Fix: X-site-scripting (#13916)

pimcore · Jan 2, 2023 · 746fac1 · 746fac1
1 parent 179a556
commit 746fac1
Showing 1 changed file with 5 additions and 0 deletions.
diff --git a/models/DataObject/ClassDefinition/Service.php b/models/DataObject/ClassDefinition/Service.php
@@ -341,6 +341,11 @@ public static function importObjectBrickFromJson($objectBrick, $json, $throwExce
     public static function generateLayoutTreeFromArray($array, $throwException = false, $insideLocalizedField = false)
     {
         if (is_array($array) && count($array) > 0) {
+            if ($title = $array['title'] ?? false) {
+                if (preg_match('/<.+?>/', $title)) {
+                    throw new \Exception('not a valid title:' . htmlentities($title));
+                }
+            }
             if ($name = $array['name'] ?? false) {
                 if (preg_match('/<.+?>/', $name)) {
                     throw new \Exception('not a valid name:' . htmlentities($name));