From f4050586136cb4c44e3d6042111a1b87b340df95 Mon Sep 17 00:00:00 2001
From: Christian F
Date: Tue, 14 Feb 2023 09:14:01 +0100
Subject: [PATCH] [Task] Improve check validity (#14301)
* set value to sanitized string if string doesn't match requirements
* sanitized string to improve validity check
* sanitized string to improve validity check
* added exception to validation
---
 .../Resources/public/js/pimcore/object/tags/urlSlug.js | 5 ++---
 bundles/CoreBundle/Resources/translations/en.json | 3 ++-
 models/DataObject/ClassDefinition/Data/UrlSlug.php | 7 ++++++-
 3 files changed, 10 insertions(+), 5 deletions(-)
diff --git a/bundles/AdminBundle/Resources/public/js/pimcore/object/tags/urlSlug.js b/bundles/AdminBundle/Resources/public/js/pimcore/object/tags/urlSlug.js
index d34216b5ab0..78965ffdc22 100644
--- a/bundles/AdminBundle/Resources/public/js/pimcore/object/tags/urlSlug.js
+++ b/bundles/AdminBundle/Resources/public/js/pimcore/object/tags/urlSlug.js
@@ -137,8 +137,6 @@ pimcore.object.tags.urlSlug = Class.create(pimcore.object.tags.abstract, {
 value: siteData['slug'],
 componentCls: this.getWrapperClassNames(),
 validator: function(value) {
-
-
 if (value) {
 if (!value.startsWith('/') || value.length < 2) {
 return false;
@@ -153,9 +151,10 @@ pimcore.object.tags.urlSlug = Class.create(pimcore.object.tags.abstract, {
 if (part.length == 0) {
 return false;
 }
+
 sanitizedPart = part.replace(/[#\?\*\:\\\\<\>\|"%&@=;]/g, '-');
 if (sanitizedPart != part) {
- return false;
+ return t('url-slug-invalid-chars');
 }
 }
 }
diff --git a/bundles/CoreBundle/Resources/translations/en.json b/bundles/CoreBundle/Resources/translations/en.json
index b4b10dde3d7..642b949fa0c 100644
--- a/bundles/CoreBundle/Resources/translations/en.json
+++ b/bundles/CoreBundle/Resources/translations/en.json
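Review bot: In the second urlSlug.js hunk the client-side validator repeats the forbidden-character class that the server applies in UrlSlug.php, and nothing in the code ties the two copies together. The browser check is only a usability aid, because a request sent outside the admin UI never runs it, so the server rule is the one that counts and the JS copy can drift from it unnoticed. I would add a comment above the `part.replace(...)` line such as `// Keep this character class in sync with UrlSlug::checkValidity(); the server-side check is authoritative.` The other failure branches visible in these hunks still `return false` without a message, so only this branch tells the user what was wrong; the validator body continues outside the hunk.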
@@ -999,5 +999,6 @@
 "no_further_classes_allowed": "No further classes allowed",
 "address_not_found": "The entered address was not found",
 "possible_causes": "Possible causes",
- "postal_code_format_error": "Postal code format, e.g. use \"5020 Salzburg, Söllheimer Straße 16\" instead of \"A-5020 Salzburg, Söllheimer Straße 16\""
+ "postal_code_format_error": "Postal code format, e.g. use \"5020 Salzburg, Söllheimer Straße 16\" instead of \"A-5020 Salzburg, Söllheimer Straße 16\"",
+ "url-slug-invalid-chars": "Provided invalid character in URL slug"
 }
diff --git a/models/DataObject/ClassDefinition/Data/UrlSlug.php b/models/DataObject/ClassDefinition/Data/UrlSlug.php
index 42a802e4de8..c650e7204d0 100644
--- a/models/DataObject/ClassDefinition/Data/UrlSlug.php
+++ b/models/DataObject/ClassDefinition/Data/UrlSlug.php
@@ -177,10 +177,15 @@ public function checkValidity($data, $omitMandatoryCheck = false, $params = [])
 if (is_array($data)) {
 /** @var Model\DataObject\Data\UrlSlug $item */
 foreach ($data as $item) {
- $slug = $item->getSlug();
+ $slug = htmlspecialchars($item->getSlug());
 $foundSlug = true;
 if (strlen($slug) > 0) {
+ $slugToCompare = preg_replace('/[#\?\*\:\\\\<\>\|"%&@=;]/', '-', $item->getSlug());
+ if($item->getSlug() !== $slugToCompare){
+ throw new Model\Element\ValidationException('Slug contains forbidden characters!');
+ }
+
 $document = Model\Document::getByPath($slug);
 if ($document) {
 throw new Model\Element\ValidationException('Slug must be unique. Found conflict with document path "' . $slug . '"');
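Review bot: In the UrlSlug.php hunk, `$slug = htmlspecialchars($item->getSlug());` HTML-encodes the value before it is passed to `Model\Document::getByPath($slug)`, so the uniqueness lookup runs on the encoded string rather than on the raw slug. The new denylist check already rejects `<`, `>`, `"` and `&`, but a character that `htmlspecialchars` rewrites and the class does not list (the single quote, under the PHP 8.1+ default flags) would be looked up as an entity, and a path conflict could then be missed. I would keep `$slug = $item->getSlug();` for validation and lookup and encode only where the message is built, e.g. `'... document path "' . htmlspecialchars($slug) . '"'`, or better still at the place the message is rendered. `preg_match` on the same pattern would state the intent more directly than replace-and-compare, and `if($item->getSlug() !== $slugToCompare){` lacks the spacing used on the surrounding lines. checkValidity starts and ends outside the hunk.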