deploy: 32e9fbc

FriendsOfREDAXO · Feb 11, 2025 · 0f7ac39 · 0f7ac39
1 parent 4369909
commit 0f7ac39
Show file tree

Hide file tree

Showing 7 changed files with 182 additions and 124 deletions.
diff --git a/classes/rex-article.html b/classes/rex-article.html
diff --git a/classes/rex-category.html b/classes/rex-category.html
diff --git a/classes/rex-structure-element.html b/classes/rex-structure-element.html
diff --git a/files/redaxo-main/redaxo/src/addons/mediapool/lib/service_media.php.txt b/files/redaxo-main/redaxo/src/addons/mediapool/lib/service_media.php.txt
@@ -1,6 +1,6 @@
 <?php
 
-use voku\helper\AntiXSS;
+use enshrined\svgSanitize\Sanitizer;
 
 /**
  * @package redaxo\mediapool
@@ -389,14 +389,7 @@ final class rex_media_service
 
         $content = rex_type::notNull(rex_file::get($path));
 
-        $antiXss = new AntiXSS();
-        $antiXss->removeNeverAllowedRegex(['&lt;!--', '&lt;!--$1--&gt;']);
-        $antiXss->removeEvilAttributes(['style', 'xlink:href']);
-        $antiXss->removeEvilHtmlTags(['style', 'svg', 'title']);
-
-        $content = $antiXss->xss_clean($content);
-        $content = preg_replace('/^\s*&lt;\?xml(.*?)\?&gt;/', '<?xml$1?>', $content);
-        $content = preg_replace('/&lt;!DOCTYPE(.*?)>/', '<!DOCTYPE$1>', $content);
+        $content = (new Sanitizer())->sanitize($content);
 
         rex_file::put($path, $content);
     }

diff --git a/files/redaxo-main/redaxo/src/addons/structure/lib/structure_element.php.txt b/files/redaxo-main/redaxo/src/addons/structure/lib/structure_element.php.txt
@@ -80,8 +80,8 @@ abstract class rex_structure_element
      * Returns Object Value.
      *
      * @param string $value
-     *
      * @return string|int|null
+     * @psalm-taint-source input
      */
     public function getValue($value)
     {
@@ -334,6 +334,7 @@ abstract class rex_structure_element
      * Returns the name of the article.
      *
      * @return string
+     * @psalm-taint-source input
      */
     public function getName()
     {

diff --git a/files/redaxo-main/redaxo/src/addons/structure/plugins/content/pages/content.php.txt b/files/redaxo-main/redaxo/src/addons/structure/plugins/content/pages/content.php.txt
@@ -72,7 +72,7 @@ $context = new rex_context([
 ]);
 
 // ----- Titel anzeigen
-echo rex_view::title(rex_i18n::msg('content') . ': ' . $OOArt->getName(), '');
+echo rex_view::title(rex_i18n::msg('content') . ': ' . rex_escape($OOArt->getName()), '');
 
 // ----- Languages
 echo rex_view::clangSwitchAsButtons($context);

diff --git a/files/redaxo-main/redaxo/src/core/boot.php.txt b/files/redaxo-main/redaxo/src/core/boot.php.txt
@@ -92,7 +92,7 @@ require_once rex_path::core('functions/function_rex_globals.php');
 require_once rex_path::core('functions/function_rex_other.php');
 
 // ----------------- VERSION
-rex::setProperty('version', '5.18.1');
+rex::setProperty('version', '5.18.2');
 
 $cacheFile = rex_path::coreCache('config.yml.cache');
 $configFile = rex_path::coreData('config.yml');