Always escape insecure content when rendering HTML

bobvandevijver · bobvandevijver · commit 295771a8f5f8 · 2024-04-10T21:44:13.000+02:00
diff --git a/Resources/doc/cookbook/modal-with-fields.md b/Resources/doc/cookbook/modal-with-fields.md
@@ -27,8 +27,8 @@ You can simply do it by adding modal with the field:
             </div>
           </div>
           <div class="modal-footer">
-            <button type="button" class="btn btn-default cancel" data-dismiss="modal">{{ 'action.custom.cancel'|trans({}, "Admingenerator")|raw }}</button>
-            <button type="submit" class="btn btn-primary confirm">{{ 'action.custom.confirm'|trans({}, "Admingenerator")|raw }}</button>
+            <button type="button" class="btn btn-default cancel" data-dismiss="modal">{{ 'action.custom.cancel'|trans({}, "Admingenerator") }}</button>
+            <button type="submit" class="btn btn-primary confirm">{{ 'action.custom.confirm'|trans({}, "Admingenerator") }}</button>
         </div>
         </form>
       </div>
diff --git a/Resources/views/flash.html.twig b/Resources/views/flash.html.twig
@@ -2,15 +2,15 @@
     <div class="alert alert-dismissable alert-success fade in">
         <i class="fa fa-check"></i>
         <button type="button" class="close" data-dismiss="alert" aria-hidden="true">×</button>
-        {{ flashMessage|raw }}
+        {{ flashMessage }}
     </div>
 {% endblock %}
 
 {% block flash_message_error %}
     <div class="alert alert-dismissable alert-danger fade in">
         <i class="fa fa-ban"></i>
         <button type="button" class="close" data-dismiss="alert" aria-hidden="true">×</button>
-        {{ flashMessage|raw }}
+        {{ flashMessage }}
     </div>
 {% endblock %}
 
diff --git a/Resources/views/templates/CommonAdmin/EditTemplate/fieldsets.php.twig b/Resources/views/templates/CommonAdmin/EditTemplate/fieldsets.php.twig
@@ -13,7 +13,7 @@
             {{ echo_block("form_fieldset_" ~ fieldsetName|classify|replace({'.': '_'})) }}
                 <fieldset class="form-model-tab-pane tab-pane-model-{{ fieldsetName|classify|replace({'.': '-'}) }} tab-pane">
                     {% if "NONE" != fieldsetName[:4] and "!" != fieldsetName[:1] %}
-                        <legend><span>{{ echo_trans(fieldsetName,{}, i18n_catalog|default("Admin") ) }}</span></legend>
+                        <legend><span>{{ echo_trans(fieldsetName,{}, i18n_catalog|default("Admin"), 'html' ) }}</span></legend>
                     {% endif %}
 
                     {% for rowName,row in fieldset %}
diff --git a/Resources/views/templates/CommonAdmin/ListTemplate/scopes.php.twig b/Resources/views/templates/CommonAdmin/ListTemplate/scopes.php.twig
@@ -11,7 +11,7 @@
                            "{ 'group': '" ~  (groupName|classify|lower) ~ "', 'scope': '" ~ (scopeName|classify|lower) ~ "' }") }}
                        ">
                         {%- if params.icon is defined %}<i class="fa {{ params.icon }}"></i> {% endif -%}
-                        {{- echo_trans(scopeName, {}, i18n_catalog|default("Admin")) -}}
+                        {{- echo_trans(scopeName, {}, i18n_catalog|default("Admin"), 'html') -}}
                     </a>
                     {% endfor %}
                 </div>
diff --git a/Resources/views/templates/CommonAdmin/ShowTemplate/show.php.twig b/Resources/views/templates/CommonAdmin/ShowTemplate/show.php.twig
@@ -13,7 +13,7 @@
 
                 <div class="show-model-tab-pane tab-pane-model-{{ fieldsetName|classify|replace({'.': '-'}) }} tab-pane">
                     {% if "NONE" != fieldsetName[:4] and "!" != fieldsetName[:1] %}
-                        <h2>{{ echo_trans(fieldsetName,{}, i18n_catalog is defined ? i18n_catalog : "Admin" ) }}</h2>
+                        <h2>{{ echo_trans(fieldsetName,{}, i18n_catalog is defined ? i18n_catalog : "Admin", 'html' ) }}</h2>
                     {% endif %}
 
                     {% for row in fieldset %}
diff --git a/Resources/views/templates/CommonAdmin/ShowTemplate/sidebar.php.twig b/Resources/views/templates/CommonAdmin/ShowTemplate/sidebar.php.twig
@@ -8,7 +8,7 @@
                 <div class="col-md-12 sidebar-widget-{{ name|classify|replace({'.': '-'})|lower }}">
                     <div class="box box-primary">
                         <div class="box-header">
-                            <h3 class="box-title">{{ echo_trans(name,{}, i18n_catalog|default("Admin") ) }}</h3>
+                            <h3 class="box-title">{{ echo_trans(name,{}, i18n_catalog|default("Admin"), 'html' ) }}</h3>
                         </div>
                         <div class="box-body">
                             {% if widget.partial is defined %}
diff --git a/Resources/views/templates/CommonAdmin/batch_actions.php.twig b/Resources/views/templates/CommonAdmin/batch_actions.php.twig
@@ -46,7 +46,7 @@
         {% endif -%}
         >
             {% if action.icon %}<i class="{% if action.icon is defined and action.icon|length > 0 %}fa {{ action.icon }}{% endif %}"></i> {% endif %}
-            {{ echo_trans(action.label, {}, translationDomain) }}
+            {{ echo_trans(action.label, {}, translationDomain, 'html') }}
     </option>
 {% endblock %}
 
diff --git a/Resources/views/templates/CommonAdmin/generic_actions.php.twig b/Resources/views/templates/CommonAdmin/generic_actions.php.twig
@@ -52,7 +52,7 @@
                                    data-toggle="modal"
           {% endif %}
             >
-          {%- if action.icon %}<i class="fa fa-fw {{ action.icon|default }}"></i> {% endif %}{{ echo_trans(action.label, {}, translationDomain) }}
+          {%- if action.icon %}<i class="fa fa-fw {{ action.icon|default }}"></i> {% endif %}{{ echo_trans(action.label, {}, translationDomain, 'html') }}
         </button>
     {% else %}
         <a class="generic-action btn {{ action.class|default('btn-default') }}" href="{{ echo_path(actionRoute, actionParams) }}"
@@ -61,7 +61,7 @@
                                    data-toggle="modal"
           {% endif %}
           {%- if action.csrfProtected %} data-csrf-token="{{ echo_path(actionRoute, actionParams, ['csrf_token']) }}" {% endif -%}>
-          {%- if action.icon %}<i class="fa fa-fw {{ action.icon|default }}"></i> {% endif %}{{ echo_trans(action.label, {}, translationDomain) }}
+          {%- if action.icon %}<i class="fa fa-fw {{ action.icon|default }}"></i> {% endif %}{{ echo_trans(action.label, {}, translationDomain, 'html') }}
         </a>
     {% endif %}
 {% endblock %}
@@ -80,7 +80,7 @@
               <li><a class="generic-action btn {{ action.class|default('btn-default') }}" href="{{ echo_path(actionRoute, actionParams) }}"
           {%- if action.confirm %} data-confirm="{{ echo_trans(action.confirm, {}, translationDomain, 'html_attr') }}"{% endif %}
           {%- if action.csrfProtected %} data-csrf-token="{{ echo_path(actionRoute, actionParams, ['csrf_token']) }}" {% endif -%}>
-          {%- if action.icon %}<i class="fa fa-fw {{ action.icon|default }}"></i> {% endif %}{{ echo_trans(action.label, {}, translationDomain) }}</a></li>
+          {%- if action.icon %}<i class="fa fa-fw {{ action.icon|default }}"></i> {% endif %}{{ echo_trans(action.label, {}, translationDomain, 'html') }}</a></li>
     
     {% for keyName, eaction in excelActions %}
 
@@ -90,7 +90,7 @@
 
         <li><a class="generic-action btn {{ eaction.class|default('btn-default') }}" href="{{ echo_path(actionRoute, echo_twig_assoc({ key: keyName })) }}"
           {%- if action.confirm %} data-confirm="{{ echo_trans(action.confirm, {}, translationDomain, 'html_attr') }}"{% endif -%}>
-          {%- if eaction.icon %}<i class="fa fa-fw {{ eaction.icon|default }}"></i> {% endif %}{{ echo_trans(eaction.label, {}, translationDomain) }}
+          {%- if eaction.icon %}<i class="fa fa-fw {{ eaction.icon|default }}"></i> {% endif %}{{ echo_trans(eaction.label, {}, translationDomain, 'html') }}
         </a></li>
 
       {% if eaction.credentials %}
diff --git a/Resources/views/templates/CommonAdmin/object_actions.php.twig b/Resources/views/templates/CommonAdmin/object_actions.php.twig
@@ -45,7 +45,7 @@
                 {% endif -%}
                 {%- if action.csrfProtected and not action.forceIntermediate %} data-csrf-token="{{ echo_path(actionRoute, actionParams, ['csrf_token']) }}" {% endif -%}>
             <i class="fa fa-fw {{ action.icon|default('fa-square fa-regular') }}"></i>
-            <span>{{ echo_trans(action.label, {}, translationDomain) }}</span>
+            <span>{{ echo_trans(action.label, {}, translationDomain, 'html') }}</span>
         </a>
         {{ echo_endspaceless() }}
     {% endapply %}
diff --git a/Resources/views/templates/CommonAdmin/tabs.php.twig b/Resources/views/templates/CommonAdmin/tabs.php.twig
@@ -20,7 +20,7 @@
                                 <li>
                                     <a data-toggle="tab" href="#"
                                        data-target="{%- for fieldsetName,fieldset in tab -%}{{ '.tab-pane-model-'~fieldsetName|classify|replace({'.': '-'}) }}{%if not loop.last%},{% endif %}{% endfor %}">
-                                        {{ echo_trans(name, {}, i18n_catalog|default("Admin") ) }}
+                                        {{ echo_trans(name, {}, i18n_catalog|default("Admin"), 'html' ) }}
                                     </a>
                                 </li>
                             {% if tabCredentials is not empty %}
diff --git a/Resources/views/templates/CommonAdmin/title.php.twig b/Resources/views/templates/CommonAdmin/title.php.twig
@@ -1,11 +1,11 @@
 {% block page_title %}
     {{ echo_block("page_header_content") }}
-        <h1>{% if title|default is not empty %}{{ echo_trans(title, {}, i18n_catalog|default("Admin") ) }}{% endif %}</h1>
+        <h1>{% if title|default is not empty %}{{ echo_trans(title, {}, i18n_catalog|default("Admin"), 'html' ) }}{% endif %}</h1>
     {{ echo_endblock() }}
 {% endblock %}
 
 {% block site_title %}
     {{ echo_block("title") }}
-        {{ echo_twig('parent()') }} - {% if title|default is not empty %}{{ echo_trans(title, {}, i18n_catalog|default("Admin") ) }}{% endif %}
+        {{ echo_twig('parent()') }} - {% if title|default is not empty %}{{ echo_trans(title, {}, i18n_catalog|default("Admin"), 'html' ) }}{% endif %}
     {{ echo_endblock() }}
 {% endblock %}

Original file line number	Diff line number	Diff line change
`@@ -46,7 +46,7 @@`
`46`	`46`	`{% endif -%}`
`47`	`47`	`>`
`48`	`48`	`{% if action.icon %}<i class="{% if action.icon is defined and action.icon\|length > 0 %}fa {{ action.icon }}{% endif %}"></i> {% endif %}`
`49`		`- {{ echo_trans(action.label, {}, translationDomain) }}`
	`49`	`+ {{ echo_trans(action.label, {}, translationDomain, 'html') }}`
`50`	`50`	`</option>`
`51`	`51`	`{% endblock %}`
`52`	`52`