XSS filter

This commit is contained in:
Andy Miller
2018-09-29 21:18:45 -06:00
parent fe774c0014
commit c50a587a6a
3 changed files with 25 additions and 7 deletions


@@ -611,6 +611,8 @@ class AdminController extends AdminBaseController
$reorder = true; $reorder = true;
$data = (array)$this->data; $data = (array)$this->data;
$this->grav['twig']->twig_vars['current_form_data'] = $data;
// Special handler for user data. // Special handler for user data.
if ($this->view === 'user') { if ($this->view === 'user') {
if (!$this->grav['user']->exists()) { if (!$this->grav['user']->exists()) {
@@ -645,6 +647,17 @@ class AdminController extends AdminBaseController
// Ensure route is prefixed with a forward slash. // Ensure route is prefixed with a forward slash.
$route = '/' . ltrim($route, '/'); $route = '/' . ltrim($route, '/');
// XSS Checks for page content
$xss_whitelist = $this->grav['config']->get('security.xss_whitelist', []);
if (!$this->admin->authorize($xss_whitelist)) {
if ($issue = Utils::detectXss($data['content'])) {
$this->admin->setMessage('Save failed: Found potential XSS code of type: <strong>' . $issue . '</strong>, please remove or disable the XSS filter in <strong>Configuration</strong> / <strong>Security</strong>.',
'error');
return false;
}
}
if (isset($data['frontmatter']) && !$this->checkValidFrontmatter($data['frontmatter'])) { if (isset($data['frontmatter']) && !$this->checkValidFrontmatter($data['frontmatter'])) {
$this->admin->setMessage($this->admin->translate('PLUGIN_ADMIN.INVALID_FRONTMATTER_COULD_NOT_SAVE'), $this->admin->setMessage($this->admin->translate('PLUGIN_ADMIN.INVALID_FRONTMATTER_COULD_NOT_SAVE'),
'error'); 'error');
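Review bot: The new check reads `$data['content']` unconditionally at `Utils::detectXss($data['content'])`, while the frontmatter check a few lines below guards its key with `isset`; a save whose form data carries no `content` key (if such saves reach this branch) would hit an undefined-index notice before the filter ever runs. Guarding it the same way, `if ($issue = Utils::detectXss(isset($data['content']) ? $data['content'] : '')) {`, keeps the two checks consistent. Only `content` is scanned here — `frontmatter` and any other submitted fields are not — so if that scope is intentional it deserves a comment such as `// Only the page body is scanned; header/frontmatter fields are not covered by this filter`. The failure message is hard-coded English with inline HTML rather than going through `$this->admin->translate()` like the neighbouring INVALID_FRONTMATTER message. The enclosing method starts and ends outside the hunk.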


@@ -32,13 +32,13 @@
{% if field.resizer is not defined or field.resizer not in ['off', 'false', 0] %}<div class="grav-editor-resizer"></div>{% endif %} {% if field.resizer is not defined or field.resizer not in ['off', 'false', 0] %}<div class="grav-editor-resizer"></div>{% endif %}
{% if field.description %} {% if field.description %}
<div class="form-extra-wrapper {{ field.size }} {{ field.wrapper_classes }}"> <div class="form-extra-wrapper {{ field.size }} {{ field.wrapper_classes }}">
<span class="form-description"> <span class="form-description">
{% if field.markdown %} {% if field.markdown %}
{{ field.description|tu|markdown(false)|raw }} {{ field.description|tu|markdown(false)|raw }}
{% else %} {% else %}
{{ field.description|tu|raw }} {{ field.description|tu|raw }}
{% endif %} {% endif %}
</span> </span>
</div> </div>
{% endif %} {% endif %}
</div> </div>


@@ -132,6 +132,7 @@
{% endif %} {% endif %}
{% block titlebar %} {% block titlebar %}
<div class="button-bar"> <div class="button-bar">
{% if mode == 'list' %} {% if mode == 'list' %}
<a class="button" href="{{ base_url }}"><i class="fa fa-reply"></i> {{ "PLUGIN_ADMIN.BACK"|tu }}</a> <a class="button" href="{{ base_url }}"><i class="fa fa-reply"></i> {{ "PLUGIN_ADMIN.BACK"|tu }}</a>
@@ -319,6 +320,10 @@
</div> </div>
{# Set current form data back into page content #}
{% if current_form_data %}
{% do context.content(current_form_data.content) %}
{% endif %}
{% if context.blueprints.fields and admin.session.expert == '0' %} {% if context.blueprints.fields and admin.session.expert == '0' %}
{% include 'partials/blueprints.html.twig' with { blueprints: context.blueprints, data: context } %} {% include 'partials/blueprints.html.twig' with { blueprints: context.blueprints, data: context } %}
{% else %} {% else %}
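Review bot: The content restored at `{% do context.content(current_form_data.content) %}` is the raw form submission — `current_form_data` is set from the posted data in AdminController before the XSS rejection — and it is written into the page object for the remainder of this template, not only into the editor field. If any later part of the template renders `context.content` or its processed form instead of the escaped textarea value, the very payload the server just refused would be emitted in the admin page; confirm it only ever lands in an escaped form field and say so with a comment like `{# Restore unsaved (possibly rejected) content for the editor field only; never render it processed #}`. `current_form_data.content` is also read without an `is defined` guard, which raises under Twig strict_variables when the form data has no content key; `{% if current_form_data and current_form_data.content is defined %}` would be safer. The surrounding template block continues past the hunk.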