Fix name field in custom reports (#15007)

pimcore · Apr 25, 2023 · c36ef54 · c36ef54
1 parent b159e54
commit c36ef54
Show file tree

Hide file tree

Showing 2 changed files with 15 additions and 2 deletions.
diff --git a/bundles/AdminBundle/Controller/Reports/CustomReportController.php b/bundles/AdminBundle/Controller/Reports/CustomReportController.php
@@ -76,6 +76,8 @@ public function addAction(Request $request)
 
         $success = false;
 
+        $this->isValidConfigName($request->get('name'));
+
         $report = CustomReport\Config::getByName($request->get('name'));
 
         if (!$report) {
@@ -129,6 +131,7 @@ public function cloneAction(Request $request)
         $this->checkPermission('reports_config');
 
         $newName = $request->get('newName');
+        $this->isValidConfigName($newName);
         $report = CustomReport\Config::getByName($newName);
         if ($report) {
             throw new \Exception('report already exists');
@@ -187,7 +190,7 @@ public function getAction(Request $request)
     public function updateAction(Request $request)
     {
         $this->checkPermission('reports_config');
-
+        $this->isValidConfigName($request->get('name'));
         $report = CustomReport\Config::getByName($request->get('name'));
         if (!$report) {
             throw $this->createNotFoundException();
@@ -519,4 +522,13 @@ public function downloadCsvAction(Request $request)
 
         throw new FileNotFoundException("File \"$exportFile\" not found!");
     }
+
+    /**
+     * @throws \Exception
+     */
+    public function isValidConfigName(string $configName) {
+        if(!preg_match('/^[a-zA-Z0-9_\-]+$/', $configName)) {
+            throw new \Exception('The customer report name is invalid');
+        }
+    }
 }
diff --git a/bundles/AdminBundle/Resources/public/js/pimcore/report/custom/panel.js b/bundles/AdminBundle/Resources/public/js/pimcore/report/custom/panel.js
@@ -206,7 +206,8 @@ pimcore.report.custom.panel = Class.create({
     },
 
     deleteField: function (tree, record) {
-        Ext.Msg.confirm(t('delete'), sprintf(t('delete_message_advanced'), t('portlet_customreport'), record.data.text), function (btn) {
+        const decodedName = Ext.util.Format.htmlDecode(record.data.text);
+        Ext.Msg.confirm(t('delete'), sprintf(t('delete_message_advanced'), t('portlet_customreport'), Ext.util.Format.htmlEncode(decodedName)), function (btn) {
             if (btn == 'yes') {
                 Ext.Ajax.request({
                     url: Routing.generate('pimcore_admin_reports_customreport_delete'),