XSS detection on header+content of page

2026-02-20 21:47:59 +01:00 · 2018-09-30 15:24:29 -06:00
parent c95b814c4b
commit ea0a5613cc
3 changed files with 11 additions and 3 deletions
--- a/classes/admincontroller.php
+++ b/classes/admincontroller.php
@@ -650,8 +650,15 @@ class AdminController extends AdminBaseController
            // XSS Checks for page content
            $xss_whitelist = $this->grav['config']->get('security.xss_whitelist', 'admin.super');
            if (!$this->admin->authorize($xss_whitelist)) {
-                if ($issue = Utils::detectXss($data['content'])) {
-                    $this->admin->setMessage(sprintf($this->admin->translate('PLUGIN_ADMIN.XSS_ISSUE'), $issue),
+                $check_what = ['header' => $data['header'], 'content' => $data['content']];
+                $results = Utils::detectXssFromArray($check_what);
+                if (!empty($results)) {
+                    $results_parts = array_map(function($value, $key) {
+                        return $key.': \''.$value . '\'';
+                    }, array_values($results), array_keys($results));
+
+                    $output = implode(', ', $results_parts);
+                    $this->admin->setMessage('<i class="fa fa-ban"></i> ' . sprintf($this->admin->translate('PLUGIN_ADMIN.XSS_ISSUE'), $output),
                        'error');
                    return false;
                }