From 42a5bbe5f16b97371fdbfdcf2bb3ee759dea8564 Mon Sep 17 00:00:00 2001
From: Christian F
Date: Thu, 20 Apr 2023 15:23:18 +0200
Subject: [PATCH] [Security] Fixed xss in website settings panel (#14957)

* fixed xss in website settings panel

* added `htmlspecialchars` to model

* added `SecurityHelper::convertHtmlSpecialChars`
---
 .../public/js/pimcore/settings/website.js | 15 ++++++++++-----
 models/WebsiteSetting.php | 5 +++--
 2 files changed, 13 insertions(+), 7 deletions(-)

diff --git a/bundles/AdminBundle/Resources/public/js/pimcore/settings/website.js b/bundles/AdminBundle/Resources/public/js/pimcore/settings/website.js
index 7f66651e70b..1607daee09b 100644
--- a/bundles/AdminBundle/Resources/public/js/pimcore/settings/website.js
+++ b/bundles/AdminBundle/Resources/public/js/pimcore/settings/website.js
@@ -19,13 +19,11 @@ pimcore.settings.website = Class.create({
         this.getTabPanel();
     },
 
-
     activate:function () {
         var tabPanel = Ext.getCmp("pimcore_panel_tabs");
         tabPanel.setActiveItem("pimcore_website_settings");
     },
 
-
     getTabPanel:function () {
 
         if (!this.panel) {
@@ -114,7 +112,11 @@ pimcore.settings.website = Class.create({
                         flex: 100,
                         editable: true,
                         sortable: true,
-                        editor: new Ext.form.TextField({})
+                        editor: new Ext.form.TextField({
+                            listeners: {
+                                'change': pimcore.helpers.htmlEncodeTextField
+                            }
+                        })
                     },
                     {
                         text: t('language'),
@@ -133,7 +135,11 @@ pimcore.settings.website = Class.create({
                         dataIndex: 'data',
                         flex: 300,
                         editable: true,
-                        editor: new Ext.form.TextField({}),
+                        editor: new Ext.form.TextField({
+                            listeners: {
+                                'change': pimcore.helpers.htmlEncodeTextField
+                            }
+                        }),
                         renderer: this.getCellRenderer.bind(this),
                     },
                     {text: t("site"), flex: 100, sortable:true, dataIndex: "siteId",
@@ -504,7 +510,6 @@ pimcore.settings.website = Class.create({
         this.customKeyField.setValue(null);
     },
 
-
     add: function (key, type, value, config, inherited, inheritable) {
         var store = this.grid.getStore();
 
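Review bot: The `'change': pimcore.helpers.htmlEncodeTextField` listener added to the `name` column editor only runs for values typed into this grid; a request sent straight to the settings endpoint never passes through it, so this is a usability layer rather than the XSS fix, and the note should say so where it is wired up: `// cosmetic only: the server re-encodes in WebsiteSetting::setName(); escaping must also happen at render time`. Since the same commit applies `htmlspecialchars` in `WebsiteSetting::setName()`, a value typed here is encoded on the client and again on the server unless the server helper disables double encoding, which this patch does not show — `<` would then be stored as `&amp;lt;`. Consider dropping the listener and escaping in the grid renderer instead, or confirm that `SecurityHelper::convertHtmlSpecialChars` tolerates pre-encoded input. The enclosing column definition and the `Class.create({...})` call start and end outside the hunk.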
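Review bot: The `data` column already routes every cell through `renderer: this.getCellRenderer.bind(this)`, which is the place where an untrusted setting value becomes grid HTML, so escaping there — e.g. passing `Ext.util.Format.htmlEncode(value)` into whatever markup the renderer builds — would close the sink for all rows, not only for edits made in this panel. The new `change` listener on the editor leaves existing rows and values written by other clients unescaped when the grid renders them. `getCellRenderer` is not part of this hunk, so whether it already escapes cannot be confirmed from the patch; if it does, a one-line comment on the listener saying the renderer is the actual defence would stop a future reader from treating the listener as the security control. The column definition and the enclosing `Class.create({...})` continue outside the hunk.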
diff --git a/models/WebsiteSetting.php b/models/WebsiteSetting.php
index bae728b45f9..a7bace70059 100644
--- a/models/WebsiteSetting.php
+++ b/models/WebsiteSetting.php
@@ -18,6 +18,7 @@
 use Pimcore\Model\Element\ElementInterface;
 use Pimcore\Model\Element\Service;
 use Pimcore\Model\Exception\NotFoundException;
+use Pimcore\Security\SecurityHelper;
 
 /**
  * @method \Pimcore\Model\WebsiteSetting\Dao getDao()
@@ -183,7 +184,7 @@ public function setId($id)
      */
     public function setName($name)
     {
-        $this->name = $name;
+        $this->name = SecurityHelper::convertHtmlSpecialChars($name);
 
         return $this;
     }
@@ -228,7 +229,7 @@ public function setData($data)
             $data = $data->getId();
         }
 
-        $this->data = $data;
+        $this->data = SecurityHelper::convertHtmlSpecialChars($data);
 
         return $this;
     }
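Review bot: Encoding in `setName()` mutates the stored key, not only its display: a setting whose name contains `&`, `<`, `>`, `"` or `'` is persisted as `&amp;`, `&lt;`, … and any later lookup by the original name will miss it. If the Dao hydrates the model through this setter (not visible in the patch), every load/save cycle re-encodes the value unless `SecurityHelper::convertHtmlSpecialChars` passes `double_encode = false`; the helper is not in this diff, so that should be confirmed, and the JavaScript side of the same commit already encodes once before the request is sent. Output escaping in the admin grid would fix the XSS without changing stored data; if input encoding stays, document it on the setter: `Stored HTML-encoded via SecurityHelper::convertHtmlSpecialChars(); callers matching on name must encode first.`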
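Review bot: `$data` is not necessarily a string when it reaches `SecurityHelper::convertHtmlSpecialChars($data)` — the two lines above reduce an element to `$data->getId()`, and `setData()` is an untyped setter that callers may pass other scalars or null to — so whether the helper guards non-string input has to be checked in code this patch does not show. Beyond the type question, `data` is the value the front end reads from the website config, so `&`, `<`, `>` and quotes in a URL, script or plain-text setting now arrive HTML-encoded, which is a behavioural change for every non-HTML consumer. Limiting the conversion to string input, `$this->data = is_string($data) ? SecurityHelper::convertHtmlSpecialChars($data) : $data;`, removes the type hazard; escaping at the admin-grid render step instead would avoid both problems. The `setData()` body begins before the hunk.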