Nemcio/Grav-Admin-Plugin
1
0
Fork 0
mirror of https://github.com/getgrav/grav-plugin-admin.git synced 2025-11-01 10:56:08 +01:00
Code Issues Packages Projects Releases Activity

Fixed unescaped messages in JSON responses

Browse Source
This commit is contained in:
Matias Griese
2021-11-03 12:42:27 +02:00
parent c8a4a111df
commit 6463135bf0
4 changed files with 33 additions and 23 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
CHANGELOG.md
View File

@@ -1,3 +1,9 @@
# v1.10.25
## mm/dd/2021
3. [](#bugfix)
* Fixed unescaped messages in JSON responses
# v1.10.24 # v1.10.24
## 10/26/2021 ## 10/26/2021

18
classes/plugin/AdminBaseController.php
View File

@@ -271,7 +271,7 @@ class AdminBaseController
$this->admin->json_response = [ $this->admin->json_response = [
'status' => 'error', 'status' => 'error',
'message' => sprintf($this->admin::translate('PLUGIN_ADMIN.FILEUPLOAD_UNABLE_TO_UPLOAD', null), 'message' => sprintf($this->admin::translate('PLUGIN_ADMIN.FILEUPLOAD_UNABLE_TO_UPLOAD', null),
$filename, 'Bad filename') htmlspecialchars($filename, ENT_QUOTES | ENT_HTML5, 'UTF-8'), 'Bad filename')
]; ];
return false; return false;
@@ -291,7 +291,7 @@ class AdminBaseController
$this->admin->json_response = [ $this->admin->json_response = [
'status' => 'error', 'status' => 'error',
'message' => sprintf($this->admin::translate('PLUGIN_ADMIN.FILEUPLOAD_PREVENT_SELF', null), 'message' => sprintf($this->admin::translate('PLUGIN_ADMIN.FILEUPLOAD_PREVENT_SELF', null),
$settings->destination) htmlspecialchars($settings->destination, ENT_QUOTES | ENT_HTML5, 'UTF-8'))
]; ];
return false; return false;
@@ -302,7 +302,8 @@ class AdminBaseController
$this->admin->json_response = [ $this->admin->json_response = [
'status' => 'error', 'status' => 'error',
'message' => sprintf($this->admin::translate('PLUGIN_ADMIN.FILEUPLOAD_UNABLE_TO_UPLOAD', null), 'message' => sprintf($this->admin::translate('PLUGIN_ADMIN.FILEUPLOAD_UNABLE_TO_UPLOAD', null),
$filename, $this->upload_errors[$upload->file->error]) htmlspecialchars($filename, ENT_QUOTES | ENT_HTML5, 'UTF-8'),
$this->upload_errors[$upload->file->error])
]; ];
return false; return false;
@@ -340,7 +341,7 @@ class AdminBaseController
if ($isMime) { if ($isMime) {
$match = preg_match('#' . $find . '$#', $mime); $match = preg_match('#' . $find . '$#', $mime);
if (!$match) { if (!$match) {
$errors[] = 'The MIME type "' . $mime . '" for the file "' . $filename . '" is not an accepted.'; $errors[] = htmlspecialchars('The MIME type "' . $mime . '" for the file "' . $filename . '" is not an accepted.', ENT_QUOTES | ENT_HTML5, 'UTF-8');
} else { } else {
$accepted = true; $accepted = true;
break; break;
@@ -348,7 +349,7 @@ class AdminBaseController
} else { } else {
$match = preg_match('#' . $find . '$#', $filename); $match = preg_match('#' . $find . '$#', $filename);
if (!$match) { if (!$match) {
$errors[] = 'The File Extension for the file "' . $filename . '" is not an accepted.'; $errors[] = htmlspecialchars('The File Extension for the file "' . $filename . '" is not an accepted.', ENT_QUOTES | ENT_HTML5, 'UTF-8');
} else { } else {
$accepted = true; $accepted = true;
break; break;
@@ -379,8 +380,11 @@ class AdminBaseController
if (!move_uploaded_file($tmp_file, $tmp)) { if (!move_uploaded_file($tmp_file, $tmp)) {
$this->admin->json_response = [ $this->admin->json_response = [
'status' => 'error', 'status' => 'error',
'message' => sprintf($this->admin::translate('PLUGIN_ADMIN.FILEUPLOAD_UNABLE_TO_MOVE', null), '', 'message' => sprintf(
$tmp) $this->admin::translate('PLUGIN_ADMIN.FILEUPLOAD_UNABLE_TO_MOVE', null),
'',
htmlspecialchars($tmp, ENT_QUOTES | ENT_HTML5, 'UTF-8')
)
]; ];
return false; return false;

30
classes/plugin/AdminController.php
View File

@@ -288,7 +288,7 @@ class AdminController extends AdminBaseController
$debugger = $this->grav['debugger']; $debugger = $this->grav['debugger'];
$debugger->addException($e); $debugger->addException($e);
$this->admin->json_response = ['status' => 'error', 'message' => $e->getMessage()]; $this->admin->json_response = ['status' => 'error', 'message' => htmlspecialchars($e->getMessage(), ENT_QUOTES | ENT_HTML5, 'UTF-8')];
return false; return false;
} }
@@ -407,7 +407,7 @@ class AdminController extends AdminBaseController
$debugger = $this->grav['debugger']; $debugger = $this->grav['debugger'];
$debugger->addException($e); $debugger->addException($e);
$json_response = ['status' => 'error', 'message' => $e->getMessage()]; $json_response = ['status' => 'error', 'message' => htmlspecialchars($e->getMessage(), ENT_QUOTES | ENT_HTML5, 'UTF-8')];
} }
$this->sendJsonResponse($json_response); $this->sendJsonResponse($json_response);
@@ -490,7 +490,7 @@ class AdminController extends AdminBaseController
$debugger = $this->grav['debugger']; $debugger = $this->grav['debugger'];
$debugger->addException($e); $debugger->addException($e);
$json_response = ['status' => 'error', 'message' => $e->getMessage()]; $json_response = ['status' => 'error', 'message' => htmlspecialchars($e->getMessage(), ENT_QUOTES | ENT_HTML5, 'UTF-8')];
} }
$this->sendJsonResponse($json_response); $this->sendJsonResponse($json_response);
@@ -540,7 +540,7 @@ class AdminController extends AdminBaseController
$this->admin->json_response = [ $this->admin->json_response = [
'status' => 'error', 'status' => 'error',
'message' => $this->admin::translate('PLUGIN_ADMIN.AN_ERROR_OCCURRED') . '. ' . $e->getMessage() 'message' => $this->admin::translate('PLUGIN_ADMIN.AN_ERROR_OCCURRED') . '. ' . htmlspecialchars($e->getMessage(), ENT_QUOTES | ENT_HTML5, 'UTF-8')
]; ];
return true; return true;
@@ -917,7 +917,7 @@ class AdminController extends AdminBaseController
$debugger = $this->grav['debugger']; $debugger = $this->grav['debugger'];
$debugger->addException($e); $debugger->addException($e);
$this->admin->json_response = ['status' => 'error', 'message' => $e->getMessage()]; $this->admin->json_response = ['status' => 'error', 'message' => htmlspecialchars($e->getMessage(), ENT_QUOTES | ENT_HTML5, 'UTF-8')];
return false; return false;
} }
@@ -961,7 +961,7 @@ class AdminController extends AdminBaseController
$debugger = $this->grav['debugger']; $debugger = $this->grav['debugger'];
$debugger->addException($e); $debugger->addException($e);
$this->admin->json_response = ['status' => 'error', 'message' => $e->getMessage()]; $this->admin->json_response = ['status' => 'error', 'message' => htmlspecialchars($e->getMessage(), ENT_QUOTES | ENT_HTML5, 'UTF-8')];
return false; return false;
} }
@@ -1004,7 +1004,7 @@ class AdminController extends AdminBaseController
$debugger = $this->grav['debugger']; $debugger = $this->grav['debugger'];
$debugger->addException($e); $debugger->addException($e);
$this->admin->json_response = ['status' => 'error', 'message' => $e->getMessage()]; $this->admin->json_response = ['status' => 'error', 'message' => htmlspecialchars($e->getMessage(), ENT_QUOTES | ENT_HTML5, 'UTF-8')];
return false; return false;
} }
@@ -1059,7 +1059,7 @@ class AdminController extends AdminBaseController
$msg = Utils::contains($msg, '401 Unauthorized') ? "ERROR: License key for this resource is invalid." : $msg; $msg = Utils::contains($msg, '401 Unauthorized') ? "ERROR: License key for this resource is invalid." : $msg;
$msg = Utils::contains($msg, '404 Not Found') ? "ERROR: Resource not found" : $msg; $msg = Utils::contains($msg, '404 Not Found') ? "ERROR: Resource not found" : $msg;
$this->admin->json_response = ['status' => 'error', 'message' => $msg]; $this->admin->json_response = ['status' => 'error', 'message' => htmlspecialchars($msg, ENT_QUOTES | ENT_HTML5, 'UTF-8')];
return false; return false;
} }
@@ -1133,7 +1133,7 @@ class AdminController extends AdminBaseController
$debugger = $this->grav['debugger']; $debugger = $this->grav['debugger'];
$debugger->addException($e); $debugger->addException($e);
$json_response = ['status' => 'error', 'message' => $e->getMessage()]; $json_response = ['status' => 'error', 'message' => htmlspecialchars($e->getMessage(), ENT_QUOTES | ENT_HTML5, 'UTF-8')];
$this->sendJsonResponse($json_response, 200); $this->sendJsonResponse($json_response, 200);
} }
@@ -2068,7 +2068,7 @@ class AdminController extends AdminBaseController
$debugger = $this->grav['debugger']; $debugger = $this->grav['debugger'];
$debugger->addException($e); $debugger->addException($e);
$this->admin->json_response = ['status' => 'error', 'message' => $e->getMessage()]; $this->admin->json_response = ['status' => 'error', 'message' => htmlspecialchars($e->getMessage(), ENT_QUOTES | ENT_HTML5, 'UTF-8')];
return false; return false;
} }
@@ -2225,7 +2225,7 @@ class AdminController extends AdminBaseController
$this->admin->json_response = [ $this->admin->json_response = [
'status' => 'error', 'status' => 'error',
'message' => sprintf($this->admin::translate('PLUGIN_ADMIN.FILEUPLOAD_UNABLE_TO_UPLOAD'), 'message' => sprintf($this->admin::translate('PLUGIN_ADMIN.FILEUPLOAD_UNABLE_TO_UPLOAD'),
$filename, 'Bad filename') htmlspecialchars($filename, ENT_QUOTES | ENT_HTML5, 'UTF-8'), 'Bad filename')
]; ];
return false; return false;
@@ -2453,7 +2453,7 @@ class AdminController extends AdminBaseController
if (!$result) { if (!$result) {
$this->admin->json_response = [ $this->admin->json_response = [
'status' => 'error', 'status' => 'error',
'message' => $this->admin::translate('PLUGIN_ADMIN.FILE_COULD_NOT_BE_DELETED') . ': ' . $filename 'message' => $this->admin::translate('PLUGIN_ADMIN.FILE_COULD_NOT_BE_DELETED') . ': ' . htmlspecialchars($filename, ENT_QUOTES | ENT_HTML5, 'UTF-8')
]; ];
return false; return false;
@@ -2474,7 +2474,7 @@ class AdminController extends AdminBaseController
if (!$result) { if (!$result) {
$this->admin->json_response = [ $this->admin->json_response = [
'status' => 'error', 'status' => 'error',
'message' => $this->admin::translate('PLUGIN_ADMIN.FILE_COULD_NOT_BE_DELETED') . ': ' . $filename 'message' => $this->admin::translate('PLUGIN_ADMIN.FILE_COULD_NOT_BE_DELETED') . ': ' . htmlspecialchars($filename, ENT_QUOTES | ENT_HTML5, 'UTF-8')
]; ];
return false; return false;
@@ -2489,7 +2489,7 @@ class AdminController extends AdminBaseController
if (!$found) { if (!$found) {
$this->admin->json_response = [ $this->admin->json_response = [
'status' => 'error', 'status' => 'error',
'message' => $this->admin::translate('PLUGIN_ADMIN.FILE_NOT_FOUND') . ': ' . $filename 'message' => $this->admin::translate('PLUGIN_ADMIN.FILE_NOT_FOUND') . ': ' . htmlspecialchars($filename, ENT_QUOTES | ENT_HTML5, 'UTF-8')
]; ];
return false; return false;
@@ -2500,7 +2500,7 @@ class AdminController extends AdminBaseController
$this->admin->json_response = [ $this->admin->json_response = [
'status' => 'success', 'status' => 'success',
'message' => $this->admin::translate('PLUGIN_ADMIN.FILE_DELETED') . ': ' . $filename 'message' => $this->admin::translate('PLUGIN_ADMIN.FILE_DELETED') . ': ' . htmlspecialchars($filename, ENT_QUOTES | ENT_HTML5, 'UTF-8')
]; ];
return true; return true;

2
classes/plugin/Controllers/AbstractController.php
View File

@@ -292,7 +292,7 @@ abstract class AbstractController implements RequestHandlerInterface
$response = [ $response = [
'code' => $code, 'code' => $code,
'status' => 'error', 'status' => 'error',
'message' => $message 'message' => htmlspecialchars($message, ENT_QUOTES | ENT_HTML5, 'UTF-8')
]; ];
$accept = $this->getAccept(['application/json', 'text/html']); $accept = $this->getAccept(['application/json', 'text/html']);