From 542d0cb754ca1be3b9316e02ac7124ff6ec62263 Mon Sep 17 00:00:00 2001
From: Bernhard Rusch
Date: Fri, 29 Oct 2021 06:05:09 +0200
Subject: [PATCH] [Data Object] Properly escape layout and field names in tree

---
 .../public/js/pimcore/object/classes/class.js | 4 ++--
 .../public/js/pimcore/object/classes/data/data.js | 14 ++++++++++----
 .../js/pimcore/object/classes/layout/layout.js | 2 +-
 3 files changed, 13 insertions(+), 7 deletions(-)

diff --git a/bundles/AdminBundle/Resources/public/js/pimcore/object/classes/class.js b/bundles/AdminBundle/Resources/public/js/pimcore/object/classes/class.js
index 670754a8aa8..a712aa67ce3 100644
--- a/bundles/AdminBundle/Resources/public/js/pimcore/object/classes/class.js
+++ b/bundles/AdminBundle/Resources/public/js/pimcore/object/classes/class.js
@@ -1167,7 +1167,7 @@ pimcore.object.classes.klass = Class.create({
             }
             var newNode = {
-                text: nodeLabel,
+                text: htmlspecialchars(nodeLabel),
                 type: "layout",
                 iconCls: pimcore.object.classes.layout[type].prototype.getIconClass(),
                 leaf: false,
@@ -1217,7 +1217,7 @@ pimcore.object.classes.klass = Class.create({
             }
             var newNode = {
-                text: nodeLabel,
+                text: htmlspecialchars(nodeLabel),
                 type: "data",
                 leaf: true,
                 iconCls: pimcore.object.classes.data[type].prototype.getIconClass()
diff --git a/bundles/AdminBundle/Resources/public/js/pimcore/object/classes/data/data.js b/bundles/AdminBundle/Resources/public/js/pimcore/object/classes/data/data.js
index bb94070d708..99a236e7359 100644
--- a/bundles/AdminBundle/Resources/public/js/pimcore/object/classes/data/data.js
+++ b/bundles/AdminBundle/Resources/public/js/pimcore/object/classes/data/data.js
@@ -286,8 +286,10 @@ pimcore.object.classes.data.data = Class.create({
         if (this.treeNode) {
             for (var i = 0; i < items.length; i++) {
                 if (items[i].name == "name") {
-                    this.treeNode.set("text", items[i].getValue());
-                    break;
+                    if(this.isValidName(items[i].getValue())) {
+                        this.treeNode.set("text", htmlspecialchars(items[i].getValue()));
+                        break;
+                    }
                 }
             }
         }
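Review bot: The tree node now stores the entity-encoded label in `text`, so any code that later reads `node.data.text` or `node.get('text')` to recover the element name — for renaming or when serializing the class definition, for instance — would get `&lt;`/`&amp;` sequences instead of the raw name; whether such a read exists is not visible from the hunk, so it is worth confirming, and if it does the raw name should live in a separate node field with escaping applied only for display. The same point applies to the second class.js hunk at line 1217. Escaping where the label enters the ExtJS tree is the right place for the fix, since node text is rendered as HTML. The enclosing function starts and ends outside the hunk.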
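Review bot: The label update validates the untrimmed field value, while the validation in the next hunk of this file trims `data.name` before testing it, so a name typed with surrounding whitespace is accepted by validation but never reflected in the tree; normalising the same way, `var name = trim(items[i].getValue());` followed by `if (this.isValidName(name)) {` and `this.treeNode.set("text", htmlspecialchars(name));`, removes the discrepancy, evaluates `getValue()` once instead of twice, and fixes the missing space in `if(`. Because the pattern behind `isValidName` admits only `[a-zA-Z0-9_]`, a name that passes it cannot contain HTML-special characters, so `htmlspecialchars` here is defence in depth rather than the guard itself; a one-line comment to that effect, `// name already validated; escape anyway since tree text is rendered as HTML`, would stop a later reader from dropping either check. The enclosing function starts outside the hunk.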
@@ -302,10 +304,9 @@ pimcore.object.classes.data.data = Class.create({
         var data = this.getData();
         data.name = trim(data.name);
-        var isValidName = /^[a-zA-Z][a-zA-Z0-9_]*$/;
         var isForbiddenName = in_arrayi(data.name, this.forbiddenNames);
-        if (data.name.length > 1 && isValidName.test(data.name) && !isForbiddenName) {
+        if (data.name.length > 1 && this.isValidName(data.name) && !isForbiddenName) {
             return true;
         }
@@ -316,6 +317,11 @@ pimcore.object.classes.data.data = Class.create({
         return false;
     },
+    isValidName: function (name) {
+        let isValidName = /^[a-zA-Z][a-zA-Z0-9_]*$/;
+        return isValidName.test(name);
+    },
+
     applyData: function () {
         if (!this.layout) {
diff --git a/bundles/AdminBundle/Resources/public/js/pimcore/object/classes/layout/layout.js b/bundles/AdminBundle/Resources/public/js/pimcore/object/classes/layout/layout.js
index 9acb7cf9ed1..bb79454a57b 100644
--- a/bundles/AdminBundle/Resources/public/js/pimcore/object/classes/layout/layout.js
+++ b/bundles/AdminBundle/Resources/public/js/pimcore/object/classes/layout/layout.js
@@ -192,7 +192,7 @@ pimcore.object.classes.layout.layout = Class.create({
             for (var i = 0; i < items.length; i++) {
                 if (items[i].name == "name") {
-                    this.treeNode.set('text', items[i].getValue());
+                    this.treeNode.set('text', htmlspecialchars(items[i].getValue()));
                     break;
                 }
             }
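Review bot: The new `isValidName` method declares a never-reassigned regex with `let` and gives the local the same name as the method, which makes searches and stack traces ambiguous; `const namePattern = /^[a-zA-Z][a-zA-Z0-9_]*$/; return namePattern.test(name);` is the idiomatic form (no `g` flag, so a shared literal is safe). The method is also undocumented: a JSDoc block stating that it returns true when the name is an ASCII letter followed by letters, digits or underscores, with `@param {string} name` and `@returns {boolean}`, would pin the contract that both callers in this file now rely on. The caller in the previous hunk additionally requires `data.name.length > 1`, so single-character names are rejected there even though this pattern accepts them; if that is intentional, the JSDoc should say the method checks the character set only and not the length rule.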
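Review bot: Unlike the matching change in data.js, the layout label is escaped but not gated on a validity check before being written to the tree, so the two editors now behave differently for the same input; if layout names have a validity rule of their own (not visible here), it should be applied in the same way, otherwise a short comment stating that layout names are free-form and rely on escaping alone would explain the asymmetry. Applying `htmlspecialchars` to the user-supplied label is correct for an ExtJS tree node, whose text is rendered as HTML. The enclosing function starts and ends outside the hunk.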