From 205754854c96b51584fcb20626f986e735b43ec0 Mon Sep 17 00:00:00 2001 From: Elliot Sawyer Date: Mon, 14 Jul 2014 17:17:44 +1200 Subject: [PATCH] Sanitise domain name field to prevent XSS attack on the CMS PWC identified an issue with the subsites module that would allow someone with authenticated access to attack other CMS users, such as "stealing the session ID and hijacking an authenticated user's session". I can't imagine a case where HTML would ever be allowed in the subdomain of a website, so it's a good practice to strip it out anyway. Steps to reproduce the original issue: 1. Enter a subsite name and mark as the default site. 2. Add a new domain named and mark it as primary 3. Switch to the new subsite. 4. Make a new Page. This will execute a javascript alert containing "2". MINOR update documentation for onBeforeWrite() MINOR add @property attributes into docblock --- code/model/SubsiteDomain.php | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/code/model/SubsiteDomain.php b/code/model/SubsiteDomain.php index aabd72a..b6af634 100644 --- a/code/model/SubsiteDomain.php +++ b/code/model/SubsiteDomain.php @@ -1,5 +1,9 @@ fieldLabel('Domain'), null, 255), new CheckboxField('IsPrimary', $this->fieldLabel('IsPrimary')) ); + $this->extend('updateCMSFields', $fields); return $fields; } @@ -62,4 +67,15 @@ class SubsiteDomain extends DataObject { return $labels; } + + /** + * Before writing the Subsite Domain, strip out any HTML the user has entered. + * @return void + */ + public function onBeforeWrite() { + parent::onBeforeWrite(); + + //strip out any HTML to avoid XSS attacks + $this->Domain = Convert::html2raw($this->Domain); + } }