Merge pull request #93 from iseries/iseries-patch-xss

[FIX] Improved security for import output to protect against XSS
neos · Aug 3, 2023 · 54aea2a · 54aea2a
2 parents f318460 + ba5808a
commit 54aea2a
Showing 1 changed file with 3 additions and 3 deletions.
diff --git a/Resources/Private/FusionModule/Components/ImportProtocol.fusion b/Resources/Private/FusionModule/Components/ImportProtocol.fusion
@@ -20,9 +20,9 @@ prototype(Neos.RedirectHandler.Ui:Component.ImportProtocol) < prototype(Neos.Fus
                         <i class="fas fa-equals" @if.type={entry.type == 'unchanged'}></i>
                     </td>
                     <td class={props.className + '-entry__label'}>
-                        {entry.message}
+                        {String.htmlSpecialChars(entry.message)}
                         <span @if.hasRedirect={entry.redirect}>
-                            {entry.redirect.host}/{entry.redirect.sourceUriPath} &rarr; {entry.redirect.targetUriPath} ({entry.redirect.statusCode})
+                            {String.htmlSpecialChars(entry.redirect.host)}/{String.htmlSpecialChars(entry.redirect.sourceUriPath)} &rarr; {String.htmlSpecialChars(entry.redirect.targetUriPath)} ({String.htmlSpecialChars(entry.redirect.statusCode)})
                         </span>
                     </td>
                     <td>
@@ -37,7 +37,7 @@ prototype(Neos.RedirectHandler.Ui:Component.ImportProtocol) < prototype(Neos.Fus
                     </td>
                     <td title={entry.redirect.comment}>
                         <span @if.comment={entry.redirect.comment}>
-                            {String.crop(entry.redirect.comment, 25, '&#8230;') || '&ndash;'}
+                            {String.crop(String.htmlSpecialChars(entry.redirect.comment), 25, '&#8230;') || '&ndash;'}
                         </span>
                     </td>
                 </tr>