Nemcio/Grav-Admin-Plugin
1
0
Fork 0
mirror of https://github.com/getgrav/grav-plugin-admin.git synced 2026-05-06 10:06:12 +02:00
Code Issues Packages Projects Releases Activity

XSS filter

Browse Source
This commit is contained in:
Andy Miller
2018-09-29 21:18:45 -06:00
parent fe774c0014
commit c50a587a6a
3 changed files with 25 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

13
classes/admincontroller.php
View File

@@ -611,6 +611,8 @@ class AdminController extends AdminBaseController
$reorder = true;
$data = (array)$this->data;
$this->grav['twig']->twig_vars['current_form_data'] = $data;
// Special handler for user data.
if ($this->view === 'user') {
if (!$this->grav['user']->exists()) {
@@ -645,6 +647,17 @@ class AdminController extends AdminBaseController
// Ensure route is prefixed with a forward slash.
$route = '/' . ltrim($route, '/');
// XSS Checks for page content
$xss_whitelist = $this->grav['config']->get('security.xss_whitelist', []);
if (!$this->admin->authorize($xss_whitelist)) {
if ($issue = Utils::detectXss($data['content'])) {
$this->admin->setMessage('Save failed: Found potential XSS code of type: <strong>' . $issue . '</strong>, please remove or disable the XSS filter in <strong>Configuration</strong> / <strong>Security</strong>.',
'error');
return false;
}
}
if (isset($data['frontmatter']) && !$this->checkValidFrontmatter($data['frontmatter'])) {
$this->admin->setMessage($this->admin->translate('PLUGIN_ADMIN.INVALID_FRONTMATTER_COULD_NOT_SAVE'),
'error');