Opt-out iframe customiser: accept " character in fontFamily (matomo-o…

…rg#12494)
InfinityVoid · Oct 11, 2018 · 72480f7 · 72480f7
1 parent 0a208dd
commit 72480f7
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 6 deletions.
diff --git a/plugins/CoreAdminHome/OptOutManager.php b/plugins/CoreAdminHome/OptOutManager.php
@@ -219,10 +219,10 @@ public function getOptOutView()
 
     private function optOutStyling()
     {
-        $cssfontsize = Common::getRequestVar('fontSize', false, 'string');
-        $cssfontcolour = Common::getRequestVar('fontColor', false, 'string');
-        $cssfontfamily = Common::getRequestVar('fontFamily', false, 'string');
-        $cssbackgroundcolor = Common::getRequestVar('backgroundColor', false, 'string');
+        $cssfontsize = Common::unsanitizeInputValue(Common::getRequestVar('fontSize', false, 'string'));
+        $cssfontcolour = Common::unsanitizeInputValue(Common::getRequestVar('fontColor', false, 'string'));
+        $cssfontfamily = Common::unsanitizeInputValue(Common::getRequestVar('fontFamily', false, 'string'));
+        $cssbackgroundcolor = Common::unsanitizeInputValue(Common::getRequestVar('backgroundColor', false, 'string'));
         $cssbody = 'body { ';
 
         $hexstrings = array(
@@ -241,7 +241,7 @@ private function optOutStyling()
             throw new \Exception("The URL parameter fontSize value of '$cssfontsize' is not valid. Expected value is for example '15pt', '1.2em' or '13px'.\n");
         }
 
-        if ($cssfontfamily && (preg_match("/^[a-zA-Z-\ ,]+$/", $cssfontfamily))) {
+        if ($cssfontfamily && (preg_match('/^[a-zA-Z-\ ,\'"]+$/', $cssfontfamily))) {
             $cssbody .= 'font-family: ' . $cssfontfamily . '; ';
         } else if ($cssfontfamily) {
             throw new \Exception("The URL parameter fontFamily value of '$cssfontfamily' is not valid. Expected value is for example 'sans-serif' or 'Monaco, monospace'.\n");

diff --git a/plugins/PrivacyManager/angularjs/opt-out-customizer/opt-out-customizer.controller.js b/plugins/PrivacyManager/angularjs/opt-out-customizer/opt-out-customizer.controller.js
@@ -29,7 +29,7 @@
         };
         vm.onUpdate = function () {
             if (vm.piwikurl) {
-                var value = vm.piwikurl + "index.php?module=CoreAdminHome&action=optOut&language=" + vm.language + "&backgroundColor=" + vm.backgroundColor.substr(1) + "&fontColor=" + vm.fontColor.substr(1) + "&fontSize=" + vm.fontSizeWithUnit + "&fontFamily=" + vm.fontFamily;
+                var value = vm.piwikurl + "index.php?module=CoreAdminHome&action=optOut&language=" + vm.language + "&backgroundColor=" + vm.backgroundColor.substr(1) + "&fontColor=" + vm.fontColor.substr(1) + "&fontSize=" + vm.fontSizeWithUnit + "&fontFamily=" + encodeURIComponent(vm.fontFamily);
                 var isAnimationAlreadyRunning = $('.optOutCustomizer pre').queue('fx').length > 0;
                 if (value !== vm.iframeUrl && !isAnimationAlreadyRunning) {
                     $('.optOutCustomizer pre').effect("highlight", {}, 1500);