Properly escape output used in javascript

netgen · Dec 20, 2021 · 59daf9a · 59daf9a
1 parent 7b497c8
commit 59daf9a
Show file tree

Hide file tree

Showing 3 changed files with 20 additions and 5 deletions.
diff --git a/bundle/Controller/Admin/FieldController.php b/bundle/Controller/Admin/FieldController.php
@@ -111,8 +111,8 @@ private function filterTags(array $tags, $subTreeLimit, $hideRootTag)
 
             $data[] = [
                 'parent_id' => $tag->parentTagId,
-                'parent_name' => !empty($parentTagKeywords) ? array_values($parentTagKeywords)[0] : '',
-                'name' => array_values($tagKeywords)[0],
+                'parent_name' => !empty($parentTagKeywords) ? $this->escape(array_values($parentTagKeywords)[0]) : '',
+                'name' => $this->escape(array_values($tagKeywords)[0]),
                 'id' => $tag->id,
                 'main_tag_id' => $tag->mainTagId,
                 'locale' => array_keys($tagKeywords)[0],
@@ -121,4 +121,9 @@ private function filterTags(array $tags, $subTreeLimit, $hideRootTag)
 
         return $data;
     }
+
+    private function escape($string): string
+    {
+        return htmlspecialchars($string, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401, 'UTF-8');
+    }
 }
diff --git a/bundle/Controller/Admin/TreeController.php b/bundle/Controller/Admin/TreeController.php
@@ -152,7 +152,7 @@ protected function getTagTreeData(Tag $tag, $isRoot = false)
         return [
             'id' => $tag->id,
             'parent' => $isRoot ? '#' : $tag->parentTagId,
-            'text' => $synonymCount > 0 ? $tag->keyword . ' (+' . $synonymCount . ')' : $tag->keyword,
+            'text' => $synonymCount > 0 ? $this->escape($tag->keyword) . ' (+' . $synonymCount . ')' : $this->escape($tag->keyword),
             'children' => $this->tagsService->getTagChildrenCount($tag) > 0,
             'a_attr' => [
                 'href' => str_replace(':tagId', $tag->id, $this->treeLinks['show_tag']),
@@ -197,4 +197,9 @@ protected function getTagTreeData(Tag $tag, $isRoot = false)
             ],
         ];
     }
+
+    private function escape($string): string
+    {
+        return htmlspecialchars($string, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401, 'UTF-8');
+    }
 }
diff --git a/bundle/Form/Type/FieldType/FieldValueTransformer.php b/bundle/Form/Type/FieldType/FieldValueTransformer.php
@@ -47,7 +47,7 @@ public function transform($value)
 
             $ids[] = $tag->id;
             $parentIds[] = $tag->parentTagId;
-            $keywords[] = $tagKeyword !== null ? $tagKeyword : $mainKeyword;
+            $keywords[] = $tagKeyword !== null ? $this->escape($tagKeyword) : $this->escape($mainKeyword);
             $locales[] = $tagKeyword !== null ? $this->field->languageCode : $tag->mainLanguageCode;
         }
 
@@ -89,11 +89,16 @@ public function reverseTransform($value)
 
             $hash[] = [
                 'parent_id' => (int) $parentIds[$i],
-                'keywords' => [$locales[$i] => $keywords[$i]],
+                'keywords' => [$locales[$i] => $this->escape($keywords[$i])],
                 'main_language_code' => $locales[$i],
             ];
         }
 
         return $this->fieldType->fromHash($hash);
     }
+
+    private function escape($string): string
+    {
+        return htmlspecialchars($string, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401, 'UTF-8');
+    }
 }