
Commit 2b99773

authored
Security fix in Predefined section (#14721)
* Escape predefined property * Escape predefined metadata
1 parent 695f7c9 commit 2b99773


2 files changed

+6
-2
lines changed


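--- a/bundles/AdminBundle/Resources/public/js/pimcore/settings/metadata/predefined.js
+++ b/bundles/AdminBundle/Resources/public/js/pimcore/settings/metadata/predefined.js
@@ -215,7 +215,9 @@ pimcore.settings.metadata.predefined = Class.create({
 tooltip: t('delete'),
 handler: function (grid, rowIndex) {
 let data = grid.getStore().getAt(rowIndex);
-pimcore.helpers.deleteConfirm(t('predefined_metadata'), data.data.name, function () {
+pimcore.helpers.deleteConfirm(t('predefined_metadata'),
+Ext.util.Format.htmlEncode(data.data.name),
+function () {
 grid.getStore().removeAt(rowIndex);
 }.bind(this));
 }.bind(this)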
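Review bot: Encoding `data.data.name` at the call site fixes this delete handler only; `pimcore.helpers.deleteConfirm` itself is not shown, but if it inserts its name argument into the dialog message as HTML, every other caller that passes a stored, user-editable name needs the same treatment. The identical change in settings/properties/predefined.js has the same limitation. Consider moving the `Ext.util.Format.htmlEncode(...)` call into the helper (and dropping it here to avoid double-encoding), or audit the remaining callers. If the call-site form stays, a short comment would help, e.g. `// name is user-editable and deleteConfirm renders it as HTML, so encode it here`. The handler's enclosing definition begins and ends outside the hunk.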

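--- a/bundles/AdminBundle/Resources/public/js/pimcore/settings/properties/predefined.js
+++ b/bundles/AdminBundle/Resources/public/js/pimcore/settings/properties/predefined.js
@@ -165,7 +165,9 @@ pimcore.settings.properties.predefined = Class.create({
 tooltip: t('delete'),
 handler: function (grid, rowIndex) {
 let data = grid.getStore().getAt(rowIndex);
-pimcore.helpers.deleteConfirm(t('predefined_properties'), data.data.name, function () {
+pimcore.helpers.deleteConfirm(t('predefined_properties'),
+Ext.util.Format.htmlEncode(data.data.name),
+function () {
 grid.getStore().removeAt(rowIndex);
 }.bind(this));
 }.bind(this)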
