
Commit cef123f

committed
Add escaping of template code
1 parent cf990fe commit cef123f

6 files changed

Lines changed: 15 additions & 15 deletions


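--- a/view/adminhtml/templates/form/field.phtml
+++ b/view/adminhtml/templates/form/field.phtml
@@ -40,7 +40,7 @@ if (!empty($depends)) {
 $dependStatement = 'x-show="item.'.$depends['propertyName'] . " == '".$depends['propertyValue']."'\"";
 }
 ?>
-<div class="admin__field" <?= $dependStatement ?>>
+<div class="admin__field" <?= $escaper->escapeHtml($dependStatement) ?>>
 <div class="admin__field-label">
 <label for="<?= $escaper->escapeHtml($field->getCode()) ?>">
 <span><?= $escaper->escapeHtml($field->getLabel()) ?></span>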
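Review bot: `$escaper->escapeHtml($dependStatement)` on the added line 43 also encodes the double quotes that the assignment on line 40 builds into `$dependStatement` (Magento's escapeHtml encodes `"` as `&quot;`), so the browser no longer sees an `x-show="…"` attribute and the Alpine dependency toggle silently stops working. The fix is to escape only the untrusted parts while building the string and emit the finished attribute raw: `$dependStatement = 'x-show="' . $escaper->escapeHtmlAttr('item.' . $depends['propertyName'] . " == '" . $depends['propertyValue'] . "'") . '"';` together with `<div class="admin__field" <?= /* @noEscape */ $dependStatement ?>>`. That keeps `$depends['propertyName']` and `$depends['propertyValue']` from breaking out of the attribute while leaving the attribute syntax intact. The enclosing `if (!empty($depends))` block starts before the hunk, and `$escaper` is already used on line 45 of the same template, so it is in scope at line 40.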

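--- a/view/adminhtml/templates/form/field_type/entity_select.phtml
+++ b/view/adminhtml/templates/form/field_type/entity_select.phtml
@@ -43,9 +43,9 @@ $valueCode = $entitySelect->getValueCode();
 <div
 x-data="LokiAdminFormEntitySelectComponent"
 @keyup.esc="closeWrapper"
-data-value-code="<?= $valueCode ?>"
+data-value-code="<?= $escaper->escapeHtml($valueCode) ?>"
 >
-<script x-ref="initialData" type="text/x-loki-init"><?= $entitySelect->getJsonData() ?></script>
+<script x-ref="initialData" type="text/x-loki-init"><?= $escaper->escapeHtml($entitySelect->getJsonData()) ?></script>
 
 <div class="input-with-button">
 <input
@@ -60,7 +60,7 @@ $valueCode = $entitySelect->getValueCode();
 @change="<?= $escaper->escapeHtml($field->getAlpineSetter()) ?>"
 >
 
-<button @click="showModalWrapper"><?= __($buttonLabel) ?></button>
+<button @click="showModalWrapper"><?= $escaper->escapeHtml(__($buttonLabel)) ?></button>
 </div>
 
 <template x-teleport="body">
@@ -74,7 +74,7 @@ $valueCode = $entitySelect->getValueCode();
 <div class="modal-inner-wrap" style="padding:20px;">
 <header class="modal-header">
 <h1 class="modal-title" data-role="title">
-<?= $modalTitle ?>
+<?= $escaper->escapeHtml($modalTitle) ?>
 </h1>
 <button
 @click="closeWrapper"
@@ -115,7 +115,7 @@ $valueCode = $entitySelect->getValueCode();
 <?php foreach ($columns as $column) : ?>
 <th class="data-grid-th">
 <span class="data-grid-cell-content">
-<?= $column->getLabel() ?>
+<?= $escaper->escapeHtml($column->getLabel()) ?>
 </span>
 </th>
 <?php endforeach; ?>
@@ -130,7 +130,7 @@ $valueCode = $entitySelect->getValueCode();
 </td>
 <?php foreach ($columns as $column) : ?>
 <td class="data-grid-cell">
-<div class="data-grid-cell-content" x-html="entity.<?= $column->getCode() ?>"></div>
+<div class="data-grid-cell-content" x-html="entity.<?= $escaper->escapeHtml($column->getCode()) ?>"></div>
 </td>
 <?php endforeach; ?>
 </tr>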

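--- a/view/adminhtml/templates/form/field_type/entity_select/table.phtml
+++ b/view/adminhtml/templates/form/field_type/entity_select/table.phtml
@@ -141,15 +141,15 @@ $state = $viewModel->getState();
 
 <?php if ($cellAction->hasJsMethod()): ?>
 <a
-data-id="<?= $item->getId() ?>"
+data-id="<?= $escaper->escapeHtml($item->getId()) ?>"
 onClick="<?= /* @noEscape */ $cellAction->getJsMethod() ?>"><
 <?= $escaper->escapeHtml( $cellAction->getLabel()) ?>
 </a>
 <?php endif; ?>
 
 <?php if ($cellAction->hasAlpineMethod()): ?>
 <a
-data-id="<?= $item->getId() ?>"
+data-id="<?= $escaper->escapeHtml($item->getId()) ?>"
 @click="<?= /* @noEscape */ $cellAction->getAlpineMethod() ?>">
 <?= $escaper->escapeHtml($cellAction->getLabel()) ?>
 </a>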

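--- a/view/adminhtml/templates/grid/table.phtml
+++ b/view/adminhtml/templates/grid/table.phtml
@@ -138,15 +138,15 @@ $state = $viewModel->getState();
 
 <?php if ($cellAction->hasJsMethod()): ?>
 <a
-data-id="<?= $item->getId() ?>"
+data-id="<?= $escaper->escapeHtml($item->getId()) ?>"
 onClick="<?= /* @noEscape */ $cellAction->getJsMethod() ?>"><
 <?= $escaper->escapeHtml( $cellAction->getLabel()) ?>
 </a>
 <?php endif; ?>
 
 <?php if ($cellAction->hasAlpineMethod()): ?>
 <a
-data-id="<?= $item->getId() ?>"
+data-id="<?= $escaper->escapeHtml($item->getId()) ?>"
 @click="<?= /* @noEscape */ $cellAction->getAlpineMethod() ?>">
 <?= $escaper->escapeHtml($cellAction->getLabel()) ?>
 </a>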

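--- a/view/adminhtml/templates/script/component/editor-component.phtml
+++ b/view/adminhtml/templates/script/component/editor-component.phtml
@@ -24,9 +24,9 @@ $editor = $viewModelFactory->create(Editor::class);
 tinymce.init({
 target: this.$refs.editor,
 height: 500,
-plugins: JSON.parse('<?= $editor->getPluginsAsJson() ?>'),
-toolbar: '<?= $editor->getToolbarAsString() ?>',
-content_style: '<?= $editor->getContentStyle() ?>',
+plugins: JSON.parse('<?= $escaper->escapeHtml($editor->getPluginsAsJson()) ?>'),
+toolbar: '<?= $escaper->escapeHtml($editor->getToolbarAsString()) ?>',
+content_style: '<?= $escaper->escapeHtml($editor->getContentStyle()) ?>',
 setup(editor) {
 editor.on('change keyup input', () => {
 item[identifier] = editor.getContent();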
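Review bot: The added lines 27–29 are inside a JavaScript block (`tinymce.init({…})`), where `escapeHtml` is the wrong escaper: the HTML parser does not decode entities inside `<script>`, so every `"` in the plugin JSON reaches `JSON.parse` as the literal text `&quot;` and parsing throws, while a backslash or line break in the toolbar or content-style values passes through unchanged and can still break the single-quoted literal. In a JS string context the context-matching method is `escapeJs`, which emits `\uXXXX` sequences that the JS parser decodes before `JSON.parse` runs: `plugins: JSON.parse('<?= $escaper->escapeJs($editor->getPluginsAsJson()) ?>'),`, `toolbar: '<?= $escaper->escapeJs($editor->getToolbarAsString()) ?>',`, `content_style: '<?= $escaper->escapeJs($editor->getContentStyle()) ?>',`. The same applies to the added line 10 in view/adminhtml/templates/script/component/pagebuilder-component.phtml (`componentConfig`). The surrounding component definition starts before the hunk.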

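--- a/view/adminhtml/templates/script/component/pagebuilder-component.phtml
+++ b/view/adminhtml/templates/script/component/pagebuilder-component.phtml
@@ -7,7 +7,7 @@
 const elementId = this.$refs.textarea.getAttribute('id');
 const componentName = this.$refs.textarea.getAttribute('data-component-scope');
 
-const componentConfig = JSON.parse('<?= $editor->getComponentConfigAsJson() ?>');
+const componentConfig = JSON.parse('<?= $escaper->escapeHtml($editor->getComponentConfigAsJson()) ?>');
 
 return;
 require([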
