Fix XSS in Conditions tab of Pricing Rules (#14963)

* Fix error when the date field is null * Fix xss in date field in pricing-ecommerce * Fix date input
pimcore · Apr 19, 2023 · a449155 · a449155
1 parent 7a79939
commit a449155
Show file tree

Hide file tree

Showing 2 changed files with 23 additions and 9 deletions.
diff --git a/bundles/EcommerceFrameworkBundle/PricingManager/Condition/DateRange.php b/bundles/EcommerceFrameworkBundle/PricingManager/Condition/DateRange.php
@@ -92,8 +92,8 @@ public function toJSON()
     {
         return json_encode([
             'type' => 'DateRange',
-            'starting' => $this->getStarting()->format('d.m.Y'),
-            'ending' => $this->getEnding()->format('d.m.Y'),
+            'starting' => $this->getStarting()?->format('d.m.Y'),
+            'ending' => $this->getEnding()?->format('d.m.Y'),
         ]);
     }
 
@@ -107,13 +107,17 @@ public function fromJSON($string)
         $json = json_decode($string);
 
         $starting = \DateTime::createFromFormat('d.m.Y', $json->starting, new DateTimeZone('UTC'));
-        $starting->setTime(0, 0, 0);
-
+        if($starting instanceof \DateTime) {
+            $starting->setTime(0, 0, 0);
+            $this->setStarting($starting);
+        }
         $ending = \DateTime::createFromFormat('d.m.Y', $json->ending, new DateTimeZone('UTC'));
-        $ending->setTime(23, 59, 59);
 
-        $this->setStarting($starting);
-        $this->setEnding($ending);
+        if($ending instanceof \DateTime) {
+            $ending->setTime(23, 59, 59);
+            $this->setEnding($ending);
+        }
+
 
         return $this;
     }

diff --git a/bundles/EcommerceFrameworkBundle/Resources/public/js/pricing/config/item.js b/bundles/EcommerceFrameworkBundle/Resources/public/js/pricing/config/item.js
@@ -706,15 +706,25 @@ pimcore.bundle.EcommerceFramework.pricing.conditions = {
                 format: 'd.m.Y',
                 altFormats: 'U',
                 value: data.starting,
-                width: 400
+                width: 400,
+                onChange: function (value) {
+                    if (Ext.String.hasHtmlCharacters(value)) {
+                        this.setValue(null);
+                    }
+                },
             },{
                 xtype:'datefield',
                 fieldLabel: t("to"),
                 name: "ending",
                 format: 'd.m.Y',
                 altFormats: 'U',
                 value: data.ending,
-                width: 400
+                width: 400,
+                onChange: function (value) {
+                    if (Ext.String.hasHtmlCharacters(value)) {
+                        this.setValue(null);
+                    }
+                },
             }],
             listeners: {