diff --git a/bundles/AdminBundle/Controller/Admin/DataObject/DataObjectHelperController.php b/bundles/AdminBundle/Controller/Admin/DataObject/DataObjectHelperController.php
index 6a3ba048b1f..7089b28d532 100644
--- a/bundles/AdminBundle/Controller/Admin/DataObject/DataObjectHelperController.php
+++ b/bundles/AdminBundle/Controller/Admin/DataObject/DataObjectHelperController.php
@@ -346,14 +346,14 @@ public function doGetGridColumnConfig(Request $request, Config $config, $isDelet
$gridConfigId = $savedGridConfig->getId();
$gridConfig = $savedGridConfig->getConfig();
$gridConfig = json_decode($gridConfig, true);
- $gridConfigName = $savedGridConfig->getName();
+ $gridConfigName = SecurityHelper::convertHtmlSpecialChars($savedGridConfig->getName());
$owner = $savedGridConfig->getOwnerId();
$ownerObject = User::getById($owner);
if ($ownerObject instanceof User) {
$owner = $ownerObject->getName();
}
$modificationDate = $savedGridConfig->getModificationDate();
- $gridConfigDescription = $savedGridConfig->getDescription();
+ $gridConfigDescription = SecurityHelper::convertHtmlSpecialChars($savedGridConfig->getDescription());
$sharedGlobally = $savedGridConfig->isShareGlobally();
$setAsFavourite = $savedGridConfig->isSetAsFavourite();
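Review bot: The name and description are now HTML-encoded when read back here and again when persisted in gridSaveColumnConfigAction (the hunks at lines 951 and 968), so a value stored as `&amp;` comes back as `&amp;amp;` unless SecurityHelper::convertHtmlSpecialChars is idempotent; its body is not in this diff, and if it wraps htmlspecialchars it would need `double_encode: false` for that to hold. Encoding at the persistence boundary also changes what every other reader of getName()/getDescription() sees, so exports, APIs or logs that are not HTML contexts would carry entities. The safer shape is to store the raw value and escape once at the output edge: keep the conversion on these two lines and in the line-968 hunk, and drop it from the setName()/setDescription() calls in the line-951 hunk. The JS side of this commit (gridColumnConfig.js, the hunk at line 129) encodes settings.gridConfigName a further time, which compounds the same problem. The enclosing doGetGridColumnConfig method starts and ends outside the hunk.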
@@ -951,8 +951,8 @@ public function gridSaveColumnConfigAction(Request $request)
}
if ($metadata) {
- $gridConfig->setName($metadata['gridConfigName']);
- $gridConfig->setDescription($metadata['gridConfigDescription']);
+ $gridConfig->setName(SecurityHelper::convertHtmlSpecialChars($metadata['gridConfigName']));
+ $gridConfig->setDescription(SecurityHelper::convertHtmlSpecialChars($metadata['gridConfigDescription']));
$gridConfig->setShareGlobally($metadata['shareGlobally'] && $this->getAdminUser()->isAdmin());
$gridConfig->setSetAsFavourite($metadata['setAsFavourite'] && $this->getAdminUser()->isAdmin());
}
@@ -968,8 +968,8 @@ public function gridSaveColumnConfigAction(Request $request)
$settings = $this->getShareSettings($gridConfig->getId());
$settings['gridConfigId'] = (int)$gridConfig->getId();
- $settings['gridConfigName'] = $gridConfig->getName();
- $settings['gridConfigDescription'] = $gridConfig->getDescription();
+ $settings['gridConfigName'] = SecurityHelper::convertHtmlSpecialChars($gridConfig->getName());
+ $settings['gridConfigDescription'] = SecurityHelper::convertHtmlSpecialChars($gridConfig->getDescription());
$settings['shareGlobally'] = $gridConfig->isShareGlobally();
$settings['setAsFavourite'] = $gridConfig->isSetAsFavourite();
$settings['isShared'] = $gridConfig->getOwnerId() != $this->getAdminUser()->getId() && !$this->getAdminUser()->isAdmin();
diff --git a/bundles/AdminBundle/Resources/public/js/pimcore/element/helpers/gridColumnConfig.js b/bundles/AdminBundle/Resources/public/js/pimcore/element/helpers/gridColumnConfig.js
index 86a8603a0ec..d2ca9d2f56a 100644
--- a/bundles/AdminBundle/Resources/public/js/pimcore/element/helpers/gridColumnConfig.js
+++ b/bundles/AdminBundle/Resources/public/js/pimcore/element/helpers/gridColumnConfig.js
@@ -24,7 +24,10 @@ pimcore.element.helpers.gridColumnConfig = {
fieldLabel: t('name'),
length: 50,
allowBlank: false,
- value: this.settings.gridConfigName ? this.settings.gridConfigName : defaultName
+ value: this.settings.gridConfigName ? this.settings.gridConfigName : defaultName,
+ listeners: {
+ change: pimcore.helpers.htmlEncodeTextField
+ }
});
var descriptionField = new Ext.form.TextArea({
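Review bot: Only nameField receives the htmlEncodeTextField change listener; descriptionField, declared on the last line of the hunk, gets no equivalent even though the PHP side of this commit escapes name and description symmetrically, so the client-side handling is inconsistent. A `change` listener that rewrites the field's own value will presumably fire again on that rewrite, so unless pimcore.helpers.htmlEncodeTextField decodes before encoding (its body is not in this diff) a typed `&` can end up as `&amp;amp;`. Since the server already applies convertHtmlSpecialChars on save, either the listener is redundant or it should be added to descriptionField as well, e.g. `listeners: { change: pimcore.helpers.htmlEncodeTextField }` on the TextArea. The enclosing object literal continues outside the hunk.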
@@ -126,9 +129,9 @@ pimcore.element.helpers.gridColumnConfig = {
for (var i = 0; i < list.length; i++) {
var disabled = false;
var config = list[i];
- var text = config["name"];
+ let text = `${Ext.util.Format.htmlEncode(config["name"])}`;
if (config.id == this.settings.gridConfigId) {
- text = this.settings.gridConfigName;
+ text = Ext.util.Format.htmlEncode(this.settings.gridConfigName);
if (!onlyConfigs) {
text = "" + text + "";
disabled = true;
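Review bot: The template literal around the htmlEncode call on the `let text = ...` line is a no-op wrapper on a value that is already a string; `let text = Ext.util.Format.htmlEncode(config["name"]);` is equivalent and avoids mixing `let` into a loop that otherwise uses `var`. The second assignment encodes this.settings.gridConfigName, which the PHP side of this commit (gridSaveColumnConfigAction, line 968 hunk) already returns encoded, so the current-config entry would presumably render with entities such as `&amp;amp;` while the other entries built from `config["name"]` render once-encoded; both paths should be escaped the same number of times, which means encoding on exactly one side. The enclosing function starts and ends outside the hunk.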
diff --git a/lib/Security/SecurityHelper.php b/lib/Security/SecurityHelper.php
index 4ba989380af..bc1f9f537c4 100644
--- a/lib/Security/SecurityHelper.php
+++ b/lib/Security/SecurityHelper.php
@@ -15,6 +15,9 @@
namespace Pimcore\Security;
+/**
+ * @internal
+ */
class SecurityHelper
{
public static function convertHtmlSpecialChars(?string $text): ?string