[SECURITY] Ensure content element subheader is HTML encoded
ohader authored and benjaminkott committed Apr 23, 2021
1 parent 36f60ba commit de3a568
Showing 5 changed files with 13 additions and 13 deletions.
Expand Up @@ -4,9 +4,9 @@
<f:if condition="{item.data.nav_title}">
<div>{item.data.nav_title}</div>
</f:if>
<h{item.data.header_layout} class="carousel-item-header{f:if(condition: item.data.header_class, then: ' {item.data.header_class}')}{f:if(condition: item.data.header_position, then: ' text-{item.data.header_position}')}"><f:format.htmlentitiesDecode>{item.data.header}</f:format.htmlentitiesDecode></h{item.data.header_layout}>
<h{item.data.header_layout} class="carousel-item-header{f:if(condition: item.data.header_class, then: ' {item.data.header_class}')}{f:if(condition: item.data.header_position, then: ' text-{item.data.header_position}')}"><f:format.htmlspecialchars doubleEncode="false">{item.data.header}</f:format.htmlspecialchars></h{item.data.header_layout}>
<f:if condition="{item.data.subheader}">
<h{item.data.subheader_layout} class="carousel-item-subheader{f:if(condition: item.data.subheader_class, then: ' {item.data.subheader_class}')}{f:if(condition: item.data.header_position, then: ' text-{item.data.header_position}')}"><f:format.htmlentitiesDecode>{item.data.subheader}</f:format.htmlentitiesDecode></h{item.data.subheader_layout}>
<h{item.data.subheader_layout} class="carousel-item-subheader{f:if(condition: item.data.subheader_class, then: ' {item.data.subheader_class}')}{f:if(condition: item.data.header_position, then: ' text-{item.data.header_position}')}"><f:format.htmlspecialchars doubleEncode="false">{item.data.subheader}</f:format.htmlspecialchars></h{item.data.subheader_layout}>
</f:if>
<f:if condition="{item.data.bodytext}">
<div class="carousel-item-bodytext">
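Review bot: The new `f:format.htmlspecialchars` on the header and subheader lines encodes only the text node, while the tag name `h{item.data.header_layout}` and the `class` value assembled from `item.data.header_class` / `item.data.header_position` on those same lines still come straight from the record with no encoding visible in the template. Unless I am misreading Fluid's handling of inline `f:if` `then:` strings, variables inside ViewHelper arguments do not get the auto-escaping that a bare `{variable}` in the body gets, so a free-text `header_class` column would land unencoded inside an attribute value; if these columns are fixed-value selects in TCA the risk is nil, but nothing on this page establishes that. A one-line comment above the heading would pin the assumption down: `<!-- header_layout / header_class / header_position are expected to be TCA select values, not free text; only the heading text is HTML-encoded here -->`. The file this section belongs to is not named on the page, and the `carousel-item-bodytext` block continues below the hunk.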
Expand Up @@ -3,9 +3,9 @@
<div class="valign" {f:if(condition: item.data.text_color,then:'style="color: {item.data.text_color};"')}>
<div class="vcontainer">
<div class="carousel-text-inner">
<h{item.data.header_layout} class="carousel-header awesome{f:if(condition: item.data.header_class, then: ' {item.data.header_class}')}{f:if(condition: item.data.header_position, then: ' text-{item.data.header_position}')}"><f:format.htmlentitiesDecode>{item.data.header}</f:format.htmlentitiesDecode></h{item.data.header_layout}>
<h{item.data.header_layout} class="carousel-header awesome{f:if(condition: item.data.header_class, then: ' {item.data.header_class}')}{f:if(condition: item.data.header_position, then: ' text-{item.data.header_position}')}"><f:format.htmlspecialchars doubleEncode="false">{item.data.header}</f:format.htmlspecialchars></h{item.data.header_layout}>
<f:if condition="{item.data.subheader}">
<h{item.data.subheader_layout} class="carousel-subheader awesome{f:if(condition: item.data.subheader_class, then: ' {item.data.subheader_class}')}{f:if(condition: item.data.header_position, then: ' text-{item.data.header_position}')}"><f:format.htmlentitiesDecode>{item.data.subheader}</f:format.htmlentitiesDecode></h{item.data.subheader_layout}>
<h{item.data.subheader_layout} class="carousel-subheader awesome{f:if(condition: item.data.subheader_class, then: ' {item.data.subheader_class}')}{f:if(condition: item.data.header_position, then: ' text-{item.data.header_position}')}"><f:format.htmlspecialchars doubleEncode="false">{item.data.subheader}</f:format.htmlspecialchars></h{item.data.subheader_layout}>
</f:if>
</div>
</div>
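Review bot: The encoding change stops at the heading text, but the context line `style="color: {item.data.text_color};"` at the top of this hunk interpolates another record field into an inline style through an `f:if` then-string with no encoding visible in the template. A value containing `"` or a `;`-separated second declaration would alter the attribute or the CSS; whether that is reachable depends on the TCA definition of `text_color` (a colour-picker field would constrain it), which this page does not show. Either route it through `f:format.htmlspecialchars` as well or document the assumption next to the line: `<!-- text_color is assumed to be a validated colour value from the TCA colour picker; it is emitted unencoded into style -->`. The `carousel-text-inner` container closes outside the hunk and the file name for this section is not shown on the page.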
Expand Up @@ -4,9 +4,9 @@
<f:if condition="{item.data.nav_title}">
<div>{item.data.nav_title}</div>
</f:if>
<h{item.data.header_layout} class="carousel-item-header{f:if(condition: item.data.header_class, then: ' {item.data.header_class}')}{f:if(condition: item.data.header_position, then: ' text-{item.data.header_position}')}"><f:format.htmlentitiesDecode>{item.data.header}</f:format.htmlentitiesDecode></h{item.data.header_layout}>
<h{item.data.header_layout} class="carousel-item-header{f:if(condition: item.data.header_class, then: ' {item.data.header_class}')}{f:if(condition: item.data.header_position, then: ' text-{item.data.header_position}')}"><f:format.htmlspecialchars doubleEncode="false">{item.data.header}</f:format.htmlspecialchars></h{item.data.header_layout}>
<f:if condition="{item.data.subheader}">
<h{item.data.subheader_layout} class="carousel-item-subheader{f:if(condition: item.data.subheader_class, then: ' {item.data.subheader_class}')}{f:if(condition: item.data.header_position, then: ' text-{item.data.header_position}')}"><f:format.htmlentitiesDecode>{item.data.subheader}</f:format.htmlentitiesDecode></h{item.data.subheader_layout}>
<h{item.data.subheader_layout} class="carousel-item-subheader{f:if(condition: item.data.subheader_class, then: ' {item.data.subheader_class}')}{f:if(condition: item.data.header_position, then: ' text-{item.data.header_position}')}"><f:format.htmlspecialchars doubleEncode="false">{item.data.subheader}</f:format.htmlspecialchars></h{item.data.subheader_layout}>
</f:if>
<f:if condition="{item.data.bodytext}">
<div class="carousel-item-bodytext">
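Review bot: `doubleEncode="false"` on the rewritten header and subheader lines is the right choice for values that may already contain entities, but it deserves a comment so nobody reads it as a weakening: with double-encoding off, PHP's htmlspecialchars still encodes `<`, `>`, `"` and `'` unconditionally and only leaves an already well-formed entity such as `&amp;` or `&lt;` untouched, which the browser then renders as text rather than markup. The observable difference from the default is therefore cosmetic (legacy entity-encoded headers stay readable instead of showing `&amp;lt;`), not a change in what can be injected. Suggest adding above the heading: `<!-- doubleEncode=false keeps legacy entity-encoded headers readable; < > " ' are always encoded -->`. This section's file name is not shown on the page and the `carousel-item-bodytext` block continues below the hunk.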
Expand Up @@ -2,9 +2,9 @@
<f:link.typolink parameter="{item.data.link}" additionalAttributes="{draggable:'false'}">
<div class="valign">
<div class="carousel-text vcontainer" {f:if(condition: item.data.text_color,then: 'style="color: {item.data.text_color};"')}>
<h{item.data.header_layout} class="carousel-header{f:if(condition: item.data.header_class, then: ' {item.data.header_class}')}{f:if(condition: item.data.header_position, then: ' text-{item.data.header_position}')}"><f:format.htmlentitiesDecode>{item.data.header}</f:format.htmlentitiesDecode></h{item.data.header_layout}>
<h{item.data.header_layout} class="carousel-header{f:if(condition: item.data.header_class, then: ' {item.data.header_class}')}{f:if(condition: item.data.header_position, then: ' text-{item.data.header_position}')}"><f:format.htmlspecialchars doubleEncode="false">{item.data.header}</f:format.htmlspecialchars></h{item.data.header_layout}>
<f:if condition="{item.data.subheader}">
<h{item.data.subheader_layout} class="carousel-subheader{f:if(condition: item.data.subheader_class, then: ' {item.data.subheader_class}')}{f:if(condition: item.data.header_position, then: ' text-{item.data.header_position}')}"><f:format.htmlentitiesDecode>{item.data.subheader}</f:format.htmlentitiesDecode></h{item.data.subheader_layout}>
<h{item.data.subheader_layout} class="carousel-subheader{f:if(condition: item.data.subheader_class, then: ' {item.data.subheader_class}')}{f:if(condition: item.data.header_position, then: ' text-{item.data.header_position}')}"><f:format.htmlspecialchars doubleEncode="false">{item.data.subheader}</f:format.htmlspecialchars></h{item.data.subheader_layout}>
</f:if>
<f:format.html>{item.data.bodytext}</f:format.html>
</div>
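Review bot: The context line `<f:format.html>{item.data.bodytext}</f:format.html>` at the bottom of this hunk is the remaining place in the partial where record content reaches the page as markup, and it is intentionally outside this fix. `f:format.html` passes the text through a `parseFunc` TypoScript configuration, so whether script-bearing tags survive there is decided by that configuration rather than by this template; the header fix should not be read as covering bodytext. Making the boundary explicit next to the line would help the next auditor: `<!-- bodytext is RTE HTML; sanitisation is parseFunc's responsibility, not this template's -->`. The file name for this section is not shown on the page and the `carousel-text` container closes outside the hunk.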
10 changes: 5 additions & 5 deletions Resources/Private/Partials/ContentElements/Header/SubHeader.html
Expand Up @@ -3,27 +3,27 @@
<f:switch expression="{layout}">
<f:case value="1">
<h2 class="{class} {positionClass}">
<span><f:format.htmlentitiesDecode>{subheader}</f:format.htmlentitiesDecode></span>
<span><f:format.htmlspecialchars doubleEncode="false">{subheader}</f:format.htmlspecialchars></span>
</h2>
</f:case>
<f:case value="2">
<h3 class="{class} {positionClass}">
<span><f:format.htmlentitiesDecode>{subheader}</f:format.htmlentitiesDecode></span>
<span><f:format.htmlspecialchars doubleEncode="false">{subheader}</f:format.htmlspecialchars></span>
</h3>
</f:case>
<f:case value="3">
<h4 class="{class} {positionClass}">
<span><f:format.htmlentitiesDecode>{subheader}</f:format.htmlentitiesDecode></span>
<span><f:format.htmlspecialchars doubleEncode="false">{subheader}</f:format.htmlspecialchars></span>
</h4>
</f:case>
<f:case value="4">
<h5 class="{class} {positionClass}">
<span><f:format.htmlentitiesDecode>{subheader}</f:format.htmlentitiesDecode></span>
<span><f:format.htmlspecialchars doubleEncode="false">{subheader}</f:format.htmlspecialchars></span>
</h5>
</f:case>
<f:case value="5">
<h6 class="{class} {positionClass}">
<span><f:format.htmlentitiesDecode>{subheader}</f:format.htmlentitiesDecode></span>
<span><f:format.htmlspecialchars doubleEncode="false">{subheader}</f:format.htmlspecialchars></span>
</h6>
</f:case>
<f:defaultCase>
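Review bot: The `<f:defaultCase>` branch on the last visible line is cut off by the hunk, so it cannot be confirmed here that it received the same `f:format.htmlspecialchars doubleEncode="false"` treatment as cases 1–5; the file's diffstat of 5 additions and 5 deletions matches the five case branches exactly, which suggests the default branch was not touched. If it still wraps `{subheader}` in `f:format.htmlentitiesDecode`, the bypass survives for any `layout` value that falls through, including an unset one, so that branch should be checked before this is considered closed. The five rewritten `<span>` lines are consistent with each other, but the same line repeated five times is exactly how such a branch gets missed; a short comment above the switch, `<!-- every branch, including defaultCase, must HTML-encode {subheader} -->`, would make the invariant visible. The enclosing `f:switch` ends outside the hunk.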
