harden output sanitizing in admin area

CHANGELOG-3.0.md

@@ -8,6 +8,8 @@
 - Fixes:
   - [CoreBundle] More robust autoloader detection.
   - [CoreBundle] Add `flex-wrap` class to pagination for responsive behaviour ([bs#23504](https://github.com/twbs/bootstrap/issues/23504)).
+  - [Admin] Sanitize extension title in admin panel.
+  - [Blocks] Sanitize block title and description in admin list view.
   - [Blocks] Strip script tags from XSLT block stylesheets.
   - [Categories] Sanitize context menu in admin category list.
   - [Extensions] Disable caching headers in `AbstractTheme` if user is logged in.

src/system/AdminModule/Resources/views/Admin/adminpanel.html.twig

@@ -10,13 +10,13 @@
         <li data-modid="{{ adminLink.id }}" class="draggable">
             {# module icon #}
             {% if getModVar('ZikulaAdminModule', 'admingraphic') == 1 %}
-            <a title="{{ adminLink.menuTextTitle }}" href="{{ adminLink.menuTextUrl }}"><i class="fa-fw {{ adminLink.adminIcon|default('fas fa-layer-group') }} fa-4x" title="{{ adminLink.menuText }}"></i></a>
+            <a title="{{ adminLink.menuTextTitle|e('html_attr') }}" href="{{ adminLink.menuTextUrl|e('html_attr') }}"><i class="fa-fw {{ adminLink.adminIcon|default('fas fa-layer-group') }} fa-4x" title="{{ adminLink.menuText|e('html_attr') }}"></i></a>
             {% endif %}
             <div>
                 {# movable icon #}
                 <span title="{% trans %}Drag and drop into a new module category{% endtrans %}" class="tooltips fas fa-arrows-alt admintabs-lock"></span>
                 {# module title #}
-                <a title="{{ adminLink.menuTextTitle }}" href="{{ adminLink.menuTextUrl }}">{{ adminLink.menuText|raw }}</a>
+                <a title="{{ adminLink.menuTextTitle|e('html_attr') }}" href="{{ adminLink.menuTextUrl|e('html_attr') }}">{{ adminLink.menuText }}</a>
                 {# dropdown with quick links #}
                 {% if adminLink.extensionMenu|default %}
                     <div class="dropdown d-inline">

src/system/AdminModule/Resources/views/AdminInterface/categories.panel.html.twig

@@ -10,7 +10,7 @@
                 <li{% if caller.category.cid == category.cid %} class="selected"{% endif %}>
                     <a href="{{ category.url }}">
                         <i class="fa-fw {% if category.icon %}{{ category.icon|e('html_attr') }}{% else %}fas fa-file{% endif %}"></i>
-                        {{ category.title|raw }}
+                        {{ category.title|safeHtml }}
                     </a>
                     {% if category.modules|length > 0 %}
                         <ul class="text-left">

src/system/AdminModule/Resources/views/AdminInterface/categories.tabs.html.twig

@@ -9,7 +9,7 @@
             <li class="nav-item dropdown droppable nowrap" data-catid="{{ category.cid }}">
                 <a href="#" class="nav-link dropdown-toggle{% if caller.category.cid == category.cid %} active{% endif %}" data-toggle="dropdown"><span class="fas fa-arrows-alt admintabs-lock"></span>
                     <span>
-                        <i class="text-muted fa-fw {% if category.icon %}{{ category.icon|e('html_attr') }}{% else %}fas fa-file{% endif %}"></i> {{ category.title }}
+                        <i class="text-muted fa-fw {% if category.icon %}{{ category.icon|e('html_attr') }}{% else %}fas fa-file{% endif %}"></i> {{ category.title|safeHtml }}
                     </span>
                 </a>
                 <ul class="dropdown-menu">
@@ -30,7 +30,7 @@
                     {% if category.modules|length > 0 %}
                         <li class="dropdown-divider"></li>
                         {% for item in category.modules %}
-                            <li class="dropdown-item"><a href="{{ item.menutexturl }}" title="{{ item.menutext|e('html_attr') }}"><i class="{{ item.icon|default('fas fa-layer-group')|raw }} fa-fw align-middle"></i> {{ item.menutext|raw }}</a></li>
+                            <li class="dropdown-item"><a href="{{ item.menutexturl }}" title="{{ item.menutext|e('html_attr') }}"><i class="{{ item.icon|default('fas fa-layer-group')|raw }} fa-fw align-middle"></i> {{ item.menutext }}</a></li>
                         {% endfor %}
                     {% endif %}
                 </ul>

src/system/AdminModule/Resources/views/AdminInterface/modules.panel.html.twig

@@ -9,7 +9,7 @@
             {% for module in adminMenu %}
                 <li{% if caller._zkModule == module.modname %} class="selected"{% endif %}>
                     <a href="{{ module.menutexturl }}" title="{{ module.menutext|e('html_attr') }}">
-                        <i class="{{ module.icon|default('fas fa-layer-group') }} fa-fw fa-lg align-middle text-info"></i> {{ module.menutext|raw }}
+                        <i class="{{ module.icon|default('fas fa-layer-group') }} fa-fw fa-lg align-middle text-info"></i> {{ module.menutext|striptags }}
                     </a>
                     {% if module.extensionMenu|default %}
                         {{ knp_menu_render(module.extensionMenu, {template: '@ZikulaMenuModule/Override/bootstrap_fontawesome.html.twig'}) }}

src/system/AdminModule/Resources/views/AdminInterface/modules.tabs.html.twig

@@ -3,7 +3,7 @@
 {% macro draw(links) %}
     {% for link in links|filter(l => l.url|default) %}
         <li class="dropdown-item">
-            <a href="{{ link.url }}" title="{{ link.text|e('html_attr') }}">{% if link.icon is defined %}<i class="fas fa-fw fa-{{ link.icon }}"></i> {% endif %}{{ link.text|raw }}</a>
+            <a href="{{ link.url }}" title="{{ link.text|e('html_attr') }}">{% if link.icon is defined %}<i class="fas fa-fw fa-{{ link.icon }}"></i> {% endif %}{{ link.text }}</a>
             {% if link.links is defined %}
                 <ul class="dropdown-toggle">{{ _self.draw(link.links) }}</ul>
             {% endif %}

src/system/BlocksModule/Resources/views/Admin/view.html.twig

@@ -43,8 +43,8 @@
             {% for block in blocks %}
                 <tr>
                     <td headers="hBlockId">{{ block.bid }}</td>
-                    <td headers="hBlockTitle">{{ block.title|safeHtml }}</td>
-                    <td headers="hBlockDescription">{{ block.description|safeHtml }}</td>
+                    <td headers="hBlockTitle">{{ block.title }}</td>
+                    <td headers="hBlockDescription">{{ block.description }}</td>
                     <td headers="hBlockModule">{{ block.module.name }}</td>
                     <td headers="hBlockType">{{ block.blocktype }}</td>
                     <td headers="hBlockPositions">