[Security] Fix xss in predefined properties panel (#14943)

* fixed xss in predefined properties panel * used global helper function for htmlEncode `pimcore.helpers.htmlEncodeTextField` * added `SecurityHelper::convertHtmlSpecialChars` * Update predefined.js prevented xss
pimcore · Apr 19, 2023 · 7a79939 · 7a79939
1 parent 553c9a4
commit 7a79939
Show file tree

Hide file tree

Showing 2 changed files with 21 additions and 16 deletions.
diff --git a/bundles/AdminBundle/Resources/public/js/pimcore/settings/properties/predefined.js b/bundles/AdminBundle/Resources/public/js/pimcore/settings/properties/predefined.js
@@ -57,8 +57,8 @@ pimcore.settings.properties.predefined = Class.create({
 
         this.store = pimcore.helpers.grid.buildDefaultStore(
             url,
-            ['id',
-
+            [
+                'id',
                 {name: 'name', allowBlank: false},'description',
                 {name: 'key', allowBlank: false},
                 {name: 'type', allowBlank: false}, 'data', 'config',
@@ -108,25 +108,25 @@ pimcore.settings.properties.predefined = Class.create({
 
 
         var propertiesColumns = [
-            {text: t("name"), flex: 100, sortable: true, dataIndex: 'name', editor: new Ext.form.TextField({})},
-            {text: t("description"), sortable: true, dataIndex: 'description', editor: new Ext.form.TextArea({}),
+            {text: t("name"), flex: 100, sortable: true, dataIndex: 'name', editor: new Ext.form.TextField({listeners: {'change': pimcore.helpers.htmlEncodeTextField}})},
+            {text: t("description"), sortable: true, dataIndex: 'description', editor: new Ext.form.TextArea({listeners: {'change': pimcore.helpers.htmlEncodeTextField}}),
                 renderer: function (value, metaData, record, rowIndex, colIndex, store) {
                     if(empty(value)) {
                         return "";
                     }
                     return nl2br(Ext.util.Format.htmlEncode(value));
                }
             },
-            {text: t("key"), flex: 50, sortable: true, dataIndex: 'key', editor: new Ext.form.TextField({})},
+            {text: t("key"), flex: 50, sortable: true, dataIndex: 'key', editor: new Ext.form.TextField({listeners: {'change': pimcore.helpers.htmlEncodeTextField}})},
             {text: t("type"), flex: 50, sortable: true, dataIndex: 'type',
                 editor: new Ext.form.ComboBox({
                     triggerAction: 'all',
                     editable: false,
                     store: ["text","document","asset","object","bool","select"]
 
             })},
-            {text: t("value"), flex: 50, sortable: true, dataIndex: 'data', editor: new Ext.form.TextField({})},
-            {text: t("configuration"), flex: 50, sortable: false, dataIndex: 'config', editor: new Ext.form.TextField({})},
+            {text: t("value"), flex: 50, sortable: true, dataIndex: 'data', editor: new Ext.form.TextField({listeners: {'change': pimcore.helpers.htmlEncodeTextField}})},
+            {text: t("configuration"), flex: 50, sortable: false, dataIndex: 'config', editor: new Ext.form.TextField({listeners: {'change': pimcore.helpers.htmlEncodeTextField}})},
             {text: t("content_type"), flex: 50, sortable: true, dataIndex: 'ctype',
                 editor: new Ext.ux.form.MultiSelect({
                     store: new Ext.data.ArrayStore({
@@ -165,11 +165,15 @@ pimcore.settings.properties.predefined = Class.create({
                     tooltip: t('delete'),
                     handler: function (grid, rowIndex) {
                         let data = grid.getStore().getAt(rowIndex);
-                        pimcore.helpers.deleteConfirm(t('predefined_properties'),
-                            Ext.util.Format.htmlEncode(data.data.name),
+                        const decodedName = Ext.util.Format.htmlDecode(data.data.name);
+
+                        pimcore.helpers.deleteConfirm(
+                            t('predefined_properties'),
+                            Ext.util.Format.htmlEncode(decodedName),
                             function () {
-                            grid.getStore().removeAt(rowIndex);
-                        }.bind(this));
+                                grid.getStore().removeAt(rowIndex);
+                            }.bind(this)
+                        );
                     }.bind(this)
                 }]
             },{

diff --git a/models/Property/Predefined.php b/models/Property/Predefined.php
@@ -16,6 +16,7 @@
 namespace Pimcore\Model\Property;
 
 use Pimcore\Model;
+use Pimcore\Security\SecurityHelper;
 
 /**
  * @internal
@@ -177,7 +178,7 @@ public function getData()
      */
     public function setKey($key)
     {
-        $this->key = $key;
+        $this->key = SecurityHelper::convertHtmlSpecialChars($key);
 
         return $this;
     }
@@ -189,7 +190,7 @@ public function setKey($key)
      */
     public function setName($name)
     {
-        $this->name = $name;
+        $this->name = SecurityHelper::convertHtmlSpecialChars($name);
 
         return $this;
     }
@@ -213,7 +214,7 @@ public function setType($type)
      */
     public function setData($data)
     {
-        $this->data = $data;
+        $this->data = SecurityHelper::convertHtmlSpecialChars($data);
 
         return $this;
     }
@@ -253,7 +254,7 @@ public function getConfig()
      */
     public function setConfig($config)
     {
-        $this->config = $config;
+        $this->config = SecurityHelper::convertHtmlSpecialChars($config);
 
         return $this;
     }
@@ -305,7 +306,7 @@ public function setInheritable($inheritable)
      */
     public function setDescription($description)
     {
-        $this->description = $description;
+        $this->description = SecurityHelper::convertHtmlSpecialChars($description);
 
         return $this;
     }