EasyCorp / EasyAdminBundle

EasyAdmin is a fast, beautiful and modern admin generator for Symfony applications.
MIT License
3.99k stars, 1.01k forks

Fix XSS when using setFormatValue($callable) #6255

Open allan-simon opened 1 month ago

allan-simon commented 1 month ago

Instead, if people do need it, we force them to do

->setStripTag(true) before

Example to reproduce: create two entities, Comment and Author; in the Comment CRUD controller do the following

        // in CommentCrudController::configureFields(); the formatValue() callable
        // receives ($value, $entity), and for an AssociationField $value is the
        // related Author object (possibly null)
        yield AssociationField::new('author', 'Author of the comment')
            ->formatValue(function (?Author $author) {
                return $author?->getName();
            });

If the author's name contains `<script>alert("coucou")</script>`, it will inject an XSS into the admin.

Instead, with this PR, you will be required to do

        // same field, but tag stripping is now explicitly turned off
        yield AssociationField::new('author', 'Author of the comment')
            ->stripTag(false)
            ->formatValue(function (?Author $author) {
                return $author?->getName();
            });

if you want to intentionally disable it.
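To make the difference between the three behaviours concrete, here is an added, stand-alone PHP example (not code from the PR or from EasyAdmin). It assumes what the PR describes: the `formatValue()` callable receives the raw property value, and whatever it returns is printed into the admin template without further escaping. The `Author` class, the sample name and the `render()` helper are constructed for the example.

```php
<?php
// Added example, not part of the PR or of EasyAdmin. Shows the vulnerable
// callback from the PR next to two hardened variants, rendered into a
// simulated template that prints the callback's return value verbatim
// (the behaviour the PR reports for AssociationField::formatValue()).

declare(strict_types=1);

// Constructed sample entity: an author whose name carries the PR's payload.
final class Author
{
    public function __construct(private string $name) {}

    public function getName(): string
    {
        return $this->name;
    }
}

$author = new Author('Mallory <script>alert("coucou")</script>');

// 1. Vulnerable: the raw name is returned and lands in the page as markup.
$vulnerable = static fn (?Author $value): string => $value?->getName() ?? '';

// 2. Hardened by escaping: the full name is still shown, but as text.
//    ENT_QUOTES escapes both quote styles, so the result is also safe
//    inside a quoted attribute; ENT_SUBSTITUTE avoids empty output on
//    invalid UTF-8.
$escaped = static fn (?Author $value): string =>
    htmlspecialchars($value?->getName() ?? '', ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');

// 3. Hardened by stripping (the default this PR proposes): the <script>
//    element is removed, but its text content "alert(...)" remains visible.
$stripped = static fn (?Author $value): string => strip_tags($value?->getName() ?? '');

// Simulated admin cell: stands in for a template that outputs the formatted
// value with |raw, i.e. without any escaping of its own.
function render(callable $formatter, ?Author $author): string
{
    return '<td>' . $formatter($author) . '</td>';
}

// Compare the three outputs; only the first one contains a live <script> tag.
echo render($vulnerable, $author), PHP_EOL;
echo render($escaped, $author), PHP_EOL;
echo render($stripped, $author), PHP_EOL;
echo render($stripped, null), PHP_EOL; // nullable association renders as an empty cell
```

Run it with `php example.php`. The escaping variant is the more general fix: it keeps the name intact for the reader and is correct wherever the value ends up in the HTML. `strip_tags()` only removes tags, so it is a sufficient default for element content (which is what a list cell is) but not for a value that a custom template later places inside an attribute; a formatter that needs to emit real markup should escape the untrusted parts itself and opt out of stripping explicitly, as the PR's `->stripTag(false)` does.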

allan-simon commented 4 weeks ago

Here I really think it's a bug, because TextField::setFormatValue is safe by default, while AssociationField::setFormatValue is not.

allan-simon commented 4 weeks ago

@javiereguiluz do you agree with me here (so that I know if it's worth it to fix the PR)?