[Security] Stored cross site scripting vulnerability in Save grid option in pimcore dashboard (#14955)

* Fix: XSS in grid

* Fix: use convertHtmlSpecialChars

* Fix: duplicate convert
robertSt7 committed Apr 24, 2023
1 parent 6946f8a commit aa38319
Showing 3 changed files with 15 additions and 9 deletions.
Expand Up @@ -346,14 +346,14 @@ public function doGetGridColumnConfig(Request $request, Config $config, $isDelet
$gridConfigId = $savedGridConfig->getId();
$gridConfig = $savedGridConfig->getConfig();
$gridConfig = json_decode($gridConfig, true);
$gridConfigName = $savedGridConfig->getName();
$gridConfigName = SecurityHelper::convertHtmlSpecialChars($savedGridConfig->getName());
$owner = $savedGridConfig->getOwnerId();
$ownerObject = User::getById($owner);
if ($ownerObject instanceof User) {
$owner = $ownerObject->getName();
}
$modificationDate = $savedGridConfig->getModificationDate();
$gridConfigDescription = $savedGridConfig->getDescription();
$gridConfigDescription = SecurityHelper::convertHtmlSpecialChars($savedGridConfig->getDescription());
$sharedGlobally = $savedGridConfig->isShareGlobally();
$setAsFavourite = $savedGridConfig->isSetAsFavourite();

Expand Down Expand Up @@ -951,8 +951,8 @@ public function gridSaveColumnConfigAction(Request $request)
}

if ($metadata) {
$gridConfig->setName($metadata['gridConfigName']);
$gridConfig->setDescription($metadata['gridConfigDescription']);
$gridConfig->setName(SecurityHelper::convertHtmlSpecialChars($metadata['gridConfigName']));
$gridConfig->setDescription(SecurityHelper::convertHtmlSpecialChars($metadata['gridConfigDescription']));
$gridConfig->setShareGlobally($metadata['shareGlobally'] && $this->getAdminUser()->isAdmin());
$gridConfig->setSetAsFavourite($metadata['setAsFavourite'] && $this->getAdminUser()->isAdmin());
}
Expand All @@ -968,8 +968,8 @@ public function gridSaveColumnConfigAction(Request $request)

$settings = $this->getShareSettings($gridConfig->getId());
$settings['gridConfigId'] = (int)$gridConfig->getId();
$settings['gridConfigName'] = $gridConfig->getName();
$settings['gridConfigDescription'] = $gridConfig->getDescription();
$settings['gridConfigName'] = SecurityHelper::convertHtmlSpecialChars($gridConfig->getName());
$settings['gridConfigDescription'] = SecurityHelper::convertHtmlSpecialChars($gridConfig->getDescription());
$settings['shareGlobally'] = $gridConfig->isShareGlobally();
$settings['setAsFavourite'] = $gridConfig->isSetAsFavourite();
$settings['isShared'] = $gridConfig->getOwnerId() != $this->getAdminUser()->getId() && !$this->getAdminUser()->isAdmin();
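Review bot: The name and description are now HTML-encoded on the way in (the setName/setDescription calls in gridSaveColumnConfigAction) and again on every read (the getName/getDescription reads in doGetGridColumnConfig and the $settings array at the end of gridSaveColumnConfigAction), so a stored `&lt;` comes back as `&amp;lt;` unless convertHtmlSpecialChars disables double encoding, which the helper's signature shown in this commit does not reveal; the client in gridColumnConfig.js then passes the same string through Ext.util.Format.htmlEncode once more, and the new htmlEncodeTextField change listener presumably encodes what the user typed before it is even submitted. Escaping belongs at one boundary: keep raw text in storage and escape at render, which the JS list rendering already does, or if server-side encoding is the intended contract, make the helper idempotent with `htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8', double_encode: false)` and drop the duplicate calls so previously saved configurations are not shown with visible entities. In the first hunk `$owner = $ownerObject->getName();` is still returned unencoded while the adjacent fields are encoded; if the owner name is rendered into the same markup it needs the same treatment. Both enclosing methods start and end outside the hunks.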
Expand Up @@ -24,7 +24,10 @@ pimcore.element.helpers.gridColumnConfig = {
fieldLabel: t('name'),
length: 50,
allowBlank: false,
value: this.settings.gridConfigName ? this.settings.gridConfigName : defaultName
value: this.settings.gridConfigName ? this.settings.gridConfigName : defaultName,
listeners: {
change: pimcore.helpers.htmlEncodeTextField
}
});

var descriptionField = new Ext.form.TextArea({
Expand Down Expand Up @@ -126,9 +129,9 @@ pimcore.element.helpers.gridColumnConfig = {
for (var i = 0; i < list.length; i++) {
var disabled = false;
var config = list[i];
var text = config["name"];
let text = `<span>${Ext.util.Format.htmlEncode(config["name"])}</span>`;
if (config.id == this.settings.gridConfigId) {
text = this.settings.gridConfigName;
text = Ext.util.Format.htmlEncode(this.settings.gridConfigName);
if (!onlyConfigs) {
text = "<b>" + text + "</b>";
disabled = true;
3 changes: 3 additions & 0 deletions lib/Security/SecurityHelper.php
Expand Up @@ -15,6 +15,9 @@

namespace Pimcore\Security;

/**
* @internal
*/
class SecurityHelper
{
public static function convertHtmlSpecialChars(?string $text): ?string

0 comments on commit aa38319
