[Data Object] Properly escape version preview values
brusch committed Aug 25, 2021
1 parent af229c0 commit 9fd55a903fe9242fe7268efb7da051eb6f7b99cc
@@ -58,10 +58,6 @@ public function isDiffChangeAllowed($object, $params = [])
*/
public function getVersionPreview($data, $object = null, $params = [])
{
// remove all <script> tags, to prevent XSS in the version preview
// this should normally be filtered in the project specific controllers/action (/website folder) but just to be sure
$data = preg_replace('#<script(.*?)>(.*?)</script>#is', '', $data);

return $data;
return htmlspecialchars($data);
}
}
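Review bot: The new `return htmlspecialchars($data);` relies on the default flags, which on the PHP versions current for this commit leave single quotes unencoded and, without ENT_SUBSTITUTE, make htmlspecialchars return an empty string for any value containing invalid UTF-8, so a preview is silently blanked instead of escaped. If the preview is ever placed in a single-quoted attribute the escape is bypassed; prefer `return htmlspecialchars($data, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');`. Replacing the `<script>` blacklist with output encoding is the right direction, but the dropped comment was the only statement of why this method encodes at all; a one-line `// encode for HTML context: the version preview is rendered as HTML in the admin UI` would keep that intent. Whether `$data` can be non-string here (an array or null) cannot be seen from the hunk; if an array can arrive, htmlspecialchars would throw a TypeError under PHP 8.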
@@ -345,7 +345,7 @@ public function getDataFromEditmode($data, $object = null, $params = [])
public function getVersionPreview($data, $object = null, $params = [])
{
if (is_array($data)) {
return implode(',', $data);
return implode(',', array_map($data, 'htmlspecialchars'));
}

return null;
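Review bot: The new line passes array_map's arguments in the wrong order — the signature is `array_map(callable $callback, array $array)`, so `array_map($data, 'htmlspecialchars')` hands the data array in as the callback and the string as the array. On PHP 8 this throws a TypeError for every array-valued preview, and on PHP 7 it emits a warning and returns null, which implode then cannot join; either way nothing is escaped. It should read `return implode(',', array_map('htmlspecialchars', $data));`. Consider a closure instead of the string callable so explicit flags can be passed, e.g. `static function ($v) { return htmlspecialchars((string) $v, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'); }`, since the default flags leave single quotes unencoded and blank values with invalid UTF-8.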
@@ -383,7 +383,7 @@ public function getVersionPreview($data, $object = null, $params = [])
}
}

return $data->getValue() . $unit;
return htmlspecialchars($data->getValue() . $unit);
}

return '';
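Review bot: `htmlspecialchars($data->getValue() . $unit)` uses the default flags, so on the PHP versions in use at this commit single quotes pass through unencoded and a value with invalid UTF-8 becomes an empty preview; prefer `return htmlspecialchars($data->getValue() . $unit, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');`. Concatenating `$unit` before escaping is the right order, since the unit text is covered as well. The method and the assignment of `$unit` begin above the hunk, so whether `$unit` is user-controlled cannot be checked from here.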
@@ -308,7 +308,7 @@ public function getDataFromEditmode($data, $object = null, $params = [])
*/
public function getVersionPreview($data, $object = null, $params = [])
{
return $data;
return htmlspecialchars($data);
}

/**
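Review bot: The new `return htmlspecialchars($data);` changes the null case — the old line returned `$data` untouched, so a null preview stayed null, whereas htmlspecialchars(null) yields an empty string (and raises a deprecation notice from PHP 8.1 on). If callers distinguish "no value" from an empty string, guard it and pass explicit flags in the same step: `return $data === null ? null : htmlspecialchars($data, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');`, which also keeps single quotes encoded and substitutes invalid UTF-8 instead of blanking the preview. Whether null can actually reach this method cannot be seen from the hunk.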
