Merge branch 'develop' into 1.9

# Conflicts:
#	languages/en.yaml
This commit is contained in:
Andy Miller
2018-09-30 18:41:29 -06:00
3 changed files with 18 additions and 11 deletions


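--- a/PATH_NOT_ON_PAGE
+++ b/PATH_NOT_ON_PAGE
@@ -15,6 +15,7 @@ use Grav\Common\Page\Medium\Medium;
 use Grav\Common\Page\Page;
 use Grav\Common\Page\Pages;
 use Grav\Common\Page\Collection;
+use Grav\Common\Security;
 use Grav\Common\User\User;
 use Grav\Common\Utils;
 use Grav\Plugin\Admin\Twig\AdminTwigExtension;
@@ -647,16 +648,6 @@ class AdminController extends AdminBaseController
 // Ensure route is prefixed with a forward slash.
 $route = '/' . ltrim($route, '/');
-// XSS Checks for page content
-$xss_whitelist = $this->grav['config']->get('security.xss_whitelist', 'admin.super');
-if (!$this->admin->authorize($xss_whitelist)) {
-if ($issue = Utils::detectXss($data['content'])) {
-$this->admin->setMessage(sprintf($this->admin->translate('PLUGIN_ADMIN.XSS_ISSUE'), $issue),
-'error');
-return false;
-}
-}
 // Check for valid frontmatter
 if (isset($data['frontmatter']) && !$this->checkValidFrontmatter($data['frontmatter'])) {
 $this->admin->setMessage($this->admin->translate('PLUGIN_ADMIN.INVALID_FRONTMATTER_COULD_NOT_SAVE'),
@@ -664,6 +655,21 @@ class AdminController extends AdminBaseController
 return false;
 }
+// XSS Checks for page content
+$xss_whitelist = $this->grav['config']->get('security.xss_whitelist', 'admin.super');
+if (!$this->admin->authorize($xss_whitelist)) {
+$check_what = ['header' => $data['header'], 'content' => $data['content']];
+$results = Security::detectXssFromArray($check_what);
+if (!empty($results)) {
+$results_parts = array_map(function($value, $key) {
+return $key.': \''.$value . '\'';
+}, array_values($results), array_keys($results));
+$this->admin->setMessage('<i class="fa fa-ban"></i> ' . sprintf($this->admin->translate('PLUGIN_ADMIN.XSS_ISSUE'), implode(', ', $results_parts)),
+'error');
+return false;
+}
+}
 $parent = $route && $route !== '/' && $route !== '.' && $route !== '/.' ? $pages->dispatch($route, true) : $pages->root();
 $original_order = (int)trim($obj->order(), '.');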
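Review bot: The new check builds `$check_what = ['header' => $data['header'], 'content' => $data['content']];` without guarding either key, while the frontmatter check a few lines earlier in the same method uses `isset($data['frontmatter'])`, so a save payload lacking `header` or `content` would raise an undefined-index notice and hand null to `Security::detectXssFromArray`; `'header' => $data['header'] ?? [], 'content' => $data['content'] ?? ''` keeps the check well-defined for every request shape, assuming those are the types the helper expects. The message is prefixed with a literal `<i class="fa fa-ban"></i>`, so it is evidently rendered as HTML, and `$key` and `$value` from the detection result are concatenated into it unescaped; that is harmless if the helper returns rule names and field paths, but if it can return the matched fragment the flagged content would be reflected into the admin page, so confirm the return shape or wrap both in `htmlspecialchars()`. The closure passed to `array_map` does not use `$this` and could be `static function ($value, $key)`. The enclosing method starts and ends outside the hunk.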


@@ -763,6 +763,6 @@ PLUGIN_ADMIN:
XSS_RULES_HELP: "Be careful when tweaking these rules, a broken regex will break things badly!" XSS_RULES_HELP: "Be careful when tweaking these rules, a broken regex will break things badly!"
XSS_RULE_LABEL: "Label" XSS_RULE_LABEL: "Label"
XSS_RULE_REGEX: "Regex" XSS_RULE_REGEX: "Regex"
XSS_ISSUE: "Save failed: Found potential XSS code of type: <strong>%s</strong>, please remove or disable the XSS filter in <strong>Configuration</strong> / <strong>Security</strong>." XSS_ISSUE: "Save failed: Found potential XSS code in <strong>%s</strong>. Please remove or disable the XSS filter."


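--- a/PATH_NOT_ON_PAGE
+++ b/PATH_NOT_ON_PAGE
@@ -322,6 +322,7 @@
 {# Set current form data back into page content #}
 {% if current_form_data %}
+{% do context.header(current_form_data.header) %}
 {% do context.content(current_form_data.content) %}
 {% endif %}
 {% if context.blueprints.fields and admin.session.expert == '0' %}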