diff --git a/lib/Alchemy/Phrasea/Controller/Prod/RecordController.php b/lib/Alchemy/Phrasea/Controller/Prod/RecordController.php
index ef67a81ae0..0a948d6d1d 100644
--- a/lib/Alchemy/Phrasea/Controller/Prod/RecordController.php
+++ b/lib/Alchemy/Phrasea/Controller/Prod/RecordController.php
@@ -90,35 +90,44 @@ class RecordController extends Controller } $recordCaptions["technicalInfo"] = $record->getPositionFromTechnicalInfos(); + // escape record title before rendering + $recordTitle = explode("", $record->get_title()); + if (count($recordTitle) >1) { + $recordTitle[1] = htmlspecialchars($recordTitle[1]); + $recordTitle = implode("", $recordTitle); + } else { + $recordTitle = htmlspecialchars($record->get_title()); + } + return $this->app->json([ - "desc" => $this->render('prod/preview/caption.html.twig', [ + "desc" => $this->render('prod/preview/caption.html.twig', [ 'record' => $record, 'highlight' => $query, 'searchEngine' => $searchEngine, 'searchOptions' => $options, ]), - "recordCaptions"=> $recordCaptions, - "html_preview" => $this->render('common/preview.html.twig', [ + "recordCaptions" => $recordCaptions, + "html_preview" => $this->render('common/preview.html.twig', [ 'record' => $record ]), - "others" => $this->render('prod/preview/appears_in.html.twig', [ + "others" => $this->render('prod/preview/appears_in.html.twig', [ 'parents' => $record->get_grouping_parents(), 'baskets' => $record->get_container_baskets($this->getEntityManager(), $this->getAuthenticatedUser()), ]), - "current" => $train, - "record" => $currentRecord, - "history" => $this->render('prod/preview/short_history.html.twig', [ + "current" => $train, + "record" => $currentRecord, + "history" => $this->render('prod/preview/short_history.html.twig', [ 'record' => $record, ]), - "popularity" => $this->render('prod/preview/popularity.html.twig', [ + "popularity" => $this->render('prod/preview/popularity.html.twig', [ 'record' => $record, ]), - "tools" => $this->render('prod/preview/tools.html.twig', [ + "tools" => $this->render('prod/preview/tools.html.twig', [ 'record' => $record, ]), - "pos" => $record->getNumber(), - "title" => $record->get_title(), - "databox_name" => $record->getDatabox()->get_dbname(), + "pos" => $record->getNumber(), + "title" => $recordTitle, + 
"databox_name" => $record->getDatabox()->get_dbname(),
 "collection_name" => $record->getCollection()->get_name(),
 "collection_logo" => $record->getCollection()->getLogo($record->getBaseId(), $this->app),
 ]);
diff --git a/lib/Alchemy/Phrasea/Controller/Thesaurus/ThesaurusController.php b/lib/Alchemy/Phrasea/Controller/Thesaurus/ThesaurusController.php
index a278a516d7..1bd06d83b2 100644
--- a/lib/Alchemy/Phrasea/Controller/Thesaurus/ThesaurusController.php
+++ b/lib/Alchemy/Phrasea/Controller/Thesaurus/ThesaurusController.php
@@ -806,7 +806,7 @@ class ThesaurusController extends Controller
 if (!$t) {
 $t = "...";
 }
- $fullBranch = " / " . $t . $fullBranch;
+ $fullBranch = " / " . htmlspecialchars($t) . $fullBranch;
 }
 }
 $nodes = $xpathstruct->query("/record/description/*");
@@ -1159,7 +1159,7 @@ class ThesaurusController extends Controller
 '1',
 null
 );
- $fullpath = $dom->getElementsByTagName("fullpath_html")->item(0)->firstChild->nodeValue;
+ $fullpathHtml = $dom->getElementsByTagName("fullpath_html")->item(0)->firstChild->nodeValue;
 $hits = $dom->getElementsByTagName("allhits")->item(0)->firstChild->nodeValue;
 
 $languages = $synonyms = [];
@@ -1180,6 +1180,16 @@ class ThesaurusController extends Controller
 $languages[$lng_code[0]] = $language;
 }
 
+ // Escape path between span tag in fullpath_html
+ preg_match_all("'(<[^><]*>)(.*?)(<[^><]*>)'", $fullpathHtml, $matches, PREG_SET_ORDER);
+
+ $safeFullpath = '';
+ foreach($matches as $match) {
+ unset($match[0]); // full match result not used
+ $match[2] = htmlspecialchars($match[2]);
+ $safeFullpath .= implode('', $match);
+ }
+
 return $this->render('thesaurus/properties.html.twig', [
 'typ' => $request->get('typ'),
 'bid' => $request->get('bid'),
@@ -1187,7 +1197,7 @@ class ThesaurusController extends Controller
 'id' => $request->get('id'),
 'dlg' => $request->get('dlg'),
 'languages' => $languages,
- 'fullpath' => $fullpath,
+ 'fullpath' => $safeFullpath,
 'hits' => $hits,
 'synonyms' => $synonyms,
 ]);
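Review bot: When the title splits into more than one segment, only `$recordTitle[1]` goes through htmlspecialchars; segment 0 and any segment past index 1 reach the JSON `"title"` value unescaped, so the escaping is partial unless segment 0 is application-generated markup, in which case the comment above the block should say so. As rendered here the explode/implode delimiter is an empty string (it may have been lost when the diff was rendered); an empty delimiter makes explode() throw ValueError on PHP 8 and return false with a warning on PHP 7, so the real delimiter should be checked in the source. If every segment is untrusted, one line does the whole job: `$recordTitle = implode(DELIM, array_map(static fn ($s) => htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'), explode(DELIM, $record->get_title())));` where DELIM is a placeholder for the delimiter actually used in the hunk. Passing flags and charset explicitly matters because before PHP 8.1 htmlspecialchars defaults to ENT_COMPAT and leaves single quotes unescaped; the same applies to the htmlspecialchars calls in the ThesaurusController hunks at lines 806 and 1180. The enclosing method starts before this hunk.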
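Review bot: Text of `$fullpathHtml` that is not enclosed between two consecutive tags is silently dropped from `$safeFullpath`: anything before the first tag, after the last matched pair, or between a closing tag and the next opening tag (a separator between two spans, for instance) never reaches the output, because the pattern consumes tag/text/tag triples and only their captured groups are re-assembled. The return value of `preg_match_all` is not checked either, so a PCRE failure yields an empty path instead of an error, and the tags themselves (`$match[1]`, `$match[3]`) are emitted verbatim, which is acceptable only if fullpath_html is built server-side by the thesaurus query — that source is outside this hunk. Splitting on tags with `PREG_SPLIT_DELIM_CAPTURE` keeps every text piece and escapes each of them; the `'fullpath' => $safeFullpath` line in the next hunk is unaffected.
```php
// Escape every text piece of fullpath_html; the tags produced by the thesaurus query are kept as-is
$parts = preg_split('/(<[^><]*>)/', $fullpathHtml, -1, PREG_SPLIT_DELIM_CAPTURE);
if ($parts === false) {
    // PCRE failure (see preg_last_error()): treat the whole value as text rather than dropping it
    $parts = [$fullpathHtml];
}

$safeFullpath = '';
foreach ($parts as $i => $part) {
    // with DELIM_CAPTURE the captured tags sit at odd indexes, text (possibly empty) at even ones
    $safeFullpath .= $i % 2 === 0 ? htmlspecialchars($part, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') : $part;
}
// … unchanged: return $this->render('thesaurus/properties.html.twig', [ …
```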
diff --git a/templates/web/admin/connected-users.html.twig b/templates/web/admin/connected-users.html.twig
index 9477e20edf..4b784a385f 100644
--- a/templates/web/admin/connected-users.html.twig
+++ b/templates/web/admin/connected-users.html.twig
@@ -94,7 +94,7 @@
 {% for session in data['sessions'] %}
 {% set row = session['session'] %}
-
+
 {% if row.getId() == app['session'].get('session_id') %}
 {{ row.getUser().getDisplayName() }}
diff --git a/templates/web/lightbox/index.html.twig b/templates/web/lightbox/index.html.twig
index 9ff76249e1..70fb42608b 100644
--- a/templates/web/lightbox/index.html.twig
+++ b/templates/web/lightbox/index.html.twig
@@ -51,7 +51,7 @@

- {{basket.getName()|raw}}
+ {{basket.getName()|e}}

{% if basket.getValidation().isFinished() %} {{ '(validation) session terminee' | trans }}
@@ -116,7 +116,7 @@
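Review bot: `|e` without an argument applies Twig's HTML strategy, and the markup around this output was lost in the rendered diff, so it is worth confirming that `basket.getName()` is emitted in element content rather than inside an attribute or a script block, where `e('html_attr')` or `e('js')` would be the right strategy; the same holds for the second hunk of this file at line 116 and for the `{{basket.getName()|e}}` change in templates/web/prod/WorkZone/Macros.html.twig. Dropping `|raw` also means a basket name containing markup now renders literally, which looks intended but deserves a line in the commit message. In Macros.html.twig the original output carried no filter at all: if autoescaping is enabled for that template the added `|e` changes nothing, and if it is disabled the other outputs in the same template need the same review.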

- {{ basket.getName()|raw}}
+ {{ basket.getName()|e}}

diff --git a/templates/web/prod/WorkZone/Macros.html.twig b/templates/web/prod/WorkZone/Macros.html.twig
index d496cb2e7c..cbb022a8d3 100644
--- a/templates/web/prod/WorkZone/Macros.html.twig
+++ b/templates/web/prod/WorkZone/Macros.html.twig
@@ -19,7 +19,7 @@
 {% endif %}
- {{basket.getName()}}
+ {{basket.getName()|e}}