XSS bei Admins möglich. getNameLocalized und die Aufrufe dazu, angepa…

…sst #1482
yakamara · Mar 4, 2024 · c6db7d8 · c6db7d8
1 parent 67d860c
commit c6db7d8
Show file tree

Hide file tree

Showing 6 changed files with 22 additions and 26 deletions.
diff --git a/plugins/manager/boot.php b/plugins/manager/boot.php
@@ -47,7 +47,7 @@
     $prio = 1;
     foreach ($tables as $table) {
         if ($table->isActive() && $table->isGranted('VIEW', rex::getUser())) {
-            $be_page = new rex_be_page_main('yform_tables', $table->getTableName(), $table->getNameLocalized());
+            $be_page = new rex_be_page_main('yform_tables', $table->getTableName(), rex_escape($table->getNameLocalized()));
             $be_page->setHref('index.php?page=yform/manager/data_edit&table_name=' . $table->getTableName());
             $be_page->setIcon('rex-icon rex-icon-module');
             $be_page->setPrio($prio);
@@ -82,8 +82,8 @@
     $this->setProperty('pages', $pages);
 }
 
-\rex_extension::register('MEDIA_IS_IN_USE', 'rex_yform_value_be_media::isMediaInUse');
-\rex_extension::register('PACKAGES_INCLUDED', 'rex_yform_value_be_link::isArticleInUse');
+rex_extension::register('MEDIA_IS_IN_USE', 'rex_yform_value_be_media::isMediaInUse');
+rex_extension::register('PACKAGES_INCLUDED', 'rex_yform_value_be_link::isArticleInUse');
 
 rex_extension::register('YFORM_SAVED', static function (rex_extension_point $ep) {
     if ($ep->getSubject() instanceof Exception) {

diff --git a/plugins/manager/lib/yform/manager.php b/plugins/manager/lib/yform/manager.php
@@ -127,12 +127,12 @@ public function getDataPage()
             $this->setLinkVars($searchObject->getSearchVars());
         }
 
-        $description = $popup || ('' == $this->table->getDescription()) ? '' : '<br />' . $this->table->getDescription();
+        $description = $popup || ('' == $this->table->getDescription()) ? '' : '<p>' . nl2br(rex_escape($this->table->getDescription())) . '</p>';
 
         echo rex_extension::registerPoint(
             new rex_extension_point(
                 'YFORM_MANAGER_DATA_PAGE_HEADER',
-                rex_view::title(rex_i18n::msg('yform_table') . ': ' . $this->table->getNameLocalized() . ' <small>[' . $this->table->getTablename() . ']' . $description . '</small>', ''),
+                rex_view::title(rex_i18n::msg('yform_table') . ': ' . rex_escape($this->table->getNameLocalized()) . ' <small>[' . rex_escape($this->table->getTablename()) . ']</small>', '') . $description,
                 [
                     'yform' => $this,
                 ],
@@ -368,7 +368,6 @@ public function getDataPage()
                         $sql_db = rex_sql::factory();
                         $form = '';
                         $sql_db->transactional(static function () use (&$form, &$yform, $data, $func) {
-
                             $afterFieldsExecuted = static function (rex_yform $yform) {
                                 /** @var rex_yform_value_abstract $valueObject */
                                 foreach ($yform->objparams['values'] as $valueObject) {
@@ -414,7 +413,6 @@ public function getDataPage()
                             }
 
                             $form = $data->executeForm($yform, $afterFieldsExecuted);
-
                         });
 
                         if ($yform->objparams['actions_executed']) {
@@ -502,14 +500,12 @@ public function getDataPage()
                                 ];
                             }
                         }
-
-                    } catch (\Throwable $e) {
+                    } catch (Throwable $e) {
                         $mainMessages[] = [
                             'type' => 'error',
                             'message' => rex_i18n::msg('yform_editdata_collection_error_abort', $e->getMessage()),
                         ];
                     }
-
                 }
                 break;
         }
@@ -785,7 +781,7 @@ public function getFieldPage()
 
         $table = $this->table;
 
-        $table_info = '<b>' . $table->getNameLocalized() . ' [<a href="index.php?page=yform/manager/table_edit&start=0&table_id=' . $table->getId() . '&func=edit">' . $table->getTableName() . '</a>]</b> ';
+        $table_info = '<b>' . rex_escape($table->getNameLocalized()) . ' [<a href="index.php?page=yform/manager/table_edit&start=0&table_id=' . $table->getId() . '&func=edit">' . $table->getTableName() . '</a>]</b> ';
         echo rex_view::info($table_info);
 
         $_csrf_key = $this->table->getCSRFKey();

diff --git a/plugins/manager/lib/yform/manager/table.php b/plugins/manager/lib/yform/manager/table.php
@@ -15,15 +15,15 @@ final class rex_yform_manager_table implements ArrayAccess
     protected $values = [];
     protected $columns = [];
 
-    /** @var rex_yform_manager_field[] */
+    /** @var array<rex_yform_manager_field> */
     protected $fields = [];
 
-    /** @var rex_yform_manager_field[] */
+    /** @var array<rex_yform_manager_field> */
     protected $relations;
 
     protected static bool $debug = false;
 
-    /** @var self[] */
+    /** @var array<self> */
     protected static $tables = [];
     protected static bool $loadedAllTables = false;
 
@@ -56,7 +56,7 @@ public function getTableLayout(): string
     /**
      * @param string $tableName
      *
-     * @return null|rex_yform_manager_table
+     * @return rex_yform_manager_table|null
      */
     public static function get($tableName)
     {
@@ -102,7 +102,7 @@ public static function getById(int $tableID)
     }
 
     /**
-     * @return rex_yform_manager_table[]
+     * @return array<rex_yform_manager_table>
      */
     public static function getAll()
     {
@@ -145,11 +145,11 @@ public function getNameLocalized(): string
         if ($name === $table_name) {
             $name = 'translate:' . $name;
         }
-        $name = rex_i18n::translate($name);
+        $name = rex_i18n::translate($name, false);
         if (preg_match('/^\[translate:(.*?)\]$/', $name, $match)) {
             $name = $match[1];
         }
-        return \rex_i18n::translate($name);
+        return rex_i18n::translate($name, false);
     }
 
     public function getId()
@@ -244,7 +244,7 @@ public function getDescription(): string
     /**
      * Fields of yform Definitions.
      *
-     * @return rex_yform_manager_field[]
+     * @return array<rex_yform_manager_field>
      */
     public function getFields(array $filter = [])
     {
@@ -274,7 +274,7 @@ public function getFields(array $filter = [])
     }
 
     /**
-     * @return rex_yform_manager_field[]
+     * @return array<rex_yform_manager_field>
      */
     public function getValueFields(array $filter = [])
     {
@@ -300,7 +300,7 @@ public function getValueField($name)
     }
 
     /**
-     * @return rex_yform_manager_field[]
+     * @return array<rex_yform_manager_field>
      */
     public function getRelations()
     {
@@ -314,7 +314,7 @@ public function getRelations()
     /**
      * @param string $table
      *
-     * @return rex_yform_manager_field[]
+     * @return array<rex_yform_manager_field>
      */
     public function getRelationsTo($table)
     {
@@ -429,7 +429,7 @@ public function createDataset()
     /**
      * @param int $id
      *
-     * @return null|rex_yform_manager_dataset
+     * @return rex_yform_manager_dataset|null
      */
     public function getDataset($id)
     {

diff --git a/plugins/manager/lib/yform/manager/table/perm/edit.php b/plugins/manager/lib/yform/manager/table/perm/edit.php
@@ -14,7 +14,7 @@ public static function getFieldParams()
     {
         $arrayOptions = [];
         foreach (rex_yform_manager_table::getAll() as $table) {
-            $arrayOptions[$table->getTableName()] = rex_i18n::translate($table->getName()) . ' [' . $table->getTableName() . ']';
+            $arrayOptions[$table->getTableName()] = $table->getNameLocalized() . ' [' . $table->getTableName() . ']';
         }
 
         return [

diff --git a/plugins/manager/lib/yform/manager/table/perm/view.php b/plugins/manager/lib/yform/manager/table/perm/view.php
@@ -14,7 +14,7 @@ public static function getFieldParams()
     {
         $arrayOptions = [];
         foreach (rex_yform_manager_table::getAll() as $table) {
-            $arrayOptions[$table->getTableName()] = rex_i18n::translate($table->getName()) . ' [' . $table->getTableName() . ']';
+            $arrayOptions[$table->getTableName()] = $table->getNameLocalized() . ' [' . $table->getTableName() . ']';
         }
 
         return [

diff --git a/plugins/manager/pages/tableset_export.php b/plugins/manager/pages/tableset_export.php
@@ -15,7 +15,7 @@
 $yform_tables = [];
 foreach (rex_yform_manager_table::getAll() as $g_table) {
     $table_name = $g_table->getTableName();
-    $yform_tables[$table_name] = rex_i18n::translate($g_table->getNameLocalized()) . ' [' . $table_name . ']';
+    $yform_tables[$table_name] = $g_table->getNameLocalized() . ' [' . $table_name . ']';
 }
 
 $yform = new rex_yform();