From dfaf78b26fb77990267c0cc05b9fcb9f8de7b66d Mon Sep 17 00:00:00 2001
From: Bernhard Rusch
Date: Mon, 17 Jan 2022 15:30:56 +0100
Subject: [PATCH] [Ecommerce] Validate pricing rule names
---
 .../Controller/PricingController.php | 2 +-
 .../public/js/pricing/config/panel.js | 38 ++++++++++---------
 2 files changed, 22 insertions(+), 18 deletions(-)
diff --git a/bundles/EcommerceFrameworkBundle/Controller/PricingController.php b/bundles/EcommerceFrameworkBundle/Controller/PricingController.php
index 657e710dd10..ba9af6150c1 100644
--- a/bundles/EcommerceFrameworkBundle/Controller/PricingController.php
+++ b/bundles/EcommerceFrameworkBundle/Controller/PricingController.php
@@ -264,7 +264,7 @@ public function renameAction(Request $request)
         $ruleNewName = $request->get('name');
         try {
-            if ($ruleId && $ruleNewName) {
+            if ($ruleId && $ruleNewName && preg_match('/^[a-zA-Z0-9_\-]+$/', $ruleNewName)) {
                 $renameRule = Rule::getById($ruleId);
                 if ($renameRule->getName() != $ruleNewName) {
diff --git a/bundles/EcommerceFrameworkBundle/Resources/public/js/pricing/config/panel.js b/bundles/EcommerceFrameworkBundle/Resources/public/js/pricing/config/panel.js
index 68ce3de7a0a..a34e6eac54f 100644
--- a/bundles/EcommerceFrameworkBundle/Resources/public/js/pricing/config/panel.js
+++ b/bundles/EcommerceFrameworkBundle/Resources/public/js/pricing/config/panel.js
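Review bot: The `$` anchor in the added preg_match pattern also matches just before a trailing newline, so a submitted name such as "rule\n" passes the new check and reaches Rule::getById and the rename with the newline intact; anchoring with `\z` (or adding the `D` modifier) closes that gap: `if ($ruleId && $ruleNewName && preg_match('/^[a-zA-Z0-9_\-]+\z/', $ruleNewName)) {`. The check also assumes `$request->get('name')` is a string; if a client submits it as an array the truthiness test passes and preg_match then fails on a non-string subject, so a cheap `is_string($ruleNewName)` in the same condition would make the server-side gate self-contained. The identical character class is repeated in the panel.js hunk; a comment next to this one naming it as the authoritative rule-name charset (the client check is only a convenience) would help keep the two from drifting apart. renameAction continues outside the hunk, so what response a rejected name produces is not visible here; if it falls into the existing non-success path, the client presumably reports it as name_already_in_use, which would mislead the user.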
@@ -351,26 +351,30 @@ pimcore.bundle.EcommerceFramework.pricing.config.panel = Class.create({
             if (button == 'ok') {
-                let tree = options.tree;
+                if(value.match(/^[a-zA-Z0-9_\-]+$/)) {
+                    let tree = options.tree;
-                Ext.Ajax.request({
-                    url: Routing.generate('pimcore_ecommerceframework_pricing_rename'),
-                    method: 'PUT',
-                    params: {
-                        id: options.id,
-                        name: value
-                    },
-                    success: function (response, opts) {
+                    Ext.Ajax.request({
+                        url: Routing.generate('pimcore_ecommerceframework_pricing_rename'),
+                        method: 'PUT',
+                        params: {
+                            id: options.id,
+                            name: value
+                        },
+                        success: function (response, opts) {
-                        let responseData = Ext.decode(response.responseText);
+                            let responseData = Ext.decode(response.responseText);
-                        if (responseData.success) {
-                            this.refresh(this.tree.getRootNode());
-                        } else {
-                            Ext.MessageBox.alert(t('rename'), t('name_already_in_use'));
-                        }
-                    }.bind(this)
-                });
+                            if (responseData.success) {
+                                this.refresh(this.tree.getRootNode());
+                            } else {
+                                Ext.MessageBox.alert(t('rename'), t('name_already_in_use'));
+                            }
+                        }.bind(this)
+                    });
+                } else {
+                    Ext.Msg.alert(t('add_target'), t('problem_creating_new_target'));
+                }
             }
         },
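Review bot: The alert in the new else branch reuses target-related strings (`t('add_target')`, `t('problem_creating_new_target')`), so a user whose rule name was rejected is told about a problem creating a target instead of which characters a name may contain; a rename-specific message such as `Ext.MessageBox.alert(t('rename'), t('NEW_TRANSLATION_KEY'));` (NEW_TRANSLATION_KEY is a placeholder for a key to be added to the bundle's translations) would be clearer and also keeps the `Ext.MessageBox` spelling used a few lines above rather than mixing in `Ext.Msg`. The boolean check reads better as a regex test than as a match that returns an array or null: `if (/^[a-zA-Z0-9_\-]+$/.test(value)) {`. This pattern duplicates the one added in the PricingController.php hunk; a short comment beside it saying the server performs the authoritative check and that both patterns must stay identical would help, since a client-side check alone cannot be relied on. The prompt callback that encloses this code starts outside the hunk.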