PHRAS-2276 port to 4.1 template escape (#2819)

* fix escape lightbox

* fix escape in admin connected-user

* fix prod escaping

* fix escaping in thesaurus

* escape when rendered

* escape in controller
This commit is contained in:
jygaulier
2019-04-08 14:30:00 +02:00
committed by GitHub
8 changed files with 79 additions and 33 deletions

View File

@@ -90,35 +90,44 @@ class RecordController extends Controller
} }
$recordCaptions["technicalInfo"] = $record->getPositionFromTechnicalInfos(); $recordCaptions["technicalInfo"] = $record->getPositionFromTechnicalInfos();
// escape record title before rendering
$recordTitle = explode("</span>", $record->get_title());
if (count($recordTitle) >1) {
$recordTitle[1] = htmlspecialchars($recordTitle[1]);
$recordTitle = implode("</span>", $recordTitle);
} else {
$recordTitle = htmlspecialchars($record->get_title());
}
return $this->app->json([ return $this->app->json([
"desc" => $this->render('prod/preview/caption.html.twig', [ "desc" => $this->render('prod/preview/caption.html.twig', [
'record' => $record, 'record' => $record,
'highlight' => $query, 'highlight' => $query,
'searchEngine' => $searchEngine, 'searchEngine' => $searchEngine,
'searchOptions' => $options, 'searchOptions' => $options,
]), ]),
"recordCaptions"=> $recordCaptions, "recordCaptions" => $recordCaptions,
"html_preview" => $this->render('common/preview.html.twig', [ "html_preview" => $this->render('common/preview.html.twig', [
'record' => $record 'record' => $record
]), ]),
"others" => $this->render('prod/preview/appears_in.html.twig', [ "others" => $this->render('prod/preview/appears_in.html.twig', [
'parents' => $record->get_grouping_parents(), 'parents' => $record->get_grouping_parents(),
'baskets' => $record->get_container_baskets($this->getEntityManager(), $this->getAuthenticatedUser()), 'baskets' => $record->get_container_baskets($this->getEntityManager(), $this->getAuthenticatedUser()),
]), ]),
"current" => $train, "current" => $train,
"record" => $currentRecord, "record" => $currentRecord,
"history" => $this->render('prod/preview/short_history.html.twig', [ "history" => $this->render('prod/preview/short_history.html.twig', [
'record' => $record, 'record' => $record,
]), ]),
"popularity" => $this->render('prod/preview/popularity.html.twig', [ "popularity" => $this->render('prod/preview/popularity.html.twig', [
'record' => $record, 'record' => $record,
]), ]),
"tools" => $this->render('prod/preview/tools.html.twig', [ "tools" => $this->render('prod/preview/tools.html.twig', [
'record' => $record, 'record' => $record,
]), ]),
"pos" => $record->getNumber(), "pos" => $record->getNumber(),
"title" => $record->get_title(), "title" => $recordTitle,
"databox_name" => $record->getDatabox()->get_dbname(), "databox_name" => $record->getDatabox()->get_dbname(),
"collection_name" => $record->getCollection()->get_name(), "collection_name" => $record->getCollection()->get_name(),
"collection_logo" => $record->getCollection()->getLogo($record->getBaseId(), $this->app), "collection_logo" => $record->getCollection()->getLogo($record->getBaseId(), $this->app),
]); ]);

View File

@@ -806,7 +806,7 @@ class ThesaurusController extends Controller
if (!$t) { if (!$t) {
$t = "..."; $t = "...";
} }
$fullBranch = " / " . $t . $fullBranch; $fullBranch = " / " . htmlspecialchars($t) . $fullBranch;
} }
} }
$nodes = $xpathstruct->query("/record/description/*"); $nodes = $xpathstruct->query("/record/description/*");
@@ -1159,7 +1159,7 @@ class ThesaurusController extends Controller
'1', '1',
null null
); );
$fullpath = $dom->getElementsByTagName("fullpath_html")->item(0)->firstChild->nodeValue; $fullpathHtml = $dom->getElementsByTagName("fullpath_html")->item(0)->firstChild->nodeValue;
$hits = $dom->getElementsByTagName("allhits")->item(0)->firstChild->nodeValue; $hits = $dom->getElementsByTagName("allhits")->item(0)->firstChild->nodeValue;
$languages = $synonyms = []; $languages = $synonyms = [];
@@ -1180,6 +1180,16 @@ class ThesaurusController extends Controller
$languages[$lng_code[0]] = $language; $languages[$lng_code[0]] = $language;
} }
// Escape path between span tag in fullpath_html
preg_match_all("'(<[^><]*>)(.*?)(<[^><]*>)'", $fullpathHtml, $matches, PREG_SET_ORDER);
$safeFullpath = '';
foreach($matches as $match) {
unset($match[0]); // full match result not used
$match[2] = htmlspecialchars($match[2]);
$safeFullpath .= implode('', $match);
}
return $this->render('thesaurus/properties.html.twig', [ return $this->render('thesaurus/properties.html.twig', [
'typ' => $request->get('typ'), 'typ' => $request->get('typ'),
'bid' => $request->get('bid'), 'bid' => $request->get('bid'),
@@ -1187,7 +1197,7 @@ class ThesaurusController extends Controller
'id' => $request->get('id'), 'id' => $request->get('id'),
'dlg' => $request->get('dlg'), 'dlg' => $request->get('dlg'),
'languages' => $languages, 'languages' => $languages,
'fullpath' => $fullpath, 'fullpath' => $safeFullpath,
'hits' => $hits, 'hits' => $hits,
'synonyms' => $synonyms, 'synonyms' => $synonyms,
]); ]);

View File

@@ -94,7 +94,7 @@
<tbody> <tbody>
{% for session in data['sessions'] %} {% for session in data['sessions'] %}
{% set row = session['session'] %} {% set row = session['session'] %}
<tr title="{{ _self.tooltip_connected_users(row) | raw }}" class="{% if loop.index is odd %}odd{% else %}even{% endif %} usrTips" id="TREXP_{{ row.getId()}}"> <tr title="{{ _self.tooltip_connected_users(row) | e }}" class="{% if loop.index is odd %}odd{% else %}even{% endif %} usrTips" id="TREXP_{{ row.getId()}}">
{% if row.getId() == app['session'].get('session_id') %} {% if row.getId() == app['session'].get('session_id') %}
<td style="color:#ff0000"><i>{{ row.getUser().getDisplayName() }}</i></td> <td style="color:#ff0000"><i>{{ row.getUser().getDisplayName() }}</i></td>

View File

@@ -51,7 +51,7 @@
<tr> <tr>
<td> <td>
<h2 class="title15"> <h2 class="title15">
{{basket.getName()|raw}} {{basket.getName()|e}}
</h2> </h2>
{% if basket.getValidation().isFinished() %} {% if basket.getValidation().isFinished() %}
{{ '(validation) session terminee' | trans }} {{ '(validation) session terminee' | trans }}
@@ -116,7 +116,7 @@
<tr> <tr>
<td> <td>
<h2 class="title15"> <h2 class="title15">
{{ basket.getName()|raw}} {{ basket.getName()|e}}
</h2> </h2>
</td> </td>
<td class="right"> <td class="right">

View File

@@ -19,7 +19,7 @@
<img src='/assets/common/images/icons/basket_push_unread.png' title=''/> <img src='/assets/common/images/icons/basket_push_unread.png' title=''/>
{% endif %} {% endif %}
<img src='/assets/common/images/icons/basket.png' title=''/> <img src='/assets/common/images/icons/basket.png' title=''/>
{{basket.getName()}} {{basket.getName()|e}}
</span> </span>
</a> </a>
<div class="menu"> <div class="menu">
@@ -99,7 +99,7 @@
{% else %} {% else %}
<img src='/assets/common/images/icons/basket.png' title=''/> <img src='/assets/common/images/icons/basket.png' title=''/>
{% endif %} {% endif %}
{{basket.getName()}} {{basket.getName()|e}}
</span> </span>
</a> </a>
<div class="menu"> <div class="menu">

View File

@@ -12,17 +12,17 @@
<table> <table>
<tr> <tr>
<td> <td>
<span class="name"><%= item.display_name %></span> <span class="name"><%= htmlEncode(item.display_name) %></span>
</td> </td>
</tr> </tr>
<tr> <tr>
<td> <td>
<span class="email"><i><%= item.email %></i></span> <span class="email"><i><%= htmlEncode(item.email) %></i></span>
</td> </td>
</tr> </tr>
<tr> <tr>
<td> <td>
<span class="subtite"><%= item.subtitle || '' %></span> <span class="subtite"><%= htmlEncode(item.subtitle) || '' %></span>
</td> </td>
</tr> </tr>
</table> </table>
@@ -47,7 +47,7 @@
<table> <table>
<tr> <tr>
<td> <td>
<span class="name"><%= item.name %></span> <span class="name"><%= htmlEncode(item.name) %></span>
</td> </td>
</tr> </tr>
<tr> <tr>
@@ -81,12 +81,12 @@
<table> <table>
<tr> <tr>
<td colspan="3"> <td colspan="3">
<span class="name"><%= user.display_name %></span> <span class="name"><%= htmlEncode(user.display_name) %></span>
</td> </td>
</tr> </tr>
<tr> <tr>
<td colspan="3"> <td colspan="3">
<span class="subtite"><%= user.subtitle || '' %></span> <span class="subtite"><%= htmlEncode(user.subtitle) || '' %></span>
</td> </td>
</tr> </tr>
<tr class="toggles"> <tr class="toggles">
@@ -201,12 +201,12 @@
<table> <table>
<tr> <tr>
<td colspan="3"> <td colspan="3">
<span class="name"><%= user.display_name %></span> <span class="name"><%= htmlEncode(user.display_name) %></span>
</td> </td>
</tr> </tr>
<tr> <tr>
<td colspan="3"> <td colspan="3">
<span class="subtite"><%= user.subtitle || '' %></span> <span class="subtite"><%= htmlEncode(user.subtitle) || '' %></span>
</td> </td>
</tr> </tr>
<tr class="toggles"> <tr class="toggles">
@@ -242,12 +242,12 @@
<table> <table>
<tr> <tr>
<td colspan="3"> <td colspan="3">
<span class="name"><%= user.display_name %></span> <span class="name"><%= htmlEncode(user.display_name) %></span>
</td> </td>
</tr> </tr>
<tr> <tr>
<td colspan="3"> <td colspan="3">
<span class="subtite"><%= user.subtitle || '' %></span> <span class="subtite"><%= htmlEncode(user.subtitle) || '' %></span>
</td> </td>
</tr> </tr>
<tr class="toggles"> <tr class="toggles">
@@ -267,3 +267,22 @@
</div> </div>
</script> </script>
<script>
function htmlEncode(str) {
return str.replace(/[&"'<>]/g, function(c){
switch (c)
{
case "&":
return "&amp;";
case "'":
return "&#39;";
case '"':
return "&quot;";
case "<":
return "&lt;";
case ">":
return "&gt;";
}
});
}
</script>

View File

@@ -16,11 +16,11 @@
{% if context %} {% if context %}
{% set zterm %} {% set zterm %}
{% trans with {'%term%' : term, '%context%' : context} %}thesaurus:: le terme %term% avec contexte %context%{% endtrans %} {% trans with {'%term%' : term | e, '%context%' : context | e} %}thesaurus:: le terme %term% avec contexte %context%{% endtrans %}
{% endset %} {% endset %}
{% else %} {% else %}
{% set zterm %} {% set zterm %}
{% trans with {'%term%' : term} %}thesaurus:: le terme %term% sans contexte{% endtrans %} {% trans with {'%term%' : term | e} %}thesaurus:: le terme %term% sans contexte{% endtrans %}
{% endset %} {% endset %}
{% endif %} {% endif %}

View File

@@ -338,6 +338,8 @@
for(var sy=syl.item(0).firstChild; sy; sy=sy.nextSibling ) for(var sy=syl.item(0).firstChild; sy; sy=sy.nextSibling )
{ {
var lng = sy.getAttribute("lng"); var lng = sy.getAttribute("lng");
var v = escapeHtmlDataFromXML(sy.getAttribute("v"));
html += "<tr>"; html += "<tr>";
if(lng) if(lng)
if(tFlags[lng]) if(tFlags[lng])
@@ -347,7 +349,7 @@
else else
html += "<td><span style='background-color:#cccccc'>&nbsp;?&nbsp;</span></td>"; html += "<td><span style='background-color:#cccccc'>&nbsp;?&nbsp;</span></td>";
html += "<td>&nbsp;"+sy.getAttribute("v")+"</td>"; html += "<td>&nbsp;"+ v +"</td>";
var hits = 0+sy.getAttribute("hits"); var hits = 0+sy.getAttribute("hits");
if(hits == 1) if(hits == 1)
@@ -361,6 +363,12 @@
return(html); return(html);
} }
// Let the browser to do it
function escapeHtmlDataFromXML(data){
var d = document.createElement('div');
d.appendChild(document.createTextNode(data));
return d.innerHTML;
}
// /////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// // ///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
// //