silverstripe-subsites/code/model/SubsiteDomain.php
Elliot Sawyer 205754854c Sanitise domain name field to prevent XSS attack on the CMS
PWC identified an issue with the subsites module that would allow someone with authenticated access to attack other CMS users, such as "stealing the session ID and hijacking an authenticated user's session".
I can't imagine a case where HTML would ever be allowed in the subdomain of a website, so it's a good practice to strip it out anyway.

Steps to reproduce the original issue:
1. Enter a subsite name and mark as the default site.
2. Add a new domain named <script>alert(2)</script> and mark it as primary
3. Switch to the new subsite.
4. Make a new Page. This will execute a javascript alert containing "2".

MINOR update documentation for onBeforeWrite()
MINOR add @property attributes into docblock
2014-07-16 15:43:05 +12:00

82 lines
1.6 KiB
PHP

<?php
/**
* @property text Domain domain name of this subsite. Do not include the URL scheme here
* @property bool IsPrimary Is this the primary subdomain?
*/
class SubsiteDomain extends DataObject {
/**
*
* @var array
*/
private static $db = array(
"Domain" => "Varchar(255)",
"IsPrimary" => "Boolean",
);
/**
*
* @var array
*/
private static $has_one = array(
"Subsite" => "Subsite",
);
/**
*
* @var array
*/
private static $summary_fields=array(
'Domain',
'IsPrimary',
);
/**
* Whenever a Subsite Domain is written, rewrite the hostmap
*
* @return void
*/
public function onAfterWrite() {
Subsite::writeHostMap();
}
/**
*
* @return \FieldList
*/
public function getCMSFields() {
$fields = new FieldList(
new TextField('Domain', $this->fieldLabel('Domain'), null, 255),
new CheckboxField('IsPrimary', $this->fieldLabel('IsPrimary'))
);
$this->extend('updateCMSFields', $fields);
return $fields;
}
/**
*
* @param bool $includerelations
* @return array
*/
public function fieldLabels($includerelations = true) {
$labels = parent::fieldLabels($includerelations);
$labels['Domain'] = _t('SubsiteDomain.DOMAIN', 'Domain');
$labels['IsPrimary'] = _t('SubsiteDomain.IS_PRIMARY', 'Is Primary Domain');
return $labels;
}
/**
* Before writing the Subsite Domain, strip out any HTML the user has entered.
* @return void
*/
public function onBeforeWrite() {
parent::onBeforeWrite();
//strip out any HTML to avoid XSS attacks
$this->Domain = Convert::html2raw($this->Domain);
}
}