diff --git a/bundles/AdminBundle/Controller/Admin/Asset/AssetHelperController.php b/bundles/AdminBundle/Controller/Admin/Asset/AssetHelperController.php
index e7849dc20d0..8701ac111e5 100644
--- a/bundles/AdminBundle/Controller/Admin/Asset/AssetHelperController.php
+++ b/bundles/AdminBundle/Controller/Admin/Asset/AssetHelperController.php
@@ -33,6 +33,7 @@
use Pimcore\Model\GridConfigShare;
use Pimcore\Model\Metadata;
use Pimcore\Model\User;
+use Pimcore\Security\SecurityHelper;
use Pimcore\Tool;
use Pimcore\Tool\Storage;
use Pimcore\Version;
@@ -963,9 +964,10 @@ public function getMetadataForColumnConfigAction(Request $request)
if (!in_array($uniqueKey, $tmp) && !in_array($item->getName(), $defaultMetadataNames)) {
$tmp[] = $uniqueKey;
$item->expand();
+ $name = SecurityHelper::convertHtmlSpecialChars($item->getName());
$metadataItems[] = [
- 'title' => $item->getName(),
- 'name' => $item->getName(),
+ 'title' => $name,
+ 'name' => $name,
'subtype' => $item->getTargetSubtype(),
'datatype' => 'data',
'fieldtype' => $item->getType(),
diff --git a/bundles/AdminBundle/Controller/Admin/DataObject/DataObjectHelperController.php b/bundles/AdminBundle/Controller/Admin/DataObject/DataObjectHelperController.php
index db28959f4d5..6a3ba048b1f 100644
--- a/bundles/AdminBundle/Controller/Admin/DataObject/DataObjectHelperController.php
+++ b/bundles/AdminBundle/Controller/Admin/DataObject/DataObjectHelperController.php
@@ -32,6 +32,7 @@
use Pimcore\Model\GridConfigFavourite;
use Pimcore\Model\GridConfigShare;
use Pimcore\Model\User;
+use Pimcore\Security\SecurityHelper;
use Pimcore\Tool;
use Pimcore\Tool\Storage;
use Pimcore\Version;
@@ -355,6 +356,13 @@ public function doGetGridColumnConfig(Request $request, Config $config, $isDelet
$gridConfigDescription = $savedGridConfig->getDescription();
$sharedGlobally = $savedGridConfig->isShareGlobally();
$setAsFavourite = $savedGridConfig->isSetAsFavourite();
+
+ foreach($gridConfig['columns'] as &$column) {
+ if (array_key_exists('isOperator', $column) && $column['isOperator']) {
+ $colAttributes = &$column['fieldConfig']['attributes'];
+ SecurityHelper::convertHtmlSpecialCharsArrayKeys($colAttributes, ['label', 'attribute', 'param1']);
+ }
+ }
}
}
diff --git a/bundles/AdminBundle/Resources/public/js/pimcore/object/gridcolumn/operator/AnyGetter.js b/bundles/AdminBundle/Resources/public/js/pimcore/object/gridcolumn/operator/AnyGetter.js
index 3ee3c4bff73..274279575d9 100644
--- a/bundles/AdminBundle/Resources/public/js/pimcore/object/gridcolumn/operator/AnyGetter.js
+++ b/bundles/AdminBundle/Resources/public/js/pimcore/object/gridcolumn/operator/AnyGetter.js
@@ -83,22 +83,25 @@ pimcore.object.gridcolumn.operator.anygetter = Class.create(pimcore.object.gridc
fieldLabel: t('label'),
length: 255,
width: 200,
- value: this.node.data.configAttributes.label
+ value: this.node.data.configAttributes.label,
+ listeners: {'change': pimcore.helpers.htmlEncodeTextField }
});
this.attributeField = new Ext.form.TextField({
fieldLabel: t('attribute'),
length: 255,
width: 200,
- value: this.node.data.configAttributes.attribute
+ value: this.node.data.configAttributes.attribute,
+ listeners: {'change': pimcore.helpers.htmlEncodeTextField }
});
this.param1Field = new Ext.form.TextField({
fieldLabel: t('parameter'),
length: 255,
width: 200,
- value: this.node.data.configAttributes.param1
- });
+ value: this.node.data.configAttributes.param1,
+ listeners: {'change': pimcore.helpers.htmlEncodeTextField }
+ });
this.returnLastResultField = new Ext.form.Checkbox({
fieldLabel: t('return_last_result'),
@@ -183,7 +186,7 @@ pimcore.object.gridcolumn.operator.anygetter = Class.create(pimcore.object.gridc
if (configAttributes.param1) {
attr += " " + configAttributes.param1;
}
- nodeLabel += ' (' + attr + ')';
+ nodeLabel += ' (' + Ext.util.Format.htmlEncode(attr) + ')';
}
return nodeLabel;
diff --git a/bundles/AdminBundle/Resources/public/js/pimcore/settings/metadata/predefined.js b/bundles/AdminBundle/Resources/public/js/pimcore/settings/metadata/predefined.js
index a7e644ae987..d9f2fa9d8fd 100644
--- a/bundles/AdminBundle/Resources/public/js/pimcore/settings/metadata/predefined.js
+++ b/bundles/AdminBundle/Resources/public/js/pimcore/settings/metadata/predefined.js
@@ -138,7 +138,7 @@ pimcore.settings.metadata.predefined = Class.create({
sortable: true
},
{text: t("name"), width: 200, sortable: true, dataIndex: 'name',
- getEditor: function() { return new Ext.form.TextField({}); }
+ getEditor: function() { return new Ext.form.TextField({ listeners: {'change': pimcore.helpers.htmlEncodeTextField } }); }
},
{text: t("group"), width: 200, sortable: true, dataIndex: 'group',
getEditor: function() { return new Ext.form.TextField({}); }
diff --git a/lib/DataObject/GridColumnConfig/Operator/AbstractOperator.php b/lib/DataObject/GridColumnConfig/Operator/AbstractOperator.php
index 47e5545d27a..783170c7c4c 100644
--- a/lib/DataObject/GridColumnConfig/Operator/AbstractOperator.php
+++ b/lib/DataObject/GridColumnConfig/Operator/AbstractOperator.php
@@ -16,6 +16,7 @@
namespace Pimcore\DataObject\GridColumnConfig\Operator;
use Pimcore\DataObject\GridColumnConfig\ConfigElementInterface;
+use Pimcore\Security\SecurityHelper;
use Pimcore\Tool;
abstract class AbstractOperator implements OperatorInterface
@@ -41,7 +42,7 @@ abstract class AbstractOperator implements OperatorInterface
*/
public function __construct(\stdClass $config, array $context = [])
{
- $this->label = $config->label;
+ $this->label = SecurityHelper::convertHtmlSpecialChars($config->label);
$this->childs = $config->childs;
$this->context = $context;
}
@@ -91,7 +92,7 @@ public function getLabel()
*/
public function setLabel($label)
{
- $this->label = $label;
+ $this->label = SecurityHelper::convertHtmlSpecialChars($label);
}
/**
diff --git a/lib/DataObject/GridColumnConfig/Operator/AnyGetter.php b/lib/DataObject/GridColumnConfig/Operator/AnyGetter.php
index ccf970ce46c..6bd0e9ef663 100644
--- a/lib/DataObject/GridColumnConfig/Operator/AnyGetter.php
+++ b/lib/DataObject/GridColumnConfig/Operator/AnyGetter.php
@@ -16,6 +16,7 @@
namespace Pimcore\DataObject\GridColumnConfig\Operator;
use Pimcore\Model\AbstractModel;
+use Pimcore\Security\SecurityHelper;
use Pimcore\Tool\Admin;
/**
@@ -64,8 +65,8 @@ public function __construct(\stdClass $config, $context = null)
parent::__construct($config, $context);
- $this->attribute = $config->attribute ?? '';
- $this->param1 = $config->param1 ?? '';
+ $this->attribute = SecurityHelper::convertHtmlSpecialChars($config->attribute ?? '');
+ $this->param1 = SecurityHelper::convertHtmlSpecialChars($config->param1 ?? '');
$this->isArrayType = $config->isArrayType ?? false;
$this->forwardAttribute = $config->forwardAttribute ?? '';
@@ -182,7 +183,7 @@ public function getAttribute()
*/
public function setAttribute($attribute)
{
- $this->attribute = $attribute;
+ $this->attribute = SecurityHelper::convertHtmlSpecialChars($attribute);
}
/**
@@ -198,7 +199,7 @@ public function getParam1()
*/
public function setParam1($param1)
{
- $this->param1 = $param1;
+ $this->param1 = SecurityHelper::convertHtmlSpecialChars($param1);
}
/**
diff --git a/lib/Security/SecurityHelper.php b/lib/Security/SecurityHelper.php
index 541238e2bba..4ba989380af 100644
--- a/lib/Security/SecurityHelper.php
+++ b/lib/Security/SecurityHelper.php
@@ -25,4 +25,13 @@ public static function convertHtmlSpecialChars(?string $text): ?string
return null;
}
+
+ public static function convertHtmlSpecialCharsArrayKeys(array &$array, array $keys): void
+ {
+ foreach ($keys as $key) {
+ if (array_key_exists($key, $array)) {
+ $array[$key] = self::convertHtmlSpecialChars($array[$key]);
+ }
+ }
+ }
}