add security in twig filters
parent
136105a530
commit
069f93c1c6
|
@ -38,6 +38,7 @@ class CrudExtension extends AbstractExtension
|
||||||
$field = $config['field'];
|
$field = $config['field'];
|
||||||
$instance = new $field();
|
$instance = new $field();
|
||||||
$resolver = $instance->configureOptions(new OptionsResolver());
|
$resolver = $instance->configureOptions(new OptionsResolver());
|
||||||
|
$flags = ENT_HTML5 | ENT_QUOTES;
|
||||||
|
|
||||||
$render = $instance->buildView($this->twig, $entity, $resolver->resolve($config['options']), $locale);
|
$render = $instance->buildView($this->twig, $entity, $resolver->resolve($config['options']), $locale);
|
||||||
|
|
||||||
|
@ -59,7 +60,7 @@ class CrudExtension extends AbstractExtension
|
||||||
}
|
}
|
||||||
|
|
||||||
foreach ($attrs as $k => $v) {
|
foreach ($attrs as $k => $v) {
|
||||||
$attributes .= sprintf(' %s="%s" ', htmlspecialchars($k), htmlspecialchars($v));
|
$attributes .= sprintf(' %s="%s" ', htmlspecialchars($k, $flags), htmlspecialchars($v, $flags));
|
||||||
}
|
}
|
||||||
|
|
||||||
$render = sprintf('<a%s>%s</a>', $attributes, $render);
|
$render = sprintf('<a%s>%s</a>', $attributes, $render);
|
||||||
|
|
|
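Review bot: Calling htmlspecialchars() on `$k` in the foreach does not make an attribute name safe, because a key containing a space, `=` or `/` is not encoded and still splits into extra attributes. If `$attrs` can carry caller- or user-supplied keys (its origin is outside these hunks), skip names that fail a strict pattern, e.g. `if (!preg_match('/^[a-zA-Z_:][a-zA-Z0-9_:.-]*$/', (string) $k)) { continue; }`. Passing explicit flags also drops the `ENT_SUBSTITUTE` default of PHP 8.1+, so a value with invalid UTF-8 now encodes to an empty string; `$flags = ENT_HTML5 | ENT_QUOTES | ENT_SUBSTITUTE;` keeps it. URL-bearing attributes such as `href` still need scheme validation, which entity encoding does not provide. The method starts and ends outside the shown hunks.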
@ -72,7 +72,7 @@ class FileInformationExtension extends AbstractExtension
|
||||||
if ($fileInfo) {
|
if ($fileInfo) {
|
||||||
foreach ($fileInfo->getAttributes() as $attribute) {
|
foreach ($fileInfo->getAttributes() as $attribute) {
|
||||||
if ($attribute['label'] === $label) {
|
if ($attribute['label'] === $label) {
|
||||||
$value = $attribute['value'];
|
$value = htmlspecialchars($attribute['value'], ENT_HTML5 | ENT_QUOTES);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
|
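Review bot: Encoding `$attribute['value']` inside the lookup hands already-encoded HTML to every caller, so under Twig autoescaping the value is encoded twice unless this function is registered with `is_safe`, and any non-HTML consumer receives entities. The registration is not visible here; if the goal is to stop raw output, prefer returning the plain value, letting the template escape it, and removing any `|raw` at the call sites. If the encoding stays, cast the value and keep invalid bytes from blanking it: `$value = htmlspecialchars((string) $attribute['value'], ENT_HTML5 | ENT_QUOTES | ENT_SUBSTITUTE);`. The enclosing method starts and ends outside this hunk.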
@ -27,7 +27,7 @@ class UrlExtension extends AbstractExtension
|
||||||
|
|
||||||
public function replaceUrl(?string $content)
|
public function replaceUrl(?string $content)
|
||||||
{
|
{
|
||||||
preg_match_all('#\{\{\s*url://(?P<route>[a-z_]+)(\?(?P<params>.*))?\s*\}\}#isU', $content, $match, PREG_SET_ORDER);
|
preg_match_all('#\{\{\s*url://(?P<route>[a-z0-9_]+)(\?(?P<params>.*))?\s*\}\}#isU', $content, $match, PREG_SET_ORDER);
|
||||||
|
|
||||||
foreach ($match as $block) {
|
foreach ($match as $block) {
|
||||||
$url = null;
|
$url = null;
|
||||||
|
|
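Review bot: `replaceUrl(?string $content)` accepts null but passes it straight to `preg_match_all()` as the subject, which is deprecated since PHP 8.1; pass `$content ?? ''` there or return early for null. The widened `route` class now lets content reference any route with an alphanumeric name, while `params` remains an unconstrained `.*`. How both are resolved and how the generated URL is written back into the content is outside this hunk, so confirm that only routes meant to be linkable from content are accepted and that the result is escaped for the context it lands in. The method continues past the end of the hunk.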