

[Data Object] Properly escape version preview values
brusch committed Aug 25, 2021
1 parent af229c0 commit 9fd55a9
Showing 4 changed files with 4 additions and 8 deletions.
6 changes: 1 addition & 5 deletions models/DataObject/ClassDefinition/Data/Extension/Text.php
Expand Up @@ -58,10 +58,6 @@ public function isDiffChangeAllowed($object, $params = [])
*/
public function getVersionPreview($data, $object = null, $params = [])
{
// remove all <script> tags, to prevent XSS in the version preview
// this should normally be filtered in the project specific controllers/action (/website folder) but just to be sure
$data = preg_replace('#<script(.*?)>(.*?)</script>#is', '', $data);

return $data;
return htmlspecialchars($data);
}
}
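Review bot: `return htmlspecialchars($data);` relies on PHP's default flag set, which on PHP < 8.1 is ENT_COMPAT | ENT_HTML401 — single quotes are not converted, so a value that the preview template places inside a single-quoted attribute can still break out, and a non-UTF-8 byte sequence makes the call return an empty string silently. Spelling the flags out keeps the contract the same on every supported PHP version: `return htmlspecialchars((string) $data, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');`. The `(string)` cast is for the case where no text is stored and `$data` is null (presumably possible for an empty field — confirm against callers), which the old preg_replace-based code returned as-is and which PHP 8.1 flags as a deprecated null argument. Replacing the dropped comment with a one-liner such as `// the version preview is rendered as HTML in the admin UI, so escape here rather than relying on the template` would preserve the reason the escaping lives in this method.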
2 changes: 1 addition & 1 deletion models/DataObject/ClassDefinition/Data/Multiselect.php
Expand Up @@ -345,7 +345,7 @@ public function getDataFromEditmode($data, $object = null, $params = [])
public function getVersionPreview($data, $object = null, $params = [])
{
if (is_array($data)) {
return implode(',', $data);
return implode(',', array_map($data, 'htmlspecialchars'));
}

return null;
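Review bot: `array_map($data, 'htmlspecialchars')` on the new line has its arguments reversed — array_map takes the callback first and the array second, so for any non-empty multiselect value this throws a TypeError (the data array is not a valid callback and the string is not an array) and the version preview fails instead of being escaped. The minimal fix is `return implode(',', array_map('htmlspecialchars', $data));`; to also escape single quotes independently of the PHP version, `return implode(',', array_map(static fn ($v) => htmlspecialchars((string) $v, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'), $data));`. A test calling getVersionPreview with a two-element array containing `<` would have caught this, and is worth adding alongside the fix.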
2 changes: 1 addition & 1 deletion models/DataObject/ClassDefinition/Data/QuantityValue.php
Expand Up @@ -383,7 +383,7 @@ public function getVersionPreview($data, $object = null, $params = [])
}
}

return $data->getValue() . $unit;
return htmlspecialchars($data->getValue() . $unit);
}

return '';
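Review bot: `htmlspecialchars($data->getValue() . $unit)` uses the default flags, which before PHP 8.1 leave single quotes unescaped, so the result is only safe in text and double-quoted attribute contexts; `return htmlspecialchars($data->getValue() . $unit, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');` makes the escaping explicit and identical across PHP versions. getVersionPreview begins above this hunk, so how `$unit` is built cannot be judged here, but escaping the concatenated string covers both the value and the unit label. Consider a brief comment above the return, e.g. `// escaped for the HTML version preview; the unit label is user-configured and must not be trusted either`, so the next reader does not drop the call as redundant.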
2 changes: 1 addition & 1 deletion models/DataObject/ClassDefinition/Data/Select.php
Expand Up @@ -308,7 +308,7 @@ public function getDataFromEditmode($data, $object = null, $params = [])
*/
public function getVersionPreview($data, $object = null, $params = [])
{
return $data;
return htmlspecialchars($data);
}

/**
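Review bot: `return htmlspecialchars($data);` changes the return for an empty selection: where the old code passed `$data` through unchanged, a null value (presumably what an unselected field stores — verify) now yields `''` and, on PHP 8.1+, a "passing null to parameter of type string" deprecation. `return htmlspecialchars((string) $data, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');` makes the cast deliberate and also escapes single quotes, which the default flags on PHP < 8.1 do not. The docblock closing at the top of the hunk should state that the return value is HTML-escaped, so callers that encode the preview again client-side know they would double-encode.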

