[Data Object] Properly escape layout and field names in tree

pimcore · Oct 29, 2021 · 542d0cb · 542d0cb
1 parent ee761f0
commit 542d0cb
Show file tree

Hide file tree

Showing 3 changed files with 13 additions and 7 deletions.
diff --git a/bundles/AdminBundle/Resources/public/js/pimcore/object/classes/class.js b/bundles/AdminBundle/Resources/public/js/pimcore/object/classes/class.js
@@ -1167,7 +1167,7 @@ pimcore.object.classes.klass = Class.create({
         }
 
         var newNode = {
-            text: nodeLabel,
+            text: htmlspecialchars(nodeLabel),
             type: "layout",
             iconCls: pimcore.object.classes.layout[type].prototype.getIconClass(),
             leaf: false,
@@ -1217,7 +1217,7 @@ pimcore.object.classes.klass = Class.create({
         }
 
         var newNode = {
-            text: nodeLabel,
+            text: htmlspecialchars(nodeLabel),
             type: "data",
             leaf: true,
             iconCls: pimcore.object.classes.data[type].prototype.getIconClass()

diff --git a/bundles/AdminBundle/Resources/public/js/pimcore/object/classes/data/data.js b/bundles/AdminBundle/Resources/public/js/pimcore/object/classes/data/data.js
@@ -286,8 +286,10 @@ pimcore.object.classes.data.data = Class.create({
         if (this.treeNode) {
             for (var i = 0; i < items.length; i++) {
                 if (items[i].name == "name") {
-                    this.treeNode.set("text", items[i].getValue());
-                    break;
+                    if(this.isValidName(items[i].getValue())) {
+                        this.treeNode.set("text", htmlspecialchars(items[i].getValue()));
+                        break;
+                    }
                 }
             }
         }
@@ -302,10 +304,9 @@ pimcore.object.classes.data.data = Class.create({
         var data = this.getData();
         data.name = trim(data.name);
 
-        var isValidName = /^[a-zA-Z][a-zA-Z0-9_]*$/;
         var isForbiddenName = in_arrayi(data.name, this.forbiddenNames);
 
-        if (data.name.length > 1 && isValidName.test(data.name) && !isForbiddenName) {
+        if (data.name.length > 1 && this.isValidName(data.name) && !isForbiddenName) {
             return true;
         }
 
@@ -316,6 +317,11 @@ pimcore.object.classes.data.data = Class.create({
         return false;
     },
 
+    isValidName: function (name) {
+        let isValidName = /^[a-zA-Z][a-zA-Z0-9_]*$/;
+        return isValidName.test(name);
+    },
+
     applyData: function () {
 
         if (!this.layout) {

diff --git a/bundles/AdminBundle/Resources/public/js/pimcore/object/classes/layout/layout.js b/bundles/AdminBundle/Resources/public/js/pimcore/object/classes/layout/layout.js
@@ -192,7 +192,7 @@ pimcore.object.classes.layout.layout = Class.create({
 
         for (var i = 0; i < items.length; i++) {
             if (items[i].name == "name") {
-                this.treeNode.set('text', items[i].getValue());
+                this.treeNode.set('text', htmlspecialchars(items[i].getValue()));
                 break;
             }
         }