Fix XSS in layout h1

the default layout does a `| raw` which can be exploited if the entity of your CRUD has a `__string()` method that uses some fields from the database. example to reproduce. create an entity Article with a field 'title' and a method __string() which returns it. Then put as title `<script>alert('toto')</script>` -> an XSS is triggered
EasyCorp · Apr 2, 2024 · 6fc47af · 6fc47af
1 parent df81f10
commit 6fc47af
Show file tree

Hide file tree

Showing 4 changed files with 4 additions and 4 deletions.
diff --git a/src/Resources/views/crud/detail.html.twig b/src/Resources/views/crud/detail.html.twig
@@ -37,7 +37,7 @@
     {%- apply spaceless -%}
         {% set custom_page_title = ea.crud.customPageTitle(pageName, entity ? entity.instance : null, ea.i18n.translationParameters) %}
         {{ custom_page_title is null
-            ? ea.crud.defaultPageTitle(null, null, ea.i18n.translationParameters)|trans|raw
+            ? ea.crud.defaultPageTitle(null, null, ea.i18n.translationParameters)|trans
             : custom_page_title|trans|raw }}
     {%- endapply -%}
 {% endblock %}

diff --git a/src/Resources/views/crud/edit.html.twig b/src/Resources/views/crud/edit.html.twig
@@ -45,7 +45,7 @@
     {%- apply spaceless -%}
         {% set custom_page_title = ea.crud.customPageTitle(pageName, entity ? entity.instance : null, ea.i18n.translationParameters) %}
         {{ custom_page_title is null
-            ? ea.crud.defaultPageTitle(null, null, ea.i18n.translationParameters)|trans|raw
+            ? ea.crud.defaultPageTitle(null, null, ea.i18n.translationParameters)|trans
             : custom_page_title|trans|raw }}
     {%- endapply -%}
 {% endblock %}

diff --git a/src/Resources/views/crud/index.html.twig b/src/Resources/views/crud/index.html.twig
@@ -39,7 +39,7 @@
     {%- apply spaceless -%}
         {% set custom_page_title = ea.crud.customPageTitle('index', null, ea.i18n.translationParameters) %}
         {{ custom_page_title is null
-            ? ea.crud.defaultPageTitle('index', null, ea.i18n.translationParameters)|trans|raw
+            ? ea.crud.defaultPageTitle('index', null, ea.i18n.translationParameters)|trans
             : custom_page_title|trans|raw }}
     {%- endapply -%}
 {% endblock %}

diff --git a/src/Resources/views/crud/new.html.twig b/src/Resources/views/crud/new.html.twig
@@ -45,7 +45,7 @@
     {%- apply spaceless -%}
         {% set custom_page_title = ea.crud.customPageTitle('new', null, ea.i18n.translationParameters) %}
         {{ custom_page_title is null
-            ? ea.crud.defaultPageTitle('new', null, ea.i18n.translationParameters)|trans|raw
+            ? ea.crud.defaultPageTitle('new', null, ea.i18n.translationParameters)|trans
             : custom_page_title|trans|raw }}
     {%- endapply -%}
 {% endblock %}