[Custom Reports] Validate & escape CSS classes and names

pimcore · Jan 17, 2022 · dff1cb0 · dff1cb0
1 parent d8377fc
commit dff1cb0
Show file tree

Hide file tree

Showing 2 changed files with 25 additions and 7 deletions.
diff --git a/bundles/AdminBundle/Controller/Reports/CustomReportController.php b/bundles/AdminBundle/Controller/Reports/CustomReportController.php
@@ -289,13 +289,13 @@ public function getReportConfigAction(Request $request)
 
         foreach ($items as $report) {
             $reports[] = [
-                'name' => $report->getName(),
-                'niceName' => $report->getNiceName(),
-                'iconClass' => $report->getIconClass(),
-                'group' => $report->getGroup(),
-                'groupIconClass' => $report->getGroupIconClass(),
+                'name' => htmlspecialchars($report->getName()),
+                'niceName' => htmlspecialchars($report->getNiceName()),
+                'iconClass' => htmlspecialchars($report->getIconClass()),
+                'group' => htmlspecialchars($report->getGroup()),
+                'groupIconClass' => htmlspecialchars($report->getGroupIconClass()),
                 'menuShortcut' => $report->getMenuShortcut(),
-                'reportClass' => $report->getReportClass(),
+                'reportClass' => htmlspecialchars($report->getReportClass()),
             ];
         }
 

diff --git a/bundles/AdminBundle/Resources/public/js/pimcore/report/custom/item.js b/bundles/AdminBundle/Resources/public/js/pimcore/report/custom/item.js
@@ -894,7 +894,25 @@ pimcore.report.custom.item = Class.create({
 
     save: function () {
 
-        var m = this.getValues();
+        let m = this.getValues();
+        let error = false;
+
+        ['group', 'groupIconClass', 'iconClass', 'niceName', 'reportClass'].forEach(function (name) {
+            if(m[name].length && !m[name].match(/^[_a-zA-Z]+[_a-zA-Z0-9-\s]*$/)) {
+                error = name;
+            }
+        });
+
+        if(error !== false) {
+            Ext.Msg.show({
+                title: t("error"),
+                msg: t('class_field_name_error') + ': ' + error,
+                buttons: Ext.Msg.OK,
+                icon: Ext.MessageBox.ERROR
+            });
+
+            return;
+        }
 
         Ext.Ajax.request({
             url: Routing.generate('pimcore_admin_reports_customreport_update'),