diff --git a/classes/admincontroller.php b/classes/admincontroller.php
index 746479de..b0a92861 100644
--- a/classes/admincontroller.php
+++ b/classes/admincontroller.php
@@ -15,6 +15,7 @@ use Grav\Common\Page\Medium\Medium;
 use Grav\Common\Page\Page;
 use Grav\Common\Page\Pages;
 use Grav\Common\Page\Collection;
+use Grav\Common\Security;
 use Grav\Common\User\User;
 use Grav\Common\Utils;
 use Grav\Plugin\Admin\Twig\AdminTwigExtension;
@@ -647,16 +648,6 @@ class AdminController extends AdminBaseController
 // Ensure route is prefixed with a forward slash.
 $route = '/' . ltrim($route, '/');
- // XSS Checks for page content
- $xss_whitelist = $this->grav['config']->get('security.xss_whitelist', 'admin.super');
- if (!$this->admin->authorize($xss_whitelist)) {
- if ($issue = Utils::detectXss($data['content'])) {
- $this->admin->setMessage(sprintf($this->admin->translate('PLUGIN_ADMIN.XSS_ISSUE'), $issue),
- 'error');
- return false;
- }
- }
-
 // Check for valid frontmatter
 if (isset($data['frontmatter']) && !$this->checkValidFrontmatter($data['frontmatter'])) {
 $this->admin->setMessage($this->admin->translate('PLUGIN_ADMIN.INVALID_FRONTMATTER_COULD_NOT_SAVE'),
@@ -664,6 +655,21 @@ class AdminController extends AdminBaseController
 return false;
 }
+ // XSS Checks for page content
+ $xss_whitelist = $this->grav['config']->get('security.xss_whitelist', 'admin.super');
+ if (!$this->admin->authorize($xss_whitelist)) {
+ $check_what = ['header' => $data['header'], 'content' => $data['content']];
+ $results = Security::detectXssFromArray($check_what);
+ if (!empty($results)) {
+ $results_parts = array_map(function($value, $key) {
+ return $key.': \''.$value . '\'';
+ }, array_values($results), array_keys($results));
+ $this->admin->setMessage(' ' . sprintf($this->admin->translate('PLUGIN_ADMIN.XSS_ISSUE'), implode(', ', $results_parts)),
+ 'error');
+ return false;
+ }
+ }
+
 $parent = $route && $route !== '/' && $route !== '.' && $route !== '/.' ? $pages->dispatch($route, true) : $pages->root();
 $original_order = (int)trim($obj->order(), '.');
diff --git a/languages/en.yaml b/languages/en.yaml
index 49abddca..4b06c210 100644
--- a/languages/en.yaml
+++ b/languages/en.yaml
@@ -763,6 +763,6 @@ PLUGIN_ADMIN:
 XSS_RULES_HELP: "Be careful when tweaking these rules, a broken regex will break things badly!"
 XSS_RULE_LABEL: "Label"
 XSS_RULE_REGEX: "Regex"
- XSS_ISSUE: "Save failed: Found potential XSS code of type: %s, please remove or disable the XSS filter in Configuration / Security."
+ XSS_ISSUE: "Save failed: Found potential XSS code in %s. Please remove or disable the XSS filter."
diff --git a/themes/grav/templates/pages.html.twig b/themes/grav/templates/pages.html.twig
index d1c0edf0..c9923980 100644
--- a/themes/grav/templates/pages.html.twig
+++ b/themes/grav/templates/pages.html.twig
@@ -322,6 +322,7 @@
 {# Set current form data back into page content #}
 {% if current_form_data %}
+ {% do context.header(current_form_data.header) %}
 {% do context.content(current_form_data.content) %}
 {% endif %}
 {% if context.blueprints.fields and admin.session.expert == '0' %}
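Review bot: `$check_what = ['header' => $data['header'], 'content' => $data['content']];` reads both keys unconditionally, so a submission that carries only one of them (the `isset($data['frontmatter'])` branch just above suggests some saves post raw frontmatter instead of a `header` array) raises an undefined-index notice/warning and hands `null` to `Security::detectXssFromArray`, whose handling of null is not visible here. Defaulting the keys, `'header' => $data['header'] ?? [], 'content' => $data['content'] ?? ''`, avoids that, and if raw frontmatter is indeed posted separately it should be added to the scanned array rather than bypassing the check. The values folded into the message via `$key.': \''.$value . '\''` are presumably the detector's rule labels rather than the submitted text; if they ever echo user input, the admin message rendering must escape them. The leading `' ' . ` in the `setMessage` call looks like a stray artifact and could be dropped. The enclosing method starts and ends outside this hunk.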