CVE-2023-0827: [Task] Improve check validity (#14301) · pimcore/pimcore@f405058
Stored Cross-site Scripting (XSS) in the GitHub repository pimcore/pimcore prior to 1.5.17.
@@ -177,10 +177,15 @@ public function checkValidity($data, $omitMandatoryCheck = false, $params = [])
if (is_array($data)) {
/** @var Model\DataObject\Data\UrlSlug $item */
foreach ($data as $item) {
$slug = $item->getSlug();
$slug = htmlspecialchars($item->getSlug());
$foundSlug = true;
if (strlen($slug) > 0) {
$slugToCompare = preg_replace('/[#\?\*\:\\\\<\>\|"%&@=;]/’, '-', $item->getSlug());
if($item->getSlug() !== $slugToCompare){
throw new Model\Element\ValidationException(‘Slug contains forbidden characters!’);
}
$document = Model\Document::getByPath($slug);
if ($document) {
throw new Model\Element\ValidationException(‘Slug must be unique. Found conflict with document path "’ . $slug . ‘"’);