add security in twig filters

Simon Vieille 2021-06-16 20:00:35 +02:00
parent 136105a530
commit 069f93c1c6
3 changed files with 4 additions and 3 deletions


@ -38,6 +38,7 @@ class CrudExtension extends AbstractExtension
$field = $config['field'];
$instance = new $field();
$resolver = $instance->configureOptions(new OptionsResolver());
$flags = ENT_HTML5 | ENT_QUOTES;
$render = $instance->buildView($this->twig, $entity, $resolver->resolve($config['options']), $locale);
@ -59,7 +60,7 @@ class CrudExtension extends AbstractExtension
}
foreach ($attrs as $k => $v) {
$attributes .= sprintf(' %s="%s" ', htmlspecialchars($k), htmlspecialchars($v));
$attributes .= sprintf(' %s="%s" ', htmlspecialchars($k, $flags), htmlspecialchars($v, $flags));
}
$render = sprintf('<a%s>%s</a>', $attributes, $render);
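Review bot: `$flags = ENT_HTML5 | ENT_QUOTES;` in the first hunk omits ENT_SUBSTITUTE, so an attribute key or value containing an invalid UTF-8 sequence makes htmlspecialchars() return an empty string and the attribute is silently dropped instead of escaped; `$flags = ENT_HTML5 | ENT_QUOTES | ENT_SUBSTITUTE;` keeps the output and replaces the bad bytes with U+FFFD. The encoding is also left to default_charset; passing 'UTF-8' explicitly would make the escaping independent of ini settings. Escaping `$k` does not make an attacker-chosen attribute name safe (an event-handler attribute name contains nothing htmlspecialchars() touches), so if the keys of `$attrs` can originate outside the application they need an allow-list rather than escaping — where `$attrs` comes from is not visible in these hunks. The same flag set is duplicated in the FileInformationExtension hunk, where ENT_SUBSTITUTE is missing as well. The enclosing method begins before the first hunk and continues after the second.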


@ -72,7 +72,7 @@ class FileInformationExtension extends AbstractExtension
if ($fileInfo) {
foreach ($fileInfo->getAttributes() as $attribute) {
if ($attribute['label'] === $label) {
$value = $attribute['value'];
$value = htmlspecialchars($attribute['value'], ENT_HTML5 | ENT_QUOTES);
}
}
}
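Review bot: Escaping inside the filter at `$value = htmlspecialchars($attribute['value'], ENT_HTML5 | ENT_QUOTES);` is only correct if the Twig filter is registered with `is_safe => ['html']`; otherwise Twig's autoescape escapes the returned value a second time and entities show up literally. Conversely, if it is registered as safe, every other assignment to `$value` in this method must also be escaped, because the whole return value is then trusted by Twig. The filter registration is not in this hunk, so please confirm which case applies and document it with a short comment on the assignment. The method's start and end lie outside the hunk.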


@ -27,7 +27,7 @@ class UrlExtension extends AbstractExtension
public function replaceUrl(?string $content)
{
preg_match_all('#\{\{\s*url://(?P<route>[a-z_]+)(\?(?P<params>.*))?\s*\}\}#isU', $content, $match, PREG_SET_ORDER);
preg_match_all('#\{\{\s*url://(?P<route>[a-z0-9_]+)(\?(?P<params>.*))?\s*\}\}#isU', $content, $match, PREG_SET_ORDER);
foreach ($match as $block) {
$url = null;
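Review bot: The widened route-name pattern `[a-z0-9_]+` leaves the placeholder grammar recoverable only by reading the regex; a comment above the `preg_match_all` call such as `// Expand {{ url://route_name?query }} placeholders; route names are limited to [a-z0-9_] (case-insensitive via the i modifier)` would record the accepted syntax. Independently, `$content` is declared `?string` but is passed straight to `preg_match_all()`, which emits a deprecation for null on PHP 8.1+; `$content ?? ''` on that line avoids it, though this predates the commit. replaceUrl() continues past the end of the hunk.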