fixed xss in quantity values (#14937)

pimcore · Apr 17, 2023 · e3562bf · e3562bf
1 parent 7821f65
commit e3562bf
Show file tree

Hide file tree

Showing 2 changed files with 17 additions and 11 deletions.
diff --git a/bundles/AdminBundle/Resources/public/js/pimcore/object/quantityvalue/unitsettings.js b/bundles/AdminBundle/Resources/public/js/pimcore/object/quantityvalue/unitsettings.js
@@ -77,7 +77,6 @@ pimcore.object.quantityValue.unitsettings = Class.create({
                     type: 'json',
                     rootProperty: 'data'
                 }
-
             },
             // disable client pagination, default: 25
             pageSize: 0,
@@ -106,9 +105,9 @@ pimcore.object.quantityValue.unitsettings = Class.create({
 
         var typesColumns = [
             {flex: 1, dataIndex: 'id', text: t("id"), filter: 'string'},
-            {flex: 1, dataIndex: 'abbreviation', text: t("abbreviation"), editor: new Ext.form.TextField({}), filter: 'string'},
-            {flex: 2, dataIndex: 'longname', text: t("longname"), editor: new Ext.form.TextField({}), filter: 'string'},
-            {flex: 1, dataIndex: 'group', text: t("group"), editor: new Ext.form.TextField({}), filter: 'string', hidden: true},
+            {flex: 1, dataIndex: 'abbreviation', text: t("abbreviation"), editor: new Ext.form.TextField({listeners: {change: this.sanitizeTextColumn}}), filter: 'string'},
+            {flex: 2, dataIndex: 'longname', text: t("longname"), editor: new Ext.form.TextField({listeners: {change: this.sanitizeTextColumn}}), filter: 'string'},
+            {flex: 1, dataIndex: 'group', text: t("group"), editor: new Ext.form.TextField({listeners: {change: this.sanitizeTextColumn}}), filter: 'string', hidden: true},
             {flex: 1, dataIndex: 'baseunit', text: t("baseunit"), editor: baseUnitEditor, renderer: function(value){
                 if(!value) {
                     return '('+t('empty')+')';
@@ -122,8 +121,8 @@ pimcore.object.quantityValue.unitsettings = Class.create({
             }},
             {flex: 1, dataIndex: 'factor', text: t("conversionFactor"), editor: new Ext.form.NumberField({decimalPrecision: 10}), filter: 'numeric'},
             {flex: 1, dataIndex: 'conversionOffset', text: t("conversionOffset"), editor: new Ext.form.NumberField({decimalPrecision: 10}), filter: 'numeric'},
-            {flex: 1, dataIndex: 'reference', text: t("reference"), editor: new Ext.form.TextField({}), hidden: true, filter: 'string'},
-            {flex: 1, dataIndex: 'converter', text: t("converter_service"), editor: new Ext.form.TextField({}), filter: 'string'}
+            {flex: 1, dataIndex: 'reference', text: t("reference"), editor: new Ext.form.TextField({listeners: {change: this.sanitizeTextColumn}}), hidden: true, filter: 'string'},
+            {flex: 1, dataIndex: 'converter', text: t("converter_service"), editor: new Ext.form.TextField({listeners: {change: this.sanitizeTextColumn}}), filter: 'string'}
         ];
 
         typesColumns.push({
@@ -280,5 +279,12 @@ pimcore.object.quantityValue.unitsettings = Class.create({
         }
         var rec = selections.getAt(0);
         this.grid.store.remove(rec);
+    },
+
+    sanitizeTextColumn: function (textField) {
+        if(textField.getValue()){
+            const sanitizedValue = textField.getValue().replace(/[<>"'!?/\\&%$();]/gi, '');
+            textField.setValue(sanitizedValue);
+        }
     }
 });
diff --git a/models/DataObject/QuantityValue/Unit.php b/models/DataObject/QuantityValue/Unit.php
@@ -209,7 +209,7 @@ public function __toString()
      */
     public function setAbbreviation($abbreviation)
     {
-        $this->abbreviation = $abbreviation;
+        $this->abbreviation = htmlspecialchars($abbreviation);
 
         return $this;
     }
@@ -276,7 +276,7 @@ public function getFactor()
      */
     public function setGroup($group)
     {
-        $this->group = $group;
+        $this->group = htmlspecialchars($group);
 
         return $this;
     }
@@ -316,7 +316,7 @@ public function getId()
      */
     public function setLongname($longname)
     {
-        $this->longname = $longname;
+        $this->longname = htmlspecialchars($longname);
 
         return $this;
     }
@@ -344,7 +344,7 @@ public function getReference()
      */
     public function setReference($reference)
     {
-        $this->reference = $reference;
+        $this->reference = htmlspecialchars($reference);
 
         return $this;
     }
@@ -384,7 +384,7 @@ public function getConverter()
      */
     public function setConverter($converter)
     {
-        $this->converter = (string)$converter;
+        $this->converter = htmlspecialchars((string)$converter);
 
         return $this;
     }