Fix RVE-2023-1 editor module XSS

2026-01-07 02:31:40 +09:00 · 2023-07-05 01:34:48 +09:00 · 2023-07-05 01:34:48 +09:00 · ed7a0bd4e2
commit ed7a0bd4e2
parent 103f5ce884
2 changed files with 7 additions and 9 deletions
--- a/modules/editor/editor.model.php
+++ b/modules/editor/editor.model.php
@ -208,11 +208,11 @@ class editorModel extends editor
 		// Load editor components.
 		if($option->enable_component)
 		{
-			if(!Context::get('component_list'))
+			Context::set('component_list', self::getComponentList(true));
-			{
+		}
-				$component_list = self::getComponentList(true);
+		else
-				Context::set('component_list', $component_list);
+		{
-			}
+			Context::set('component_list', []);
 		}
 		Context::set('enable_component', $option->enable_component ? true : false);
 		Context::set('enable_default_component', $option->enable_default_component ? true : false);
--- a/modules/editor/skins/ckeditor/editor.html
+++ b/modules/editor/skins/ckeditor/editor.html
@ -143,11 +143,9 @@ var auto_saved_msg = "{$lang->msg_auto_saved}";
 		<!--@if($enable_component)-->
 			{@ $xe_component = array(); }
 			<!--@foreach($component_list as $component_name => $component)-->
-				{@ $xe_component[] = $component_name . ":'" . htmlentities($component->title, ENT_QUOTES, 'UTF-8') . "'"; }
+				{@ $xe_component[$component_name] = escape($component->title, false)}
 			<!--@endforeach-->
-			{@ $xe_component = implode(',', $xe_component); }
+			settings.ckeconfig.xe_component_arrays = {json_encode($xe_component)};
 			settings.ckeconfig.xe_component_arrays = {{$xe_component}};
 		<!--@else-->
 			settings.ckeconfig.xe_component_arrays = {};
 		<!--@endif-->