Nemcio/Grav-Admin-Plugin
1
0
Fork 0
mirror of https://github.com/getgrav/grav-plugin-admin.git synced 2025-11-01 10:56:08 +01:00
Code Issues Packages Projects Releases Activity

Merge branch 'develop' into 1.9

Browse Source 
# Conflicts:
#	languages/en.yaml
This commit is contained in:
Andy Miller
2018-09-30 18:41:29 -06:00
parent e850626a3b bfc72d2d3e
commit 22f3a03005
3 changed files with 18 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files

26
classes/admincontroller.php
View File

@@ -15,6 +15,7 @@ use Grav\Common\Page\Medium\Medium;
use Grav\Common\Page\Page;
use Grav\Common\Page\Pages;
use Grav\Common\Page\Collection;
use Grav\Common\Security;
use Grav\Common\User\User;
use Grav\Common\Utils;
use Grav\Plugin\Admin\Twig\AdminTwigExtension;
@@ -647,16 +648,6 @@ class AdminController extends AdminBaseController
// Ensure route is prefixed with a forward slash.
$route = '/' . ltrim($route, '/');
// XSS Checks for page content
$xss_whitelist = $this->grav['config']->get('security.xss_whitelist', 'admin.super');
if (!$this->admin->authorize($xss_whitelist)) {
if ($issue = Utils::detectXss($data['content'])) {
$this->admin->setMessage(sprintf($this->admin->translate('PLUGIN_ADMIN.XSS_ISSUE'), $issue),
'error');
return false;
}
}
// Check for valid frontmatter
if (isset($data['frontmatter']) && !$this->checkValidFrontmatter($data['frontmatter'])) {
$this->admin->setMessage($this->admin->translate('PLUGIN_ADMIN.INVALID_FRONTMATTER_COULD_NOT_SAVE'),
@@ -664,6 +655,21 @@ class AdminController extends AdminBaseController
return false;
}
// XSS Checks for page content
$xss_whitelist = $this->grav['config']->get('security.xss_whitelist', 'admin.super');
if (!$this->admin->authorize($xss_whitelist)) {
$check_what = ['header' => $data['header'], 'content' => $data['content']];
$results = Security::detectXssFromArray($check_what);
if (!empty($results)) {
$results_parts = array_map(function($value, $key) {
return $key.': \''.$value . '\'';
}, array_values($results), array_keys($results));
$this->admin->setMessage('<i class="fa fa-ban"></i> ' . sprintf($this->admin->translate('PLUGIN_ADMIN.XSS_ISSUE'), implode(', ', $results_parts)),
'error');
return false;
}
}
$parent = $route && $route !== '/' && $route !== '.' && $route !== '/.' ? $pages->dispatch($route, true) : $pages->root();
$original_order = (int)trim($obj->order(), '.');