Unverified Commit d02b469e authored by GoT's avatar GoT Committed by GitHub

Merge pull request from GHSA-mrq4-7ch7-2465

Properly escape smarty output for twig
parents ed8eb7ce d2807b05
...@@ -218,26 +218,25 @@ EOF; ...@@ -218,26 +218,25 @@ EOF;
throw new Exception('PrestaShopBundle\Twig\LayoutExtension cannot find the {$content} string in legacy layout template', 1); throw new Exception('PrestaShopBundle\Twig\LayoutExtension cannot find the {$content} string in legacy layout template', 1);
} }
$content = str_replace( $explodedLayout = explode('{$content}', $layout);
[ $header = explode('</head>', $explodedLayout[0]);
'{$content}', $footer = explode('</body>', $explodedLayout[1]);
'var currentIndex = \'index.php\';',
'</head>', return $this->escapeSmarty(str_replace('var currentIndex = \'index.php\';', 'var currentIndex = \'' . $this->context->getAdminLink($controllerName) . '\';', $header[0]))
'</body>', . '{% block stylesheets %}{% endblock %}{% block extra_stylesheets %}{% endblock %}</head>'
], . $this->escapeSmarty($header[1])
[ . '{% block content_header %}{% endblock %}'
'{% block content_header %}{% endblock %} . '{% block content %}{% endblock %}'
{% block content %}{% endblock %} . '{% block content_footer %}{% endblock %}'
{% block content_footer %}{% endblock %} . '{% block sidebar_right %}{% endblock %}'
{% block sidebar_right %}{% endblock %}', . $this->escapeSmarty($footer[0])
'var currentIndex = \'' . $this->context->getAdminLink($controllerName) . '\';', . '{% block javascripts %}{% endblock %}{% block extra_javascripts %}{% endblock %}{% block translate_javascripts %}{% endblock %}</body>'
'{% block stylesheets %}{% endblock %}{% block extra_stylesheets %}{% endblock %}</head>', . $this->escapeSmarty($footer[1]);
'{% block javascripts %}{% endblock %}{% block extra_javascripts %}{% endblock %}{% block translate_javascripts %}{% endblock %}</body>', }
],
$layout
);
return $content; private function escapeSmarty(string $template): string
{
return '{{ \'' . addslashes($template) . '\' | raw }}';
} }
/** /**