Sanitize site name everywhere
aembler committed Nov 9, 2023
1 parent df119c5 commit 07b4337
Showing 15 changed files with 17 additions and 17 deletions.
4 changes: 2 additions & 2 deletions concrete/attributes/site/controller.php
Expand Up @@ -56,7 +56,7 @@ public function form()
}
$sites = array('' => t('** Select Site'));
foreach($this->app->make('site')->getList() as $site) {
$sites[$site->getSiteID()] = $site->getSiteName();
$sites[$site->getSiteID()] = h($site->getSiteName());
}
$form = $this->app->make('helper/form');
print $form->select($this->field('siteID'), $sites, $siteID);
Expand All @@ -66,7 +66,7 @@ public function getDisplayValue()
{
$site = $this->getValue();
if (is_object($site)) {
return $site->getSiteName();
return h($site->getSiteName());
}
}

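Review bot: The escaped label in `$sites[$site->getSiteID()] = h($site->getSiteName());` is handed straight to `$form->select()` a few lines later; if the form helper escapes option text itself, the site name ends up double-encoded (`&amp;amp;`), so confirm what select() does before escaping here. The same question applies to `$seo->setSiteName(h(tc('SiteName', ...)))` in header_required.php and to `new Item('', h($site->getSiteName()))` in the dashboard breadcrumb, each of which passes an already-escaped string into a component that may escape again on output. Escaping once, at the point the string is written into HTML, avoids both the double-encoding and the reverse mistake of an unescaped path. form()'s body starts before the hunk.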
2 changes: 1 addition & 1 deletion concrete/authentication/concrete/controller.php
Expand Up @@ -295,7 +295,7 @@ private function passwordUpgrade(?UserInfo $userInfo, ErrorList $error, bool $is
}
$mh->from($fromEmail, $fromName);
}
$mh->addParameter('siteName', tc('SiteName', $this->app->make('site')->getSite()->getSiteName()));
$mh->addParameter('siteName', h(tc('SiteName', $this->app->make('site')->getSite()->getSiteName())));
$mh->load('forgot_password');
$mh->setIsThrowOnFailure(true);
try {
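Review bot: Applying `h()` to the `siteName` mail parameter on the changed line assumes the parameter is only rendered into an HTML body; if the `forgot_password` template also produces a plain-text part, a site name containing `&` or quotes reaches the text mail as literal entities. The `siteName` parameter in register.php's do_register() has the same problem. Escaping per body type can only be done inside the mail templates where the parameter is echoed, so the parameter itself should stay raw. passwordUpgrade()'s body continues outside the hunk.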
4 changes: 2 additions & 2 deletions concrete/blocks/top_navigation_bar/controller.php
Expand Up @@ -126,7 +126,7 @@ public function getRequiredFeatures(): array
public function add()
{
$site = $this->app->make('site')->getSite();
$brandingText = $site->getSiteName();
$brandingText = h($site->getSiteName());
/** @var Detector $detector */
$detector = $this->app->make('multilingual/detector');

Expand Down Expand Up @@ -250,7 +250,7 @@ public function view()
}
if ($this->includeBrandText && !$this->brandingText) {
$site = $this->app->make('site')->getSite();
$brandingText = $site->getSiteName();
$brandingText = h($site->getSiteName());
$this->set('brandingText', $brandingText);
}
if ($this->brandingTransparentLogo) {
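Review bot: In add(), `$brandingText = h($site->getSiteName());` never reaches output within the hunk; if the remainder of add() stores it as the block's default branding text, the database receives an HTML-encoded string and any later `h()` on render encodes it a second time. In view() the same value goes through `$this->set('brandingText', $brandingText);`, so whether the template escapes `$brandingText` again decides between single and double escaping — confirm before keeping both changes. Both method bodies extend beyond the hunk.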
Expand Up @@ -218,7 +218,7 @@ protected function setCurrentSite(?Site $site): void
$menu = null;
} else {
$breadcrumb = $this->app->make(DashboardBreadcrumbFactory::class)->getBreadcrumb($this->getPageObject());
$breadcrumb->add(new Item('', $site->getSiteName()));
$breadcrumb->add(new Item('', h($site->getSiteName())));
$this->setBreadcrumb($breadcrumb);
$menu = new Element('dashboard/system/multisite/site/menu', '', $this->getPageObject(), ['site' => $site]);
}
Expand Up @@ -116,7 +116,7 @@ protected function getSiteNameForPage(Page $page): string
}
$siteName = $this->getSiteNameForLocale($locale);
} else {
$siteName = $this->app->make('site')->getSite()->getSiteName();
$siteName = h($this->app->make('site')->getSite()->getSiteName());
}

return $siteName;
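Review bot: getSiteNameForPage() now returns an escaped string from the else branch, while the unchanged `$siteName = $this->getSiteNameForLocale($locale);` branch presumably still yields raw text, so callers get HTML-encoded output for one kind of page and raw output for another. Either apply the escape once, `return h($siteName);`, with both branches left raw, or escape in the caller; in any case the `: string` return should be documented as escaped or not. The method's start lies outside the hunk.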
2 changes: 1 addition & 1 deletion concrete/controllers/single_page/register.php
Expand Up @@ -169,7 +169,7 @@ public function do_register()
'display');
}
$mh->addParameter('attribs', $attribValues);
$mh->addParameter('siteName', tc('SiteName', \Core::make('site')->getSite()->getSiteName()));
$mh->addParameter('siteName', h(tc('SiteName', \Core::make('site')->getSite()->getSiteName())));

if ($config->get('concrete.email.register_notification.address')) {
if ($config->get('concrete.email.register_notification.name')) {
2 changes: 1 addition & 1 deletion concrete/elements/header_required.php
Expand Up @@ -61,7 +61,7 @@
}
$seo->addTitleSegmentBefore($pageTitle);
}
$seo->setSiteName(tc('SiteName', $site->getSiteName()));
$seo->setSiteName(h(tc('SiteName', $site->getSiteName())));
$seo->setTitleFormat($appConfig->get('concrete.seo.title_format'));
$seo->setTitleSegmentSeparator($appConfig->get('concrete.seo.title_segment_separator'));
$pageTitle = $seo->getTitle();
Expand Up @@ -116,7 +116,7 @@
<?php foreach ($sites as $site) { ?>
<tr>
<td>
<?php echo $site->getSiteName() ?>
<?php echo h($site->getSiteName()); ?>
</td>

<td style="white-space: nowrap" class="text-center">
2 changes: 1 addition & 1 deletion concrete/single_pages/login.php
Expand Up @@ -26,7 +26,7 @@
$site = app('site')->getSite() ?? null;
$siteName = '';
if ($site) {
$siteName = $site->getSiteName();
$siteName = h($site->getSiteName());
}

?>
Expand Up @@ -15,7 +15,7 @@ public function __construct(Site $site)

public function getEntryGroupLabel()
{
return $this->site->getSiteName();
return h($this->site->getSiteName());
}

public function getEntryGroupIdentifier()
Expand Up @@ -19,7 +19,7 @@ public function __construct(Site $site)

public function getLabel()
{
return $this->site->getSiteName();
return h($this->site->getSiteName());
}

public function getSiteTreeID()
2 changes: 1 addition & 1 deletion concrete/src/Entity/Attribute/Value/Value/SiteValue.php
Expand Up @@ -39,7 +39,7 @@ public function getValue()
public function __toString()
{
if (is_object($this->site)) {
return (string) $this->site->getSiteName();
return (string) h($this->site->getSiteName());
}
return '';
}
2 changes: 1 addition & 1 deletion concrete/src/Entity/Site/SiteTree.php
Expand Up @@ -49,7 +49,7 @@ public function getSiteType()

public function getDisplayName()
{
return $this->getLocale()->getSite()->getSiteName();
return h($this->getLocale()->getSite()->getSiteName());
}

}
2 changes: 1 addition & 1 deletion concrete/src/Form/Service/Widget/SiteSelector.php
Expand Up @@ -33,7 +33,7 @@ public function selectSite($fieldName, $siteID = false, $includeCurrent = false,
foreach(\Core::make('site')->getList() as $site) {
$sp = new \Permissions($site);
if ($sp->canViewSiteInSelector()) {
$sites .= '<option ' . ($site->getSiteID() == $siteID ? 'selected' : '') . ' value="' . $site->getSiteID() . '">' . $site->getSiteName() . '</option>';
$sites .= '<option ' . ($site->getSiteID() == $siteID ? 'selected' : '') . ' value="' . $site->getSiteID() . '">' . h($site->getSiteName()) . '</option>';
}
}

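Review bot: The rewritten line escapes only the option label, while `value="' . $site->getSiteID() . '"` in the same hand-built `<option>` stays unescaped and the selected check relies on loose `==`; if site IDs are always integers this is harmless, but for consistency wrap it as well, `' value="' . h($site->getSiteID()) . '"'`, and compare with `(int) $site->getSiteID() === (int) $siteID`. The `$fieldName` parameter is presumably concatenated into the surrounding `<select>` tag earlier in selectSite(), outside the hunk, and deserves the same check.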
2 changes: 1 addition & 1 deletion concrete/src/Install/InstallerOptions.php
Expand Up @@ -251,7 +251,7 @@ public function setStartingPointHandle($value)
*/
public function getSiteName()
{
return $this->siteName;
return h($this->siteName);
}

/**
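Review bot: With `return h($this->siteName);` InstallerOptions::getSiteName() no longer returns what its setter stored, so an installer step that reads the option back to write the site name into configuration or the database persists the encoded form. If the escaped accessor is intended, the docblock closed just above the method should say so, e.g. `@return string HTML-escaped site name`; otherwise the getter should return the raw value and escaping should happen where the name is printed. The docblock itself starts outside the hunk.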

1 comment on commit 07b4337

@mlocati

@mlocati mlocati commented on 07b4337 Nov 9, 2023


I'd add h() in the views (we may use those values in other ways too, for example in CLI commands, JSON and XML exports)
