[Targeting] Escape/validate names of rules properly
brusch committed Jan 17, 2022
1 parent d8377fc commit 3125d5f
Showing 1 changed file with 11 additions and 4 deletions.
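--- a/bundles/AdminBundle/Controller/Admin/TargetingController.php
+++ b/bundles/AdminBundle/Controller/Admin/TargetingController.php
@@ -37,6 +37,11 @@ class TargetingController extends AdminController implements KernelControllerEve
 {
 // RULES
 
+private function correctName(string $name): string
+{
+return preg_replace('/[#\?\*\:\\\\<\>\|"%&@=;\+]/', '-', $name);
+}
+
 /**
 * @Route("/rule/list", name="pimcore_admin_targeting_rulelist", methods={"GET"})
 *
@@ -55,7 +60,7 @@ public function ruleListAction(Request $request)
 foreach ($list->load() as $target) {
 $targets[] = [
 'id' => $target->getId(),
-'text' => $target->getName(),
+'text' => htmlspecialchars($target->getName()),
 'active' => $target->getActive(),
 'qtip' => 'ID: ' . $target->getId(),
 ];
@@ -74,7 +79,7 @@ public function ruleListAction(Request $request)
 public function ruleAddAction(Request $request)
 {
 $target = new Targeting\Rule();
-$target->setName($request->get('name'));
+$target->setName($this->correctName($request->get('name')));
 $target->save();
 
 return $this->adminJson(['success' => true, 'id' => $target->getId()]);
@@ -129,6 +134,7 @@ public function ruleSaveAction(Request $request)
 /** @var Targeting\Rule|Targeting\Rule\Dao $target */
 $target = Targeting\Rule::getById($request->get('id'));
 $target->setValues($data['settings']);
+$target->setName($this->correctName($target->getName()));
 $target->setConditions($data['conditions']);
 $target->setActions($data['actions']);
 $target->save();
@@ -208,7 +214,7 @@ public function targetGroupListAction(Request $request)
 foreach ($list->load() as $targetGroup) {
 $targetGroups[] = [
 'id' => $targetGroup->getId(),
-'text' => $targetGroup->getName(),
+'text' => htmlspecialchars($targetGroup->getName()),
 'active' => $targetGroup->getActive(),
 'qtip' => $targetGroup->getId(),
 ];
@@ -230,7 +236,7 @@ public function targetGroupAddAction(Request $request, CoreCacheHandler $cache,
 {
 /** @var TargetGroup|TargetGroup\Dao $targetGroup */
 $targetGroup = new TargetGroup();
-$targetGroup->setName($request->get('name'));
+$targetGroup->setName($this->correctName($request->get('name')));
 $targetGroup->save();
 
 $event = new TargetGroupEvent($targetGroup);
@@ -300,6 +306,7 @@ public function targetGroupSaveAction(Request $request, CoreCacheHandler $cache,
 /** @var TargetGroup|TargetGroup\Dao $targetGroup */
 $targetGroup = TargetGroup::getById($request->get('id'));
 $targetGroup->setValues($data['settings']);
+$targetGroup->setName($this->correctName($targetGroup->getName()));
 $targetGroup->save();
 
 $event = new TargetGroupEvent($targetGroup);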
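Review bot: The new `correctName(string $name)` is fed `$request->get('name')` unchanged in ruleAddAction and targetGroupAddAction, and Symfony's `Request::get()` returns null when the parameter is absent, so a request without a `name` now dies with a TypeError (HTTP 500) instead of being rejected; the same hole exists in the save actions if `$data['settings']` carries no name and `getName()` yields null. Coerce and validate at the boundary, e.g. `$name = trim($this->correctName((string) $request->get('name', '')));` and return `$this->adminJson(['success' => false])` when it is empty, rather than letting the type system do the rejecting. The regex is a blacklist that leaves the single quote and control characters untouched, and the list endpoints rely on `htmlspecialchars()` defaults, which on PHP 8.0 are ENT_COMPAT and do not encode `'`; pass `ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'` explicitly so names landing in single-quoted attributes are covered. `preg_replace()` also returns null on a PCRE error, which would violate the `string` return type, so a `?? $name` fallback or a `preg_last_error()` check would keep the helper total. The edited action methods begin and end outside the hunks shown.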
