From c36ef54ce33f7b5e74b7b0ab9eabfed47c018fc7 Mon Sep 17 00:00:00 2001
From: aryaantony92 <97134765+aryaantony92@users.noreply.github.com>
Date: Tue, 25 Apr 2023 11:11:18 +0200
Subject: [PATCH] Fix name field in custom reports (#15007)
---
 .../Controller/Reports/CustomReportController.php | 14 +++++++++++++-
 .../public/js/pimcore/report/custom/panel.js | 3 ++-
 2 files changed, 15 insertions(+), 2 deletions(-)
diff --git a/bundles/AdminBundle/Controller/Reports/CustomReportController.php b/bundles/AdminBundle/Controller/Reports/CustomReportController.php
index eed9c33340a..da2e4d16084 100644
--- a/bundles/AdminBundle/Controller/Reports/CustomReportController.php
+++ b/bundles/AdminBundle/Controller/Reports/CustomReportController.php
@@ -76,6 +76,8 @@ public function addAction(Request $request)
         $success = false;
+        $this->isValidConfigName($request->get('name'));
+
         $report = CustomReport\Config::getByName($request->get('name'));
         if (!$report) {
@@ -129,6 +131,7 @@ public function cloneAction(Request $request)
         $this->checkPermission('reports_config');
         $newName = $request->get('newName');
+        $this->isValidConfigName($newName);
         $report = CustomReport\Config::getByName($newName);
         if ($report) {
             throw new \Exception('report already exists');
@@ -187,7 +190,7 @@ public function getAction(Request $request)
     public function updateAction(Request $request)
     {
         $this->checkPermission('reports_config');
-
+        $this->isValidConfigName($request->get('name'));
         $report = CustomReport\Config::getByName($request->get('name'));
         if (!$report) {
             throw $this->createNotFoundException();
@@ -519,4 +522,13 @@ public function downloadCsvAction(Request $request)
             throw new FileNotFoundException("File \"$exportFile\" not found!");
         }
     }
+
+    /**
+     * @throws \Exception
+     */
+    public function isValidConfigName(string $configName) {
+        if(!preg_match('/^[a-zA-Z0-9_\-]+$/', $configName)) {
+            throw new \Exception('The customer report name is invalid');
+        }
+    }
 }
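Review bot: The added call in addAction hands `$request->get('name')` straight to `isValidConfigName(string $configName)`, so a request with the parameter missing (null) or sent as an array fails with a TypeError from the parameter type rather than with the intended "name is invalid" exception; the `$newName` call in the cloneAction hunk and the call in the updateAction hunk have the same gap. Guarding once inside the helper keeps all three call sites as they are, e.g. `if (!is_string($configName) || !preg_match('/^[a-zA-Z0-9_\-]+$/', $configName)) {` with the parameter type widened to match (`mixed` if the project's PHP floor allows it, otherwise left untyped). The bodies of addAction, cloneAction and updateAction continue outside their hunks, so whatever the controller does with the exception afterwards is not visible here.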
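Review bot: `isValidConfigName` is declared `public` with no return type on a controller even though it is an internal guard and not an action; it should read `private function isValidConfigName(string $configName): void` with the opening brace on its own line and a space after `if`, matching the `updateAction` signature and brace placement visible in the third hunk. The exception text has a typo, `throw new \Exception('The custom report name is invalid');` ("customer" → "custom"). The allowlist regex is the right shape for a value that is then passed to `CustomReport\Config::getByName`, and because `preg_match` returning false on an engine error still reaches the throw, the check fails closed; the docblock could state what is rejected, e.g. `* @throws \Exception when the name contains anything other than ASCII letters, digits, underscore or hyphen`.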
diff --git a/bundles/AdminBundle/Resources/public/js/pimcore/report/custom/panel.js b/bundles/AdminBundle/Resources/public/js/pimcore/report/custom/panel.js
index e765fb63209..351ede59c9d 100644
--- a/bundles/AdminBundle/Resources/public/js/pimcore/report/custom/panel.js
+++ b/bundles/AdminBundle/Resources/public/js/pimcore/report/custom/panel.js
@@ -206,7 +206,8 @@ pimcore.report.custom.panel = Class.create({
     },
     deleteField: function (tree, record) {
-        Ext.Msg.confirm(t('delete'), sprintf(t('delete_message_advanced'), t('portlet_customreport'), record.data.text), function (btn) {
+        const decodedName = Ext.util.Format.htmlDecode(record.data.text);
+        Ext.Msg.confirm(t('delete'), sprintf(t('delete_message_advanced'), t('portlet_customreport'), Ext.util.Format.htmlEncode(decodedName)), function (btn) {
             if (btn == 'yes') {
                 Ext.Ajax.request({
                     url: Routing.generate('pimcore_admin_reports_customreport_delete'),
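Review bot: The decode-then-encode pair on `record.data.text` carries no comment explaining why a single `htmlEncode` is not enough, and the next reader is likely to collapse it back. If `record.data.text` can already arrive HTML-encoded (which the decode step implies but the hunk does not show), a note above the `const` line such as `// record.data.text may already be HTML-encoded; normalise first so the confirm text is escaped exactly once` would preserve the intent, and encoding before the name is interpolated into the `Ext.Msg.confirm` message is what keeps a report name from being rendered as markup in the dialog. `deleteField` continues past the hunk; the delete request built there should keep sending the raw name rather than the encoded display string, if it does not already.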