fix: [settings:settingField] Enforce sanitization of input fields

- As reported by Dawid Czarnecki from Zigrin Security
cli-modification-summary
Sami Mokaddem 2022-02-07 11:43:09 +01:00
parent 336dfb091c
commit e13b4e7bc5
No known key found for this signature in database
GPG Key ID: 164C473F627A06FA
1 changed files with 16 additions and 16 deletions


@ -13,11 +13,11 @@
(!empty($setting['error']) ? $appView->get('variantFromSeverity')[$setting['severity']] : ''), (!empty($setting['error']) ? $appView->get('variantFromSeverity')[$setting['severity']] : ''),
], ],
($setting['type'] == 'textarea' ? '' : 'type') => ($setting['type'] == 'textarea' ? '' : 'text'), ($setting['type'] == 'textarea' ? '' : 'type') => ($setting['type'] == 'textarea' ? '' : 'text'),
'id' => $settingId, 'id' => h($settingId),
'data-setting-name' => $settingName, 'data-setting-name' => h($settingName),
'value' => isset($setting['value']) ? $setting['value'] : "", 'value' => isset($setting['value']) ? h($setting['value']) : "",
'placeholder' => $setting['default'] ?? '', 'placeholder' => empty($setting['default']) ? '' : h($setting['default']),
'aria-describedby' => "{$settingId}Help" 'aria-describedby' => h("{$settingId}Help")
] ]
); );
})($settingName, $setting, $this); })($settingName, $setting, $this);
@ -28,13 +28,13 @@
return $this->Bootstrap->switch([ return $this->Bootstrap->switch([
'label' => h($setting['description']), 'label' => h($setting['description']),
'checked' => !empty($setting['value']), 'checked' => !empty($setting['value']),
'id' => $settingId, 'id' => h($settingId),
'class' => [ 'class' => [
(!empty($setting['error']) ? 'is-invalid' : ''), (!empty($setting['error']) ? 'is-invalid' : ''),
(!empty($setting['error']) ? $appView->get('variantFromSeverity')[$setting['severity']] : ''), (!empty($setting['error']) ? $appView->get('variantFromSeverity')[$setting['severity']] : ''),
], ],
'attrs' => [ 'attrs' => [
'data-setting-name' => $settingName 'data-setting-name' => h($settingName)
] ]
]); ]);
})($settingName, $setting, $this); })($settingName, $setting, $this);
@ -53,16 +53,16 @@
'type' => 'number', 'type' => 'number',
'min' => '0', 'min' => '0',
'step' => 1, 'step' => 1,
'id' => $settingId, 'id' => h($settingId),
'data-setting-name' => $settingName, 'data-setting-name' => h($settingName),
'aria-describedby' => "{$settingId}Help" 'aria-describedby' => h("{$settingId}Help")
]); ]);
})($settingName, $setting, $this); })($settingName, $setting, $this);
} elseif ($setting['type'] == 'select' || $setting['type'] == 'multi-select') { } elseif ($setting['type'] == 'select' || $setting['type'] == 'multi-select') {
$input = (function ($settingName, $setting, $appView) { $input = (function ($settingName, $setting, $appView) {
$settingId = str_replace('.', '_', $settingName); $settingId = str_replace('.', '_', $settingName);
$setting['value'] = $setting['value'] ?? ''; $setting['value'] = empty($setting['value']) ? '' : h($setting['value']);
if ($setting['type'] == 'multi-select') { if ($setting['type'] == 'multi-select') {
if (!is_array($setting['value'])) { if (!is_array($setting['value'])) {
$firstChar = substr($setting['value'], 0, 1); $firstChar = substr($setting['value'], 0, 1);
@ -77,7 +77,7 @@
foreach ($setting['options'] as $key => $value) { foreach ($setting['options'] as $key => $value) {
$optionParam = [ $optionParam = [
'class' => [], 'class' => [],
'value' => $key, 'value' => h($key),
]; ];
if ($setting['type'] == 'multi-select') { if ($setting['type'] == 'multi-select') {
if (in_array($key, $setting['value'])) { if (in_array($key, $setting['value'])) {
@ -100,10 +100,10 @@
(!empty($setting['error']) ? $appView->get('variantFromSeverity')[$setting['severity']] : ''), (!empty($setting['error']) ? $appView->get('variantFromSeverity')[$setting['severity']] : ''),
], ],
($setting['type'] == 'multi-select' ? 'multiple' : '') => ($setting['type'] == 'multi-select' ? 'multiple' : ''), ($setting['type'] == 'multi-select' ? 'multiple' : '') => ($setting['type'] == 'multi-select' ? 'multiple' : ''),
'id' => $settingId, 'id' => h($settingId),
'data-setting-name' => $settingName, 'data-setting-name' => h($settingName),
'placeholder' => $setting['default'] ?? '', 'placeholder' => empty($setting['default']) ? '' : h($setting['default']),
'aria-describedby' => "{$settingId}Help" 'aria-describedby' => h("{$settingId}Help")
], $options); ], $options);
})($settingName, $setting, $this); })($settingName, $setting, $this);
} }
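Review bot: In the -53 hunk, `$setting['value'] = empty($setting['value']) ? '' : h($setting['value']);` escapes the stored value before it is used for comparison rather than at output, so in the -77 hunk `in_array($key, $setting['value'])` compares raw option keys against an HTML-escaped value and any key containing `&`, `<`, `"` or `'` will no longer be marked as selected; the same applies to the single-select comparison, which appears to sit outside these hunks. The `empty()` guard also collapses a legitimate value of `0` or `'0'` to `''`, which changes which option is selected, and the placeholder lines have the same `'0'` problem. Keep the raw value for matching and escape only where it is emitted: `$setting['value'] = $setting['value'] ?? '';` (the option `value` is already `h($key)`), and `'placeholder' => h($setting['default'] ?? '')` in place of the `empty()` ternaries. If `$this->Bootstrap` already escapes attribute values when it renders the tag, the added `h()` calls on `id`, `data-setting-name` and `aria-describedby` will double-encode (`&amp;amp;`), so it is worth confirming whether the helper or this view is the single escaping layer. The closure begun in the -53 hunk continues past the -77 hunk and closes in the -100 hunk.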