Fix a XSS when using a custom format callable, it was silently bypass…

…ing twig default escape by wrapping the string in a "Markup" object that is whitelisted instead if people do need it we force them do to ->setStripTag(true) before
EasyCorp · Apr 11, 2024 · 0c8aa0f · 0c8aa0f
1 parent ca8b01b
commit 0c8aa0f
Show file tree

Hide file tree

Showing 4 changed files with 11 additions and 19 deletions.
diff --git a/src/Field/Configurator/CommonPostConfigurator.php b/src/Field/Configurator/CommonPostConfigurator.php
@@ -7,7 +7,7 @@
 use EasyCorp\Bundle\EasyAdminBundle\Contracts\Field\FieldConfiguratorInterface;
 use EasyCorp\Bundle\EasyAdminBundle\Dto\EntityDto;
 use EasyCorp\Bundle\EasyAdminBundle\Dto\FieldDto;
-use EasyCorp\Bundle\EasyAdminBundle\Field\TextField;
+use EasyCorp\Bundle\EasyAdminBundle\Field\FieldTrait;
 use EasyCorp\Bundle\EasyAdminBundle\Provider\AdminContextProvider;
 use function Symfony\Component\String\u;
 use Twig\Markup;
@@ -58,7 +58,7 @@ private function buildFormattedValueOption($value, FieldDto $field, EntityDto $e
         // in the code just because some people need to have HTML/JS
         // so that if you want know what you're doing you have to explicitly
         // disable this.
-        if ($field->getCustomOptions(TextField::OPTION_STRIP_TAGS)) {
+        if ($field->getCustomOption(FieldTrait::OPTION_STRIP_TAGS) ?? true) {
             return $formatted;
         }
 

diff --git a/src/Field/FieldTrait.php b/src/Field/FieldTrait.php
@@ -16,6 +16,8 @@
  */
 trait FieldTrait
 {
+    public const OPTION_STRIP_TAGS = 'stripTags';
+
     private FieldDto $dto;
 
     private function __construct()
@@ -337,6 +339,13 @@ public function setCustomOptions(array $options): self
 
         return $this;
     }
+
+    public function stripTags(bool $stripTags = true): self
+    {
+        $this->setCustomOption(self::OPTION_STRIP_TAGS, $stripTags);
+
+        return $this;
+    }
 
     public function hideOnDetail(): self
     {

diff --git a/src/Field/TextField.php b/src/Field/TextField.php
@@ -15,7 +15,6 @@ final class TextField implements FieldInterface
 
     public const OPTION_MAX_LENGTH = 'maxLength';
     public const OPTION_RENDER_AS_HTML = 'renderAsHtml';
-    public const OPTION_STRIP_TAGS = 'stripTags';
 
     /**
      * @param TranslatableInterface|string|false|null $label
@@ -55,11 +54,4 @@ public function renderAsHtml(bool $asHtml = true): self
 
         return $this;
     }
-
-    public function stripTags(bool $stripTags = true): self
-    {
-        $this->setCustomOption(self::OPTION_STRIP_TAGS, $stripTags);
-
-        return $this;
-    }
 }
diff --git a/src/Field/TextareaField.php b/src/Field/TextareaField.php
@@ -17,8 +17,6 @@ final class TextareaField implements FieldInterface
     public const OPTION_MAX_LENGTH = TextField::OPTION_MAX_LENGTH;
     public const OPTION_NUM_OF_ROWS = 'numOfRows';
     public const OPTION_RENDER_AS_HTML = TextField::OPTION_RENDER_AS_HTML;
-    public const OPTION_STRIP_TAGS = TextField::OPTION_STRIP_TAGS;
-
     /**
      * @param TranslatableInterface|string|false|null $label
      */
@@ -70,11 +68,4 @@ public function renderAsHtml(bool $asHtml = true): self
 
         return $this;
     }
-
-    public function stripTags(bool $stripTags = true): self
-    {
-        $this->setCustomOption(self::OPTION_STRIP_TAGS, $stripTags);
-
-        return $this;
-    }
 }