From 83cd91f1d11cf78d46832c7318418edbc8dcd3d4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20B=C3=B6hmer?=
Date: Sun, 26 Feb 2023 01:23:36 +0100
Subject: [PATCH] Fixed potential XSS injection vectors in datatables columns
---
src/DataTables/Column/EntityColumn.php | 2 +-
src/DataTables/Column/SIUnitNumberColumn.php | 2 +-
src/DataTables/PartsDataTable.php | 8 ++++----
src/DataTables/ProjectBomEntriesDataTable.php | 4 ++--
src/Services/ElementTypeNameGenerator.php | 2 +-
src/Services/LogSystem/LogEntryExtraFormatter.php | 2 +-
6 files changed, 10 insertions(+), 10 deletions(-)
diff --git a/src/DataTables/Column/EntityColumn.php b/src/DataTables/Column/EntityColumn.php
index d48d6da1..4ccc2ce4 100644
--- a/src/DataTables/Column/EntityColumn.php
+++ b/src/DataTables/Column/EntityColumn.php
@@ -79,7 +79,7 @@ class EntityColumn extends AbstractColumn
 return sprintf(
 '%s',
 $this->urlGenerator->listPartsURL($entity),
- $entity->getName()
+ htmlspecialchars($entity->getName())
 );
 }
diff --git a/src/DataTables/Column/SIUnitNumberColumn.php b/src/DataTables/Column/SIUnitNumberColumn.php
index a66bc868..bc9d866f 100644
--- a/src/DataTables/Column/SIUnitNumberColumn.php
+++ b/src/DataTables/Column/SIUnitNumberColumn.php
@@ -50,6 +50,6 @@ class SIUnitNumberColumn extends AbstractColumn
 return '';
 }
- return $this->formatter->format((float) $value, $this->options['unit'], $this->options['precision']);
+ return htmlspecialchars($this->formatter->format((float) $value, $this->options['unit'], $this->options['precision']));
 }
 }
\ No newline at end of file
diff --git a/src/DataTables/PartsDataTable.php b/src/DataTables/PartsDataTable.php
index f38215e3..d67ed0db 100644
--- a/src/DataTables/PartsDataTable.php
+++ b/src/DataTables/PartsDataTable.php
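Review bot: The escape on the `+` line calls htmlspecialchars() with default flags, which are version-dependent: before PHP 8.1 single quotes are left unescaped, and without ENT_SUBSTITUTE a name containing invalid UTF-8 makes htmlspecialchars() return an empty string, so the link would silently render with no text. Pin the flags and charset explicitly: `htmlspecialchars($entity->getName(), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')`. The first sprintf argument, the URL from listPartsURL(), is still interpolated unescaped; the format string appears here as a bare `'%s'` with two arguments, which suggests markup was stripped from this rendering, so if the URL lands in an attribute it should be escaped the same way. The method this sprintf belongs to starts before the hunk.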
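Review bot: The `+` line changes this column's output contract — it now returns entity-encoded text, which is only correct if the datatable layer emits the column raw; if the bundle or the Twig template escapes non-raw column values again, an `&` in a unit string will surface as `&amp;amp;`. Check the column's `raw` option and the rendering path (both outside this hunk); if the column is not rendered raw, the escape belongs in the template rather than here. The input is a cast float plus the developer-supplied `unit`/`precision` options, so this is defense in depth rather than a user-input sink, and a short comment such as `// output is injected into table HTML as-is; escape defensively` would explain the wrap to the next reader. The enclosing method starts before the hunk.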
@@ -177,7 +177,7 @@ final class PartsDataTable implements DataTableTypeInterface
 $tmp[] = sprintf(
 '%s',
 $this->urlGenerator->listPartsURL($lot->getStorageLocation()),
- $lot->getStorageLocation()->getName()
+ htmlspecialchars($lot->getStorageLocation()->getName())
 );
 }
@@ -192,13 +192,13 @@ final class PartsDataTable implements DataTableTypeInterface
 $amount = $context->getAmountSum();
 $expiredAmount = $context->getExpiredAmountSum();
- $ret = $this->amountFormatter->format($amount, $context->getPartUnit());
+ $ret = htmlspecialchars($this->amountFormatter->format($amount, $context->getPartUnit()));
 //If we have expired lots, we show them in parentheses behind
 if ($expiredAmount > 0) {
 $ret .= sprintf(' (+%s)', $this->translator->trans('part_lots.is_expired'),
- $this->amountFormatter->format($expiredAmount, $context->getPartUnit()));
+ htmlspecialchars($this->amountFormatter->format($expiredAmount, $context->getPartUnit())));
 }
@@ -210,7 +210,7 @@ final class PartsDataTable implements DataTableTypeInterface
 'label' => $this->translator->trans('part.table.minamount'),
 'visible' => false,
 'render' => function ($value, Part $context) {
- return $this->amountFormatter->format($value, $context->getPartUnit());
+ return htmlspecialchars($this->amountFormatter->format($value, $context->getPartUnit()));
 },
 ]);
diff --git a/src/DataTables/ProjectBomEntriesDataTable.php b/src/DataTables/ProjectBomEntriesDataTable.php
index 8d7c839d..53b3e10d 100644
--- a/src/DataTables/ProjectBomEntriesDataTable.php
+++ b/src/DataTables/ProjectBomEntriesDataTable.php
@@ -84,7 +84,7 @@ class ProjectBomEntriesDataTable implements DataTableTypeInterface
 return round($context->getQuantity());
 }
 //Otherwise use the unit of the part to format the quantity
- return $this->amountFormatter->format($context->getQuantity(), $context->getPart()->getPartUnit());
+ return htmlspecialchars($this->amountFormatter->format($context->getQuantity(), $context->getPart()->getPartUnit()));
 },
 ])
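Review bot: `$lot->getStorageLocation()` is evaluated twice inside the sprintf (once for the URL, once on the `+` line), and whatever null check guards this branch sits outside the hunk, so the reader cannot confirm here that the second call is safe. Hoist it once above the sprintf, `$location = $lot->getStorageLocation();`, and pass `$location` to listPartsURL() and to `htmlspecialchars($location->getName(), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')`. The explicit flags also make the escaping independent of the PHP version's htmlspecialchars() defaults (pre-8.1 leaves single quotes alone). The loop body this belongs to starts before the hunk.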
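Review bot: The two `+` lines escape the formatter output, but the other sprintf argument on the line above, `$this->translator->trans('part_lots.is_expired')`, is still interpolated unescaped; the format string shows two arguments for a single visible `%s`, which suggests a tag (likely carrying an attribute) was stripped from this rendering, so a translation containing a quote or `<` would break the markup. Translations are editable data in many deployments, so escape it the same way: `htmlspecialchars($this->translator->trans('part_lots.is_expired'), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')`. The render closure this belongs to continues past the end of the hunk.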
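Review bot: The `+` line is the third place in this file that wraps `$this->amountFormatter->format(...)` in a bare htmlspecialchars(), each repeating the default-flag call; a single private helper, `private function escape(string $s): string { return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'); }`, used from all three render closures would keep the flags consistent and make a later change (or a move of the escaping into the formatter) a one-line edit. As written the escaping also relies on the `minamount` column being rendered raw by the table; that option is set outside the hunk, so confirm it. The column definition this closure belongs to starts before the hunk.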
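Review bot: After this change the render closure returns a float from `return round($context->getQuantity());` on one path and an escaped string from the `+` line on the other; mixed return types are harmless for plain digits but leave the column's contract unclear and would break a `: string` return type if one is added later. Casting the first path, `return (string) round($context->getQuantity());`, keeps both branches as strings. The condition that selects the round() branch is before the hunk, so which entries take it cannot be checked here.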
@@ -93,7 +93,7 @@ class ProjectBomEntriesDataTable implements DataTableTypeInterface
 'orderable' => false,
 'render' => function ($value, ProjectBOMEntry $context) {
 if($context->getPart() === null) {
- return $context->getName();
+ return htmlspecialchars($context->getName());
 }
 if($context->getPart() !== null) {
 $tmp = $this->partDataTableHelper->renderName($context->getPart());
diff --git a/src/Services/ElementTypeNameGenerator.php b/src/Services/ElementTypeNameGenerator.php
index adee61ad..be325320 100644
--- a/src/Services/ElementTypeNameGenerator.php
+++ b/src/Services/ElementTypeNameGenerator.php
@@ -117,7 +117,7 @@ class ElementTypeNameGenerator
 * It uses getLocalizedLabel to determine the type.
 *
 * @param NamedElementInterface $entity the entity for which the string should be generated
- * @param bool $use_html If set to true, a html string is returned, where the type is set italic
+ * @param bool $use_html If set to true, a html string is returned, where the type is set italic, and the name is escaped
 *
 * @return string The localized string
 *
diff --git a/src/Services/LogSystem/LogEntryExtraFormatter.php b/src/Services/LogSystem/LogEntryExtraFormatter.php
index bfdaf379..74eded48 100644
--- a/src/Services/LogSystem/LogEntryExtraFormatter.php
+++ b/src/Services/LogSystem/LogEntryExtraFormatter.php
@@ -193,7 +193,7 @@ class LogEntryExtraFormatter
 }
 if ($context->getInstockChangeType() === PartStockChangedLogEntry::TYPE_MOVE) {
 $array['log.part_stock_changed.move_target'] =
- $this->elementTypeNameGenerator->getLocalizedTypeLabel(PartLot::class)
+ htmlspecialchars($this->elementTypeNameGenerator->getLocalizedTypeLabel(PartLot::class))
 .' ' . $context->getMoveToTargetID();
 }
 }
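Review bot: The `if($context->getPart() !== null)` that follows the guard on the `+` line is redundant — the null case has already returned — so the second check can be dropped and its body left unconditional, and PSR-12 wants a space after the keyword: `if ($context->getPart() === null) {`. Whether `$this->partDataTableHelper->renderName(...)` on the last line escapes the part name itself is not visible in the diff; if it does not, the two branches of this column are now escaped inconsistently. The closure continues past the end of the hunk.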
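Review bot: The docblock on the `+` line now promises that the name is escaped when `$use_html` is true, but this patch changes no code in ElementTypeNameGenerator.php (only this comment), so either the escaping already existed or the comment is ahead of the implementation — worth verifying against the method body, which is outside the hunk. The comment is also silent on the `false` case; make the contract explicit with something like `@param bool $use_html If true, an HTML string is returned (type in italics, name HTML-escaped); if false, a plain-text string is returned`, adding whether the plain-text branch escapes the name once that is confirmed from the implementation.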
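Review bot: The `+` line escapes `getLocalizedTypeLabel(PartLot::class)`, a translated label, but leaves `$context->getMoveToTargetID()` on the following line concatenated raw; of the two, the target ID is the one derived from stored log data (presumably an integer, but that is not verifiable here), so it is the more natural thing to cover. Escaping the whole value once is simpler and covers both: `htmlspecialchars($this->elementTypeNameGenerator->getLocalizedTypeLabel(PartLot::class) . ' ' . $context->getMoveToTargetID(), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')`. Whether `$array` values are later rendered raw, which is what makes this escape necessary, is decided outside the hunk. The enclosing method starts before the hunk.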