
Fix XSS when using setFormatValue($callable)

Open allan-simon opened this issue 1 year ago • 2 comments

Instead, if people do need it, we force them to do ->setStripTag(true) beforehand.

Example to reproduce: create two entities, Comment and Author, and in the Comment CRUD controller do the following:

        // the callback's return value is rendered as-is for AssociationField
        yield AssociationField::new('author', 'Author of the comment')
            ->formatValue(function ($value, Author $author) {
                return $author->getName();
            });

If the author's name contains <script>alert("coucou")</script>, it will inject an XSS into the admin.

Instead, with this PR you will be required to do:

        yield AssociationField::new('author', 'Author of the comment')
            // explicit opt-out of the default tag stripping introduced by this PR
            ->stripTag(false)
            ->formatValue(function ($value, Author $author) {
                return $author->getName();
            });

if you want to intentionally disable it.

allan-simon avatar Apr 11 '24 16:04 allan-simon
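The following is an added, stand-alone example that is not part of the issue or of EasyAdminBundle's code. It reproduces the shape of the formatValue callback from the report (an Author entity with getName()) outside the bundle, so it can be run with the PHP CLI, and shows the mitigation a user can apply today regardless of how the PR lands: escape the value inside the callback. The function names formatAuthorRaw and formatAuthorEscaped are ours, not EasyAdmin API.

```php
<?php
// Added example, not EasyAdminBundle code. Models the formatValue() callback
// from the issue and contrasts the raw return with an escaped one. Author and
// the ($value, Author $author) signature follow the report; helper names are ours.

declare(strict_types=1);

final class Author
{
    public function __construct(private string $name) {}

    public function getName(): string
    {
        return $this->name;
    }
}

// The pattern from the issue: the callback returns the raw entity data.
// For AssociationField the bundle renders this return value unescaped,
// so any markup in the name reaches the admin page as live HTML.
function formatAuthorRaw(mixed $value, Author $author): string
{
    return $author->getName();
}

// Hardened callback: escape for an HTML context before returning.
// htmlspecialchars() with ENT_QUOTES | ENT_SUBSTITUTE turns <, >, ", ' and &
// into entities, so the browser shows the name as text instead of executing it.
function formatAuthorEscaped(mixed $value, Author $author): string
{
    return htmlspecialchars($author->getName(), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample input: an author whose name carries the payload quoted in the issue.
$author = new Author('<script>alert("coucou")</script>');

// Simulate what the template would emit for each callback.
$raw     = formatAuthorRaw(null, $author);
$escaped = formatAuthorEscaped(null, $author);

echo "raw:     {$raw}\n";
echo "escaped: {$escaped}\n";

// The escaped form must contain no tag delimiters at all.
assert(!str_contains($escaped, '<') && !str_contains($escaped, '>'));
```

Escaping (htmlspecialchars) is preferable to stripping (strip_tags) as a user-side fix: it keeps the author's text intact while making it inert, which is the same treatment a template engine applies to plain field values by default. Stripping is a sanitizer, so it changes the displayed name and only helps for the tag-based payload shown here.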

Here I really think it's a bug, because TextField::setFormatValue is safe by default, while AssociationField::setFormatValue is not.

allan-simon avatar Apr 17 '24 22:04 allan-simon

@javiereguiluz do you agree with me here (so that I know if it's worth it to fix the PR)?

allan-simon avatar Apr 17 '24 23:04 allan-simon