From 59daf9a7a41dd1028085ef706204109759005617 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Edi=20Modri=C4=87?=
Date: Mon, 20 Dec 2021 13:38:14 +0100
Subject: [PATCH] Properly escape output used in javascript

---
 bundle/Controller/Admin/FieldController.php | 9 +++++++--
 bundle/Controller/Admin/TreeController.php | 7 ++++++-
 bundle/Form/Type/FieldType/FieldValueTransformer.php | 9 +++++++--
 3 files changed, 20 insertions(+), 5 deletions(-)

diff --git a/bundle/Controller/Admin/FieldController.php b/bundle/Controller/Admin/FieldController.php
index 55019a18..f707359e 100644
--- a/bundle/Controller/Admin/FieldController.php
+++ b/bundle/Controller/Admin/FieldController.php
@@ -111,8 +111,8 @@ private function filterTags(array $tags, $subTreeLimit, $hideRootTag)
 $data[] = [
 'parent_id' => $tag->parentTagId,
- 'parent_name' => !empty($parentTagKeywords) ? array_values($parentTagKeywords)[0] : '',
- 'name' => array_values($tagKeywords)[0],
+ 'parent_name' => !empty($parentTagKeywords) ? $this->escape(array_values($parentTagKeywords)[0]) : '',
+ 'name' => $this->escape(array_values($tagKeywords)[0]),
 'id' => $tag->id,
 'main_tag_id' => $tag->mainTagId,
 'locale' => array_keys($tagKeywords)[0],
@@ -121,4 +121,9 @@ private function filterTags(array $tags, $subTreeLimit, $hideRootTag)
 return $data;
 }
+
+ private function escape($string): string
+ {
+ return htmlspecialchars($string, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401, 'UTF-8');
+ }
 }
diff --git a/bundle/Controller/Admin/TreeController.php b/bundle/Controller/Admin/TreeController.php
index 57c6967d..92a8db9a 100644
--- a/bundle/Controller/Admin/TreeController.php
+++ b/bundle/Controller/Admin/TreeController.php
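Review bot: The `'parent_name'` and `'name'` entries are now HTML-entity-encoded inside a data array that (per the commit title) is consumed by JavaScript, so the values are only correct if every consumer inserts them as HTML markup; a consumer that assigns them via textContent, a JSON-aware template, or uses them for comparison or search will see literal `&amp;`/`&lt;` sequences. The contract is invisible from the PHP side, so it should at least be stated next to the array, e.g. `// name/parent_name are HTML-escaped for insertion as markup by the admin JS; do not escape them again client-side`, and ideally the escaping would move to the sink that renders the markup. filterTags starts outside the hunk, so I cannot tell whether the same array is also serialised for non-HTML use.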
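Review bot: The new `escape()` helper leaves its parameter untyped while declaring a `string` return, so a `null` keyword reaches `htmlspecialchars()` (deprecated for null since PHP 8.1) and other scalars are silently coerced; declare it as `private function escape(string $string): string`. The same helper is added verbatim in TreeController (the `@@ -197` hunk) and FieldValueTransformer (the `@@ -89` hunk); three private copies of an output-encoding routine will drift, so one shared helper or trait with a short docblock stating the target context (HTML body/attribute, UTF-8) would be preferable. `ENT_HTML401` is the default document-type flag and can be dropped from the call.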
@@ -152,7 +152,7 @@ protected function getTagTreeData(Tag $tag, $isRoot = false)
 return [
 'id' => $tag->id,
 'parent' => $isRoot ? '#' : $tag->parentTagId,
- 'text' => $synonymCount > 0 ? $tag->keyword . ' (+' . $synonymCount . ')' : $tag->keyword,
+ 'text' => $synonymCount > 0 ? $this->escape($tag->keyword) . ' (+' . $synonymCount . ')' : $this->escape($tag->keyword),
 'children' => $this->tagsService->getTagChildrenCount($tag) > 0,
 'a_attr' => [
 'href' => str_replace(':tagId', $tag->id, $this->treeLinks['show_tag']),
@@ -197,4 +197,9 @@ protected function getTagTreeData(Tag $tag, $isRoot = false)
 ],
 ];
 }
+
+ private function escape($string): string
+ {
+ return htmlspecialchars($string, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401, 'UTF-8');
+ }
 }
diff --git a/bundle/Form/Type/FieldType/FieldValueTransformer.php b/bundle/Form/Type/FieldType/FieldValueTransformer.php
index 0310c891..6987c1ba 100644
--- a/bundle/Form/Type/FieldType/FieldValueTransformer.php
+++ b/bundle/Form/Type/FieldType/FieldValueTransformer.php
@@ -47,7 +47,7 @@ public function transform($value)
 $ids[] = $tag->id;
 $parentIds[] = $tag->parentTagId;
- $keywords[] = $tagKeyword !== null ? $tagKeyword : $mainKeyword;
+ $keywords[] = $tagKeyword !== null ? $this->escape($tagKeyword) : $this->escape($mainKeyword);
 $locales[] = $tagKeyword !== null ? $this->field->languageCode : $tag->mainLanguageCode;
 }
@@ -89,11 +89,16 @@ public function reverseTransform($value)
 $hash[] = [
 'parent_id' => (int) $parentIds[$i],
- 'keywords' => [$locales[$i] => $keywords[$i]],
+ 'keywords' => [$locales[$i] => $this->escape($keywords[$i])],
 'main_language_code' => $locales[$i],
 ];
 }
 return $this->fieldType->fromHash($hash);
 }
+
+ private function escape($string): string
+ {
+ return htmlspecialchars($string, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401, 'UTF-8');
+ }
 }
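Review bot: The rewritten `'text'` line calls `$this->escape($tag->keyword)` in both arms of the ternary, which duplicates the escaping and makes it easy for a later edit to drop it from one branch; escape once and append the suffix conditionally, `'text' => $this->escape($tag->keyword) . ($synonymCount > 0 ? ' (+' . $synonymCount . ')' : ''),`. The neighbouring `'href'` is still built by substituting `$tag->id` into a link template unescaped, which is fine only if ids are numeric — presumably they are, but worth confirming while escaping policy for this array is being decided. getTagTreeData continues outside the hunk.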
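Review bot: In transform() the new `$keywords[]` line repeats the escape call on both branches of a null test that is exactly the null-coalescing operator; `$keywords[] = $this->escape($tagKeyword ?? $mainKeyword);` reads as the intent and keeps one call site. Note that this hunk makes the form's model value entity-encoded rather than the raw keyword, which is relevant to the `@@ -89` hunk below.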
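Review bot: In reverseTransform() the new `'keywords'` line HTML-escapes the submitted keyword before it goes into `$hash` and on to `$this->fieldType->fromHash($hash)`, so the entity-encoded form is what becomes the persisted field value, and on the next load transform() (the `@@ -47` hunk) escapes it again; `htmlspecialchars()` double-encodes by default, so a keyword containing `&`, `<` or `"` accrues an extra `&amp;` layer on every edit-save round trip unless the client decodes entities before submitting, which nothing here shows. Output encoding belongs at the rendering sink, not in the inbound model transformer; I would store the raw value, `'keywords' => [$locales[$i] => $keywords[$i]],`, and keep the escaping on the outbound side only, or at minimum pass `double_encode` as false in the helper to stop the accumulation. reverseTransform starts outside the hunk, so whether `$keywords` is validated elsewhere is not visible.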