From d5c3e876d910784000335061c3bd24d301351245 Mon Sep 17 00:00:00 2001
From: dpahuja <divesh.pahuja@pimcore.com>
Date: Mon, 20 Dec 2021 13:50:00 +0100
Subject: [PATCH] [Classification Store] Properly escape values on grids &
 titles

---
 .../DataObject/ClassificationstoreController.php   |  6 +++---
 .../public/js/pimcore/helpers/generic-grid.js      |  2 +-
 .../object/classificationstore/collectionsPanel.js | 14 +++++++++-----
 .../object/classificationstore/groupsPanel.js      | 14 +++++++++-----
 .../object/classificationstore/propertiesPanel.js  | 11 +++++++----
 .../object/classificationstore/storeTree.js        |  4 ++--
 6 files changed, 31 insertions(+), 20 deletions(-)

diff --git a/bundles/AdminBundle/Controller/Admin/DataObject/ClassificationstoreController.php b/bundles/AdminBundle/Controller/Admin/DataObject/ClassificationstoreController.php
index e14b9d72a58..1f536f3a9d7 100644
--- a/bundles/AdminBundle/Controller/Admin/DataObject/ClassificationstoreController.php
+++ b/bundles/AdminBundle/Controller/Admin/DataObject/ClassificationstoreController.php
@@ -1476,11 +1476,11 @@ public function storetreeAction(Request $request)
         foreach ($list as $item) {
             $resultItem = [
                 'id' => $item->getId(),
-                'text' => $item->getName(),
+                'text' => htmlspecialchars($item->getName(), ENT_QUOTES),
                 'expandable' => false,
                 'leaf' => true,
                 'expanded' => true,
-                'description' => $item->getDescription(),
+                'description' => htmlspecialchars($item->getDescription(), ENT_QUOTES),
                 'iconCls' => 'pimcore_icon_classificationstore',
             ];
 
@@ -1488,7 +1488,7 @@ public function storetreeAction(Request $request)
 
             if ($item->getDescription()) {
             }
-            $resultItem['qtip'] = $item->getDescription() ? $item->getDescription() : ' ';
+            $resultItem['qtip'] = $item->getDescription() ? htmlspecialchars($item->getDescription(), ENT_QUOTES) : ' ';
             $result[] = $resultItem;
         }
 
diff --git a/bundles/AdminBundle/Resources/public/js/pimcore/helpers/generic-grid.js b/bundles/AdminBundle/Resources/public/js/pimcore/helpers/generic-grid.js
index ac4d60f5669..a237def5f9b 100644
--- a/bundles/AdminBundle/Resources/public/js/pimcore/helpers/generic-grid.js
+++ b/bundles/AdminBundle/Resources/public/js/pimcore/helpers/generic-grid.js
@@ -138,5 +138,5 @@ pimcore.helpers.grid.buildDefaultPagingToolbar = function (store, options) {
 };
 
 pimcore.helpers.grid.getTranslationColumnRenderer = function (value, metaData, record, rowIndex, colIndex, store) {
-    return t(value);
+    return Ext.util.Format.htmlEncode(t(value));
 };
diff --git a/bundles/AdminBundle/Resources/public/js/pimcore/object/classificationstore/collectionsPanel.js b/bundles/AdminBundle/Resources/public/js/pimcore/object/classificationstore/collectionsPanel.js
index a31c90d4ce6..390f56a2e0e 100644
--- a/bundles/AdminBundle/Resources/public/js/pimcore/object/classificationstore/collectionsPanel.js
+++ b/bundles/AdminBundle/Resources/public/js/pimcore/object/classificationstore/collectionsPanel.js
@@ -116,8 +116,10 @@ pimcore.object.classificationstore.collectionsPanel = Class.create({
         });
 
         gridColumns.push({text: t("group_id"), flex: 60, sortable: true, dataIndex: 'groupId', filter: 'string'});
-        gridColumns.push({text: t("name"), flex: 200, sortable: true, dataIndex: 'groupName', filter: 'string'});
-        gridColumns.push({text: t("description"), flex: 200, sortable: true, dataIndex: 'groupDescription', filter: 'string'});
+        gridColumns.push({text: t("name"), flex: 200, sortable: true, dataIndex: 'groupName', filter: 'string',
+            renderer: Ext.util.Format.htmlEncode});
+        gridColumns.push({text: t("description"), flex: 200, sortable: true, dataIndex: 'groupDescription', filter: 'string',
+            renderer: Ext.util.Format.htmlEncode});
 
         gridColumns.push({text: t('sorter'), width: 150, sortable: true, dataIndex: 'sorter',
             tooltip: t("classificationstore_tooltip_sorter"),
@@ -264,8 +266,10 @@ pimcore.object.classificationstore.collectionsPanel = Class.create({
 
         //gridColumns.push({text: t("store"), flex: 60, sortable: true, dataIndex: 'storeId', filter: 'string'});
         gridColumns.push({text: "ID", flex: 60, sortable: true, dataIndex: 'id', filter: 'string'});
-        gridColumns.push({text: t("name"), flex: 200, sortable: true, dataIndex: 'name', editor: new Ext.form.TextField({}), filter: 'string'});
-        gridColumns.push({text: t("description"), flex: 300, sortable: true, dataIndex: 'description', editor: new Ext.form.TextField({}), filter: 'string'});
+        gridColumns.push({text: t("name"), flex: 200, sortable: true, dataIndex: 'name', editor: new Ext.form.TextField({}), filter: 'string',
+            renderer: Ext.util.Format.htmlEncode});
+        gridColumns.push({text: t("description"), flex: 300, sortable: true, dataIndex: 'description', editor: new Ext.form.TextField({}), filter: 'string',
+            renderer: Ext.util.Format.htmlEncode});
 
         var dateRenderer =  function(d) {
             if (d !== undefined) {
@@ -359,7 +363,7 @@ pimcore.object.classificationstore.collectionsPanel = Class.create({
                     if (selected.length > 0) {
                         var record = selected[0];
                         var collectionId = record.data.id;
-                        var collectionName = record.data.name;
+                        var collectionName = Ext.util.Format.htmlEncode(record.data.name);
 
                         this.collectionId = collectionId;
 
diff --git a/bundles/AdminBundle/Resources/public/js/pimcore/object/classificationstore/groupsPanel.js b/bundles/AdminBundle/Resources/public/js/pimcore/object/classificationstore/groupsPanel.js
index f8551e53b6e..77b715c8b24 100644
--- a/bundles/AdminBundle/Resources/public/js/pimcore/object/classificationstore/groupsPanel.js
+++ b/bundles/AdminBundle/Resources/public/js/pimcore/object/classificationstore/groupsPanel.js
@@ -119,8 +119,10 @@ pimcore.object.classificationstore.groupsPanel = Class.create({
 
 
         gridColumns.push({text: t("key_id"), flex: 60, sortable: true, dataIndex: 'keyId', filter: 'string'});
-        gridColumns.push({text: t("name"), flex: 200, sortable: true, dataIndex: 'keyName', filter: 'string'});
-        gridColumns.push({text: t("description"), flex: 200, sortable: true, dataIndex: 'keyDescription', filter: 'string'});
+        gridColumns.push({text: t("name"), flex: 200, sortable: true, dataIndex: 'keyName', filter: 'string',
+            renderer: Ext.util.Format.htmlEncode});
+        gridColumns.push({text: t("description"), flex: 200, sortable: true, dataIndex: 'keyDescription', filter: 'string',
+            renderer: Ext.util.Format.htmlEncode});
 
         gridColumns.push(mandatoryCheck);
         gridColumns.push({text: t('sorter'), width: 150, sortable: true, dataIndex: 'sorter',
@@ -269,8 +271,10 @@ pimcore.object.classificationstore.groupsPanel = Class.create({
         //gridColumns.push({text: t("store"), width: 60, sortable: true, dataIndex: 'storeId', filter: 'string'});
         gridColumns.push({text: "ID", width: 60, sortable: true, dataIndex: 'id', filter: 'string'});
         gridColumns.push({text: t("parent_id"), width: 160, sortable: true, dataIndex: 'parentId', hidden: true, editor: new Ext.form.TextField({})});
-        gridColumns.push({text: t("name"), flex: 200, sortable: true, dataIndex: 'name', editor: new Ext.form.TextField({}), filter: 'string'});
-        gridColumns.push({text: t("description"), flex: 300, sortable: true, dataIndex: 'description', editor: new Ext.form.TextField({}), filter: 'string'});
+        gridColumns.push({text: t("name"), flex: 200, sortable: true, dataIndex: 'name', editor: new Ext.form.TextField({}), filter: 'string',
+            renderer: Ext.util.Format.htmlEncode});
+        gridColumns.push({text: t("description"), flex: 300, sortable: true, dataIndex: 'description', editor: new Ext.form.TextField({}), filter: 'string',
+            renderer: Ext.util.Format.htmlEncode});
 
         var dateRenderer =  function(d) {
             if (d !== undefined) {
@@ -365,7 +369,7 @@ pimcore.object.classificationstore.groupsPanel = Class.create({
                     if (selected.length > 0) {
                         var record = selected[0];
                         var groupId = record.data.id;
-                        var groupName = record.data.name;
+                        var groupName = Ext.util.Format.htmlEncode(record.data.name);
 
                         this.groupId = groupId;
 
diff --git a/bundles/AdminBundle/Resources/public/js/pimcore/object/classificationstore/propertiesPanel.js b/bundles/AdminBundle/Resources/public/js/pimcore/object/classificationstore/propertiesPanel.js
index 5bbd3b4038f..9f4242b9f2b 100644
--- a/bundles/AdminBundle/Resources/public/js/pimcore/object/classificationstore/propertiesPanel.js
+++ b/bundles/AdminBundle/Resources/public/js/pimcore/object/classificationstore/propertiesPanel.js
@@ -125,13 +125,16 @@ pimcore.object.classificationstore.propertiespanel = Class.create({
                 sortable: true,
                 dataIndex: 'name',
                 filter: 'string',
-                editor: new Ext.form.TextField({})
+                editor: new Ext.form.TextField({}),
+                renderer: Ext.util.Format.htmlEncode
             }
 
         );
 
-        gridColumns.push({text: t("title"), width: 200, sortable: false, dataIndex: 'title',editor: new Ext.form.TextField({}), filter: 'string'});
-        gridColumns.push({text: t("description"), width: 300, sortable: true, dataIndex: 'description',editor: new Ext.form.TextField({}), filter: 'string'});
+        gridColumns.push({text: t("title"), width: 200, sortable: false, dataIndex: 'title',editor: new Ext.form.TextField({}), filter: 'string',
+            renderer: Ext.util.Format.htmlEncode});
+        gridColumns.push({text: t("description"), width: 300, sortable: true, dataIndex: 'description',editor: new Ext.form.TextField({}), filter: 'string',
+            renderer: Ext.util.Format.htmlEncode});
         gridColumns.push({text: t("definition"), width: 300, sortable: true, hidden: true, dataIndex: 'definition',editor: new Ext.form.TextField({})});
         gridColumns.push({text: t("type"), width: 150, sortable: true, dataIndex: 'type', filter: 'string',
             editor: new Ext.form.ComboBox({
@@ -285,7 +288,7 @@ pimcore.object.classificationstore.propertiespanel = Class.create({
         var definition = data.data.definition;
         if (definition) {
             definition = Ext.util.JSON.decode(definition);
-            definition.name = data.data.name;
+            definition.name = Ext.util.Format.htmlEncode(data.data.name);
         } else {
             definition = {
                 name: data.data.name
diff --git a/bundles/AdminBundle/Resources/public/js/pimcore/object/classificationstore/storeTree.js b/bundles/AdminBundle/Resources/public/js/pimcore/object/classificationstore/storeTree.js
index 384a1081892..f64b6e7ebe8 100644
--- a/bundles/AdminBundle/Resources/public/js/pimcore/object/classificationstore/storeTree.js
+++ b/bundles/AdminBundle/Resources/public/js/pimcore/object/classificationstore/storeTree.js
@@ -166,8 +166,8 @@ pimcore.object.classificationstore.storeTree = Class.create({
                 "click": function() {
                     var data = {
                         id: record.data.id,
-                        name: record.data.text,
-                        description: record.data.description
+                        name: Ext.util.Format.htmlDecode(record.data.text),
+                        description: Ext.util.Format.htmlDecode(record.data.description)
                     }
                     var panel = new pimcore.object.classificationstore.storeConfiguration(data, this.applyConfig.bind(this));
                     panel.show();