Merge pull request #11765 from concretecms/backport-security-fixes-11…

…0923 Backport security fixes for 8.5
concretecms · Nov 10, 2023 · 5b93470 · 5b93470
2 parents eb803ab + c770ca0
commit 5b93470
Show file tree

Hide file tree

Showing 3 changed files with 44 additions and 38 deletions.
diff --git a/concrete/controllers/dialog/area/layout/presets.php b/concrete/controllers/dialog/area/layout/presets.php
@@ -32,7 +32,7 @@ public function view($arLayoutID)
         $presets = array();
         $presets['-1'] = t('** New');
         foreach ($presetlist as $preset) {
-            $presets[$preset->getAreaLayoutPresetID()] = $preset->getAreaLayoutPresetName();
+            $presets[$preset->getAreaLayoutPresetID()] = h($preset->getAreaLayoutPresetName());
         }
 
         $this->set('arLayout', $arLayout);
@@ -64,6 +64,7 @@ public function getPresetData($cID, $arLayoutPresetID)
     public function submit($arLayoutID)
     {
         if ($this->validateAction()) {
+            $existingPreset = null;
             $arLayout = AreaLayout::getByID($arLayoutID);
             if (!is_object($arLayout)) {
                 throw new Exception(t('Invalid layout object.'));

diff --git a/concrete/controllers/dialog/event/delete.php b/concrete/controllers/dialog/event/delete.php
@@ -38,42 +38,47 @@ public function __construct()
 
     public function submit()
     {
-        $event = $this->eventService->getByID($_REQUEST['eventID'], EventService::EVENT_VERSION_RECENT);
-        $e = \Core::make('error');
-        if (!$event) {
-            $e->add(t('Invalid event.'));
-        }
-        if (!$this->canAccess()) {
-            $e->add(t('Access Denied.'));
-        }
+        if ($this->validateAction()) {
+            $event = $this->eventService->getByID($_REQUEST['eventID'], EventService::EVENT_VERSION_RECENT);
+            $e = \Core::make('error');
+            if (!$event) {
+                $e->add(t('Invalid event.'));
+            }
+            if (!$this->canAccess()) {
+                $e->add(t('Access Denied.'));
+            }
 
-        $r = new EditResponse($e);
-        $year = date('Y');
-        $month = date('m');
-        $r->setRedirectURL(
-            \URL::to(
-                $this->preferences->getPreferredViewPath(),
-                'view',
-                $event->getCalendar()->getID(),
-                $year,
-                $month
-            )
-        );
-
-        if (!$e->has()) {
-            $u = $this->app->make(User::class);
-            $pkr = new DeleteCalendarEventRequest();
-            $pkr->setCalendarEventVersionID($event->getRecentVersion()->getID());
-            $pkr->setRequesterUserID($u->getUserID());
-            $response = $pkr->trigger();
-            if ($response instanceof Response) {
-                $this->flash('success', t('Event deleted successfully.'));
-            } else {
-                $this->flash('success', t('Event deletion pending. This request must be approved before the event is fully removed.'));
+            $r = new EditResponse($e);
+            $year = date('Y');
+            $month = date('m');
+            $r->setRedirectURL(
+                \URL::to(
+                    $this->preferences->getPreferredViewPath(),
+                    'view',
+                    $event->getCalendar()->getID(),
+                    $year,
+                    $month
+                )
+            );
+
+            if (!$e->has()) {
+                $u = $this->app->make(User::class);
+                $pkr = new DeleteCalendarEventRequest();
+                $pkr->setCalendarEventVersionID($event->getRecentVersion()->getID());
+                $pkr->setRequesterUserID($u->getUserID());
+                $response = $pkr->trigger();
+                if ($response instanceof Response) {
+                    $this->flash('success', t('Event deleted successfully.'));
+                } else {
+                    $this->flash(
+                        'success',
+                        t('Event deletion pending. This request must be approved before the event is fully removed.')
+                    );
+                }
             }
-        }
 
-        $r->outputJSON();
+            $r->outputJSON();
+        }
     }
 
 

diff --git a/concrete/views/dialogs/area/layout/presets/manage.php b/concrete/views/dialogs/area/layout/presets/manage.php
@@ -10,19 +10,19 @@
     <ul class="item-select-list">
     <?php foreach ($presets as $preset) {
     ?>
-        <li data-preset-row="<?=$preset->getAreaLayoutPresetID()?>"><span><?=$preset->getAreaLayoutPresetName()?>
+        <li data-preset-row="<?=$preset->getAreaLayoutPresetID()?>"><span><?=h($preset->getAreaLayoutPresetName())?>
         <a href="javascript:void(0)" class="pull-right icon-link delete-area-layout-preset" data-action="delete-area-layout-preset"><i class="fa fa-trash-o"></i></a>
         </span></li>
-    <?php 
+    <?php
 }
     ?>
     </ul>
 
-<?php 
+<?php
 } else {
     ?>
     <p><?=t('You have no presets.')?></p>
-<?php 
+<?php
 } ?>