Fix potential xss in admin panel

GSadee · May 9, 2024 · d4812f9 · d4812f9
1 parent 9b7e954
commit d4812f9
Show file tree

Hide file tree

Showing 4 changed files with 17 additions and 5 deletions.
diff --git a/src/Sylius/Bundle/AdminBundle/Resources/private/js/sylius-lazy-choice-tree.js b/src/Sylius/Bundle/AdminBundle/Resources/private/js/sylius-lazy-choice-tree.js
@@ -10,6 +10,7 @@
 import 'semantic-ui-css/components/api';
 import 'semantic-ui-css/components/checkbox';
 import $ from 'jquery';
+import { sanitizeInput} from "./sylius-sanitizer";
 
 const createRootContainer = function createRootContainer() {
   return $('<div class="ui list"></div>');
@@ -81,7 +82,7 @@ $.fn.extend({
           onSuccess(response) {
             response.forEach((leafNode) => {
               leafContainerElement.append((
-                createLeafFunc(leafNode.name, leafNode.code, leafNode.hasChildren, multiple, leafNode.level)
+                createLeafFunc(sanitizeInput(leafNode.name), sanitizeInput(leafNode.code), leafNode.hasChildren, multiple, leafNode.level)
               ));
             });
             content.append(leafContainerElement);
@@ -169,7 +170,7 @@ $.fn.extend({
         const rootContainer = createRootContainer();
         response.forEach((rootNode) => {
           rootContainer.append((
-            createLeaf(rootNode.name, rootNode.code, rootNode.hasChildren, multiple, rootNode.level)
+            createLeaf(sanitizeInput(rootNode.name), sanitizeInput(rootNode.code), rootNode.hasChildren, multiple, rootNode.level)
           ));
         });
         tree.append(rootContainer);

diff --git a/src/Sylius/Bundle/AdminBundle/Resources/private/js/sylius-sanitizer.js b/src/Sylius/Bundle/AdminBundle/Resources/private/js/sylius-sanitizer.js
@@ -0,0 +1,5 @@
+export function sanitizeInput(input) {
+  const div = document.createElement('div');
+  div.textContent = input;
+  return div.innerHTML; // Converts text content to plain HTML, stripping any scripts
+}
diff --git a/src/Sylius/Bundle/UiBundle/Resources/private/js/sylius-auto-complete.js b/src/Sylius/Bundle/UiBundle/Resources/private/js/sylius-auto-complete.js
@@ -9,6 +9,7 @@
 
 import 'semantic-ui-css/components/dropdown';
 import $ from 'jquery';
+import { sanitizeInput } from "./sylius-sanitizer";
 
 $.fn.extend({
   autoComplete() {
@@ -37,8 +38,8 @@ $.fn.extend({
           },
           onResponse(response) {
             let results = response.map(item => ({
-              name: item[choiceName],
-              value: item[choiceValue],
+              name: sanitizeInput(item[choiceName]),
+              value: sanitizeInput(item[choiceValue]),
             }));
 
             if (!element.hasClass('multiple')) {
@@ -72,7 +73,7 @@ $.fn.extend({
           onSuccess(response) {
             response.forEach((item) => {
               menuElement.append((
-                $(`<div class="item" data-value="${item[choiceValue]}">${item[choiceName]}</div>`)
+                $(`<div class="item" data-value="${item[choiceValue]}">${sanitizeInput(item[choiceName])}</div>`)
               ));
             });
 

diff --git a/src/Sylius/Bundle/UiBundle/Resources/private/js/sylius-sanitizer.js b/src/Sylius/Bundle/UiBundle/Resources/private/js/sylius-sanitizer.js
@@ -0,0 +1,5 @@
+export function sanitizeInput(input) {
+  const div = document.createElement('div');
+  div.textContent = input;
+  return div.innerHTML; // Converts text content to plain HTML, stripping any scripts
+}