Merge branch '3.4-release'

bundle/Controller/Admin/FieldController.php

@@ -12,7 +12,11 @@
 use function array_keys;
 use function array_values;
 use function count;
+use function htmlspecialchars;
 use function in_array;
+use const ENT_HTML401;
+use const ENT_QUOTES;
+use const ENT_SUBSTITUTE;
 
 final class FieldController extends Controller
 {
@@ -99,8 +103,8 @@ private function filterTags(TagList $tags, int $subTreeLimit, bool $hideRootTag)
 
             $data[] = [
                 'parent_id' => $tag->parentTagId,
-                'parent_name' => count($parentTagKeywords) > 0 ? array_values($parentTagKeywords)[0] : '',
-                'name' => array_values($tagKeywords)[0],
+                'parent_name' => count($parentTagKeywords) > 0 ? $this->escape(array_values($parentTagKeywords)[0]) : '',
+                'name' => $this->escape(array_values($tagKeywords)[0]),
                 'id' => $tag->id,
                 'main_tag_id' => $tag->mainTagId,
                 'locale' => array_keys($tagKeywords)[0],
@@ -109,4 +113,9 @@ private function filterTags(TagList $tags, int $subTreeLimit, bool $hideRootTag)
 
         return $data;
     }
+
+    private function escape($string): string
+    {
+        return htmlspecialchars($string, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401, 'UTF-8');
+    }
 }

bundle/Controller/Admin/TreeController.php

@@ -10,7 +10,11 @@
 use Symfony\Component\HttpFoundation\JsonResponse;
 use Symfony\Component\Routing\RouterInterface;
 use Symfony\Contracts\Translation\TranslatorInterface;
+use function htmlspecialchars;
 use function str_replace;
+use const ENT_HTML401;
+use const ENT_QUOTES;
+use const ENT_SUBSTITUTE;
 
 final class TreeController extends Controller
 {
@@ -148,7 +152,7 @@ private function getTagTreeData(Tag $tag, bool $isRoot = false): array
         return [
             'id' => $tag->id,
             'parent' => $isRoot ? '#' : $tag->parentTagId,
-            'text' => $synonymCount > 0 ? $tag->keyword . ' (+' . $synonymCount . ')' : $tag->keyword,
+            'text' => $synonymCount > 0 ? $this->escape($tag->keyword) . ' (+' . $synonymCount . ')' : $this->escape($tag->keyword),
             'children' => $this->tagsService->getTagChildrenCount($tag) > 0,
             'a_attr' => [
                 'href' => str_replace(':tagId', (string) $tag->id, $this->treeLinks['show_tag']),
@@ -193,4 +197,9 @@ private function getTagTreeData(Tag $tag, bool $isRoot = false): array
             ],
         ];
     }
+
+    private function escape($string): string
+    {
+        return htmlspecialchars($string, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401, 'UTF-8');
+    }
 }

bundle/Form/Type/FieldType/FieldValueTransformer.php

@@ -11,7 +11,11 @@
 use function array_key_exists;
 use function count;
 use function explode;
+use function htmlspecialchars;
 use function implode;
+use const ENT_HTML401;
+use const ENT_QUOTES;
+use const ENT_SUBSTITUTE;
 
 final class FieldValueTransformer implements DataTransformerInterface
 {
@@ -51,7 +55,7 @@ public function transform($value): ?array
 
             $ids[] = $tag->id;
             $parentIds[] = $tag->parentTagId;
-            $keywords[] = $tagKeyword ?? $mainKeyword;
+            $keywords[] = $this->escape($tagKeyword ?? $mainKeyword);
             $locales[] = $tagKeyword !== null ? $this->field->languageCode : $tag->mainLanguageCode;
         }
 
@@ -91,11 +95,16 @@ public function reverseTransform($value): Value
 
             $hash[] = [
                 'parent_id' => (int) $parentIds[$i],
-                'keywords' => [$locales[$i] => $keywords[$i]],
+                'keywords' => [$locales[$i] => $this->escape($keywords[$i])],
                 'main_language_code' => $locales[$i],
             ];
         }
 
         return $this->fieldType->fromHash($hash);
     }
+
+    private function escape($string): string
+    {
+        return htmlspecialchars($string, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401, 'UTF-8');
+    }
 }