From ea0a5613cc40105787c3e6e9764c5c26a317c5e7 Mon Sep 17 00:00:00 2001
From: Andy Miller <rhuk@mac.com>
Date: Sun, 30 Sep 2018 15:24:29 -0600
Subject: [PATCH] XSS detection on header+content of page

---
 classes/admincontroller.php           | 11 +++++++++--
 languages/en.yaml                     |  2 +-
 themes/grav/templates/pages.html.twig |  1 +
 3 files changed, 11 insertions(+), 3 deletions(-)

diff --git a/classes/admincontroller.php b/classes/admincontroller.php
index 83b93c2c..f4f11072 100644
--- a/classes/admincontroller.php
+++ b/classes/admincontroller.php
@@ -650,8 +650,15 @@ class AdminController extends AdminBaseController
             // XSS Checks for page content
             $xss_whitelist = $this->grav['config']->get('security.xss_whitelist', 'admin.super');
             if (!$this->admin->authorize($xss_whitelist)) {
-                if ($issue = Utils::detectXss($data['content'])) {
-                    $this->admin->setMessage(sprintf($this->admin->translate('PLUGIN_ADMIN.XSS_ISSUE'), $issue),
+                $check_what = ['header' => $data['header'], 'content' => $data['content']];
+                $results = Utils::detectXssFromArray($check_what);
+                if (!empty($results)) {
+                    $results_parts = array_map(function($value, $key) {
+                        return $key.': \''.$value . '\'';
+                    }, array_values($results), array_keys($results));
+
+                    $output = implode(', ', $results_parts);
+                    $this->admin->setMessage('<i class="fa fa-ban"></i> ' . sprintf($this->admin->translate('PLUGIN_ADMIN.XSS_ISSUE'), $output),
                         'error');
                     return false;
                 }
diff --git a/languages/en.yaml b/languages/en.yaml
index d758afb1..e809d141 100644
--- a/languages/en.yaml
+++ b/languages/en.yaml
@@ -732,4 +732,4 @@ PLUGIN_ADMIN:
   XSS_RULES_HELP: "Be careful when tweaking these rules, a broken regex will break things badly!"
   XSS_RULE_LABEL: "Label"
   XSS_RULE_REGEX: "Regex"
-  XSS_ISSUE: "Save failed: Found potential XSS code of type: <strong>%s</strong>, please remove or disable the XSS filter in <strong>Configuration</strong> / <strong>Security</strong>."
+  XSS_ISSUE: "Save failed: Found potential XSS code in <strong>%s</strong>. Please remove or disable the XSS filter."
diff --git a/themes/grav/templates/pages.html.twig b/themes/grav/templates/pages.html.twig
index d1c0edf0..c9923980 100644
--- a/themes/grav/templates/pages.html.twig
+++ b/themes/grav/templates/pages.html.twig
@@ -322,6 +322,7 @@
 
             {# Set current form data back into page content #}
             {% if current_form_data %}
+                {% do context.header(current_form_data.header) %}
                 {% do context.content(current_form_data.content) %}
             {% endif %}
             {% if context.blueprints.fields and admin.session.expert == '0' %}