Security fix in Predefined section (#14721)

* Escape predefined property * Escape predefined metadata
pimcore · Mar 27, 2023 · 2b99773 · 2b99773
1 parent 695f7c9
commit 2b99773
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 2 deletions.
diff --git a/bundles/AdminBundle/Resources/public/js/pimcore/settings/metadata/predefined.js b/bundles/AdminBundle/Resources/public/js/pimcore/settings/metadata/predefined.js
@@ -215,7 +215,9 @@ pimcore.settings.metadata.predefined = Class.create({
                     tooltip: t('delete'),
                     handler: function (grid, rowIndex) {
                         let data = grid.getStore().getAt(rowIndex);
-                        pimcore.helpers.deleteConfirm(t('predefined_metadata'), data.data.name, function () {
+                        pimcore.helpers.deleteConfirm(t('predefined_metadata'),
+                            Ext.util.Format.htmlEncode(data.data.name),
+                            function () {
                             grid.getStore().removeAt(rowIndex);
                         }.bind(this));
                     }.bind(this)

diff --git a/bundles/AdminBundle/Resources/public/js/pimcore/settings/properties/predefined.js b/bundles/AdminBundle/Resources/public/js/pimcore/settings/properties/predefined.js
@@ -165,7 +165,9 @@ pimcore.settings.properties.predefined = Class.create({
                     tooltip: t('delete'),
                     handler: function (grid, rowIndex) {
                         let data = grid.getStore().getAt(rowIndex);
-                        pimcore.helpers.deleteConfirm(t('predefined_properties'), data.data.name, function () {
+                        pimcore.helpers.deleteConfirm(t('predefined_properties'),
+                            Ext.util.Format.htmlEncode(data.data.name),
+                            function () {
                             grid.getStore().removeAt(rowIndex);
                         }.bind(this));
                     }.bind(this)