From ca8b01bcb3ad9cf5243e3c9d3f10a815f5918133 Mon Sep 17 00:00:00 2001
From: Allan Simon
Date: Thu, 11 Apr 2024 16:28:08 +0000
Subject: [PATCH] Fix a XSS when using a custom format callable, it was silently bypassing twig default escape by wrapping the string in a "Markup" object that is whitelisted instead if people do need it we force them do to ->setStripTag(true) before
---
 src/Field/Configurator/CommonPostConfigurator.php | 9 +++++++++
 1 file changed, 9 insertions(+)
diff --git a/src/Field/Configurator/CommonPostConfigurator.php b/src/Field/Configurator/CommonPostConfigurator.php
index 532b236e9e..3a6017fe86 100644
--- a/src/Field/Configurator/CommonPostConfigurator.php
+++ b/src/Field/Configurator/CommonPostConfigurator.php
@@ -7,6 +7,7 @@ use EasyCorp\Bundle\EasyAdminBundle\Contracts\Field\FieldConfiguratorInterface;
 use EasyCorp\Bundle\EasyAdminBundle\Dto\EntityDto;
 use EasyCorp\Bundle\EasyAdminBundle\Dto\FieldDto;
+use EasyCorp\Bundle\EasyAdminBundle\Field\TextField;
 use EasyCorp\Bundle\EasyAdminBundle\Provider\AdminContextProvider;
 use function Symfony\Component\String\u;
 use Twig\Markup;
@@ -53,6 +54,14 @@ private function buildFormattedValueOption($value, FieldDto $field, EntityDto $e
 $formatted = $callable($field->getValue(), $entityDto->getInstance());
+ // we don't want to unintentionally allow people to add XSS vulnerabilities
+ // in the code just because some people need to have HTML/JS
+ // so that if you want know what you're doing you have to explicitly
+ // disable this.
+ if ($field->getCustomOptions(TextField::OPTION_STRIP_TAGS)) {
+ return $formatted;
+ }
+
 // if the callable returns a string, wrap it in a Twig Markup to render the
 // HTML and CSS/JS elements that it might contain
 return \is_string($formatted) ? new Markup($formatted, $this->charset) : $formatted;
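Review bot: The new guard in buildFormattedValueOption leaves the unsafe path as the default: when OPTION_STRIP_TAGS is unset or false, which is the normal case for a field that never asked for tag stripping, control still falls through to `new Markup($formatted, $this->charset)`, so a custom format callable that reflects user-controlled data is still rendered unescaped and the "force them to opt in" intent of the commit message is not what the code does. A secure-by-default shape would invert it, returning `$formatted` unchanged (Twig autoescape then applies) unless the field explicitly opted into raw HTML, e.g. `if (!$field->getCustomOption(/* explicit raw-HTML opt-in option, name TBD */)) { return $formatted; }` ahead of the Markup line. Separately, `getCustomOptions(TextField::OPTION_STRIP_TAGS)` reads like the plural accessor for the whole option bag (FieldDto presumably also has a singular `getCustomOption(string)`); if the plural form ignores its argument and returns a non-empty object, this condition is always truthy and every string result skips Markup regardless of configuration, so it is worth confirming against FieldDto. Since this configurator appears to run for every field type, keying the check on a TextField constant also means fields of other types have no API of their own to set it. buildFormattedValueOption begins outside the hunk.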