editor: new Ext.form.TextField({})
+                editor: new Ext.form.TextField({
+                    listeners: {
+                        'change': pimcore.helpers.htmlEncodeTextField
+                    }
+                })
             },
             {
                 text: t('language'),
@@ -133,7 +135,11 @@ pimcore.settings.website = Class.create({
                 dataIndex: 'data',
                 flex: 300,
                 editable: true,
-                editor: new Ext.form.TextField({}),
+                editor: new Ext.form.TextField({
+                    listeners: {
+                        'change': pimcore.helpers.htmlEncodeTextField
+                    }
+                }),
                 renderer: this.getCellRenderer.bind(this),
             },
             {text: t("site"), flex: 100, sortable:true, dataIndex: "siteId",
@@ -504,7 +510,6 @@ pimcore.settings.website = Class.create({
         this.customKeyField.setValue(null);
     },
 
-
     add: function (key, type, value, config, inherited, inheritable) {
 
         var store = this.grid.getStore();

diff --git a/models/WebsiteSetting.php b/models/WebsiteSetting.php
@@ -18,6 +18,7 @@
 use Pimcore\Model\Element\ElementInterface;
 use Pimcore\Model\Element\Service;
 use Pimcore\Model\Exception\NotFoundException;
+use Pimcore\Security\SecurityHelper;
 
 /**
  * @method \Pimcore\Model\WebsiteSetting\Dao getDao()
@@ -183,7 +184,7 @@ public function setId($id)
      */
     public function setName($name)
     {
-        $this->name = $name;
+        $this->name = SecurityHelper::convertHtmlSpecialChars($name);
 
         return $this;
     }
@@ -228,7 +229,7 @@ public function setData($data)
             $data = $data->getId();
         }
 
-        $this->data = $data;
+        $this->data = SecurityHelper::convertHtmlSpecialChars($data);
 
         return $this;
     }