Add a csrf check to the Lister bookmarks form and make markup disallo…

…wed by default (with optional argument to enable it) in ProcessController ajax notification response generator (as used by some Lister errors).

Co-authored-by: filipaze <filipaze98@gmail.com>
Co-authored-by: rondons <guilhermetamagnini@gmail.com>

wire/core/ProcessController.php

@@ -81,6 +81,7 @@ class ProcessController extends Wire {
 	 *
 	 */
 	public function __construct() {
+		parent::__construct();
 		$this->prefix = 'Process';
 		$this->processMethodName = ''; // blank indicates default/index method
 	}
@@ -463,13 +464,15 @@ protected function getViewFile(Process $process, $method = '') {
 	 * 
 	 * @param string $msg
 	 * @param bool $error
+	 * @param bool $allowMarkup
 	 * @return string JSON encoded string
 	 *
 	 */
-	public function jsonMessage($msg, $error = false) {
+	public function jsonMessage($msg, $error = false, $allowMarkup = false) {
+		if(!$allowMarkup) $msg = $this->wire()->sanitizer->entities($msg);
 		return json_encode(array(
-			'error' => $error, 
-			'message' => $msg
+			'error' => (bool) $error, 
+			'message' => (string) $msg
 		)); 
 	}
 

wire/modules/Process/ProcessPageLister/ProcessPageListerBookmarks.php

@@ -445,6 +445,7 @@ public function executeEditBookmark() {
 
 		$deleteBookmarkID = $this->bookmarks->_bookmarkID($input->post('delete_bookmark'));
 		if($deleteBookmarkID) {
+			$session->CSRF()->validate();
 			if($this->bookmarks->deleteBookmarkByID($deleteBookmarkID)) {
 				$this->message($this->_('Deleted bookmark'));
 			} else {
@@ -455,7 +456,9 @@ public function executeEditBookmark() {
 		}
 
 		if($input->post('bookmark_title')) {
-			return $this->executeSaveBookmark();
+			$session->CSRF()->validate();
+			$this->executeSaveBookmark();
+			return '';
 		}
 
 		$bookmarkID = $this->bookmarks->_bookmarkID($input->get('bookmark'));