From dff1cb0c466abcd55f1268934de3ed937b7436a7 Mon Sep 17 00:00:00 2001
From: Bernhard Rusch
Date: Mon, 17 Jan 2022 15:17:30 +0100
Subject: [PATCH] [Custom Reports] Validate & escape CSS classes and names

---
 .../Reports/CustomReportController.php | 12 +++++------
 .../public/js/pimcore/report/custom/item.js | 20 ++++++++++++++++++-
 2 files changed, 25 insertions(+), 7 deletions(-)

diff --git a/bundles/AdminBundle/Controller/Reports/CustomReportController.php b/bundles/AdminBundle/Controller/Reports/CustomReportController.php
index 1f820d845b9..d72c3d04dab 100644
--- a/bundles/AdminBundle/Controller/Reports/CustomReportController.php
+++ b/bundles/AdminBundle/Controller/Reports/CustomReportController.php
@@ -289,13 +289,13 @@ public function getReportConfigAction(Request $request)
         foreach ($items as $report) {
             $reports[] = [
-                'name' => $report->getName(),
-                'niceName' => $report->getNiceName(),
-                'iconClass' => $report->getIconClass(),
-                'group' => $report->getGroup(),
-                'groupIconClass' => $report->getGroupIconClass(),
+                'name' => htmlspecialchars($report->getName()),
+                'niceName' => htmlspecialchars($report->getNiceName()),
+                'iconClass' => htmlspecialchars($report->getIconClass()),
+                'group' => htmlspecialchars($report->getGroup()),
+                'groupIconClass' => htmlspecialchars($report->getGroupIconClass()),
                 'menuShortcut' => $report->getMenuShortcut(),
-                'reportClass' => $report->getReportClass(),
+                'reportClass' => htmlspecialchars($report->getReportClass()),
             ];
         }
diff --git a/bundles/AdminBundle/Resources/public/js/pimcore/report/custom/item.js b/bundles/AdminBundle/Resources/public/js/pimcore/report/custom/item.js
index 877db2a440b..52e6db1c45a 100644
--- a/bundles/AdminBundle/Resources/public/js/pimcore/report/custom/item.js
+++ b/bundles/AdminBundle/Resources/public/js/pimcore/report/custom/item.js
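Review bot: `htmlspecialchars()` is called with its default flags on the six added 'name' … 'reportClass' entries, and before PHP 8.1 that default is ENT_COMPAT, which leaves single quotes unescaped; if the admin UI interpolates these values into single-quoted attributes or JS string literals (not visible here), the escaping is incomplete on older runtimes. Passing the flags explicitly makes the result independent of the PHP version, e.g. `'name' => htmlspecialchars($report->getName(), ENT_QUOTES | ENT_SUBSTITUTE),` and the same for the other five keys. Because the escaped strings are also what the client receives as the report's `name`, a name containing `&` or `<` no longer round-trips as stored, so it is worth confirming that consumers use this field for display only and not as a lookup key. If any of the getters can return null (getGroup and getGroupIconClass look like candidates), `htmlspecialchars(null)` emits a deprecation on PHP 8.1; a `(string)` cast on the argument avoids that. getReportConfigAction begins before this hunk.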
@@ -894,7 +894,25 @@ pimcore.report.custom.item = Class.create({
     save: function () {
-        var m = this.getValues();
+        let m = this.getValues();
+        let error = false;
+
+        ['group', 'groupIconClass', 'iconClass', 'niceName', 'reportClass'].forEach(function (name) {
+            if(m[name].length && !m[name].match(/^[_a-zA-Z]+[_a-zA-Z0-9-\s]*$/)) {
+                error = name;
+            }
+        });
+
+        if(error !== false) {
+            Ext.Msg.show({
+                title: t("error"),
+                msg: t('class_field_name_error') + ': ' + error,
+                buttons: Ext.Msg.OK,
+                icon: Ext.MessageBox.ERROR
+            });
+
+            return;
+        }
 
         Ext.Ajax.request({
             url: Routing.generate('pimcore_admin_reports_customreport_update'),