運営ユーザーが実行できないスクリプトイベントに「onerror」を追加、コンテンツ一覧でコンテンツを新規登録する際の通知メッセージをサニタイズ

baserproject · Oct 24, 2024 · ffc5df0 · ffc5df0
1 parent 0623a4f
commit ffc5df0
Show file tree

Hide file tree

Showing 6 changed files with 12 additions and 13 deletions.
diff --git a/plugins/baser-core/src/Model/Validation/BcValidation.php b/plugins/baser-core/src/Model/Validation/BcValidation.php
@@ -475,7 +475,7 @@ public static function containsScript($value)
         if (!$value) return true;
         $events = ['onclick', 'ondblclick', 'onmousedown', 'onmouseup', 'onmouseover', 'onmousemove',
             'onmouseout', 'onkeypress', 'onkeydown', 'onkeyup', 'onload', 'onunload',
-            'onfocus', 'onblur', 'onsubmit', 'onreset', 'onselect', 'onchange'];
+            'onfocus', 'onblur', 'onsubmit', 'onreset', 'onselect', 'onchange', 'onerror'];
         if (BcUtil::isAdminUser() || Configure::read('BcApp.allowedPhpOtherThanAdmins')) {
             return true;
         }

diff --git a/plugins/bc-admin-third/src/js/admin/_lib/jquery.bcTree.js b/plugins/bc-admin-third/src/js/admin/_lib/jquery.bcTree.js
@@ -1037,11 +1037,7 @@
                         data.name = result.content.name;
                         data.contentEntityId = result.content.entity_id;
                         data.contentTitle = result.content.title;
-                        data.contentTitle = data.contentTitle.replace(/&/g, '&amp;')
-                            .replace(/"/g, '&quot;')
-                            .replace(/'/g, '&#039;')
-                            .replace(/</g, '&lt;')
-                            .replace(/>/g, '&gt;');
+
                         $.ajax($.bcUtil.apiAdminBaseUrl + 'baser-core/contents/get_full_url/' + data.contentId + '.json', {
                             type: 'GET',
                             dataType: 'json'
@@ -1103,9 +1099,7 @@
                             $.bcUtil.showLoader();
                         },
                         success: function (result) {
-                            if (!result) {
-                                $.bcUtil.showNoticeMessage(result.message);
-                            }
+                            $.bcUtil.showNoticeMessage(result.message);
                             $.bcTree.settings[node.data.jstree.contentType]['existsTitle'] = editNode.text;
                             editNode.data.jstree.contentFullUrl = result.url;
                             editNode.data.jstree.name = result.name;

diff --git a/plugins/bc-admin-third/src/js/admin/_lib/jquery.bcUtil.js b/plugins/bc-admin-third/src/js/admin/_lib/jquery.bcUtil.js
@@ -112,6 +112,11 @@ import Cookies from 'js-cookie'
          * @param message
          */
         showNoticeMessage: function (message) {
+            message = message.replace(/&/g, '&amp;')
+                .replace(/"/g, '&quot;')
+                .replace(/'/g, '&#039;')
+                .replace(/</g, '&lt;')
+                .replace(/>/g, '&gt;');
             $.bcUtil.hideMessage();
             $("#BcSystemMessage")
                 .removeClass('notice-messge alert-message')

diff --git a/plugins/bc-admin-third/webroot/bc_favorite/js/admin/favorites/main.bundle.js.map b/plugins/bc-admin-third/webroot/bc_favorite/js/admin/favorites/main.bundle.js.map
diff --git a/plugins/bc-admin-third/webroot/js/admin/common.bundle.js b/plugins/bc-admin-third/webroot/js/admin/common.bundle.js
diff --git a/plugins/bc-admin-third/webroot/js/admin/common.bundle.js.map b/plugins/bc-admin-third/webroot/js/admin/common.bundle.js.map