From f7d209264668d2f0e3d87fe1b26c1d996a788828 Mon Sep 17 00:00:00 2001 From: Seamus Lee Date: Tue, 12 May 2020 15:07:32 +1000 Subject: [PATCH] security/core#74 Prevent CSRF in CKEditor Config screen by switching to using Quickform built form --- CRM/Admin/{Page => Form}/CKEditorConfig.php | 13 ++++--------- CRM/Core/Resources.php | 4 ++-- CRM/Core/xml/Menu/Admin.xml | 2 +- js/wysiwyg/admin.ckeditor-configurator.js | 4 ++-- .../CRM/Admin/{Page => Form}/CKEditorConfig.tpl | 0 5 files changed, 9 insertions(+), 14 deletions(-) rename CRM/Admin/{Page => Form}/CKEditorConfig.php (95%) rename templates/CRM/Admin/{Page => Form}/CKEditorConfig.tpl (100%) diff --git a/CRM/Admin/Page/CKEditorConfig.php b/CRM/Admin/Form/CKEditorConfig.php similarity index 95% rename from CRM/Admin/Page/CKEditorConfig.php rename to CRM/Admin/Form/CKEditorConfig.php index fb42b9e7b5..92180dbb4c 100644 --- a/CRM/Admin/Page/CKEditorConfig.php +++ b/CRM/Admin/Form/CKEditorConfig.php @@ -16,13 +16,9 @@ */ /** - * Page for configuring CKEditor options. - * - * Note that while this is implemented as a CRM_Core_Page, it is actually a form. - * Because the form needs to be submitted and refreshed via javascript, it seemed like - * Quickform and CRM_Core_Form/Controller might get in the way. + * Form for configuring CKEditor options. */ -class CRM_Admin_Page_CKEditorConfig extends CRM_Core_Page { +class CRM_Admin_Form_CKEditorConfig extends CRM_Core_Form { const CONFIG_FILEPATH = '[civicrm.files]/persist/crm-ckeditor-'; @@ -52,9 +48,8 @@ class CRM_Admin_Page_CKEditorConfig extends CRM_Core_Page { * * @return string */ - public function run() { + public function preProcess() { $this->preset = CRM_Utils_Array::value('preset', $_REQUEST, 'default'); - // If the form was submitted, take appropriate action. if (!empty($_POST['revert'])) { self::deleteConfigFile($this->preset); @@ -97,7 +92,7 @@ class CRM_Admin_Page_CKEditorConfig extends CRM_Core_Page { ], ]); - return parent::run(); + return parent::preProcess(); } /** diff --git a/CRM/Core/Resources.php b/CRM/Core/Resources.php index 40dd3b0978..0fdc57cf21 100644 --- a/CRM/Core/Resources.php +++ b/CRM/Core/Resources.php @@ -760,11 +760,11 @@ class CRM_Core_Resources { // add wysiwyg editor $editor = Civi::settings()->get('editor_id'); if ($editor == "CKEditor") { - CRM_Admin_Page_CKEditorConfig::setConfigDefault(); + CRM_Admin_Form_CKEditorConfig::setConfigDefault(); $items[] = [ 'config' => [ 'wysisygScriptLocation' => Civi::paths()->getUrl("[civicrm.root]/js/wysiwyg/crm.ckeditor.js"), - 'CKEditorCustomConfig' => CRM_Admin_Page_CKEditorConfig::getConfigUrl(), + 'CKEditorCustomConfig' => CRM_Admin_Form_CKEditorConfig::getConfigUrl(), ], ]; } diff --git a/CRM/Core/xml/Menu/Admin.xml b/CRM/Core/xml/Menu/Admin.xml index acf56251f1..20b52451cc 100644 --- a/CRM/Core/xml/Menu/Admin.xml +++ b/CRM/Core/xml/Menu/Admin.xml @@ -670,7 +670,7 @@ civicrm/admin/ckeditor Configure CKEditor - CRM_Admin_Page_CKEditorConfig + CRM_Admin_Form_CKEditorConfig administer CiviCRM diff --git a/js/wysiwyg/admin.ckeditor-configurator.js b/js/wysiwyg/admin.ckeditor-configurator.js index 6c44806754..00d1372e6a 100644 --- a/js/wysiwyg/admin.ckeditor-configurator.js +++ b/js/wysiwyg/admin.ckeditor-configurator.js @@ -109,7 +109,7 @@ var selectorOpen = false, changedWhileOpen = false; - $('#toolbarModifierForm') + $('#CKEditorConfig') .on('submit', function(e) { $('.toolbar button:last', '#toolbarModifierWrapper')[0].click(); $('.configContainer textarea', '#toolbarModifierWrapper').attr('name', 'config'); @@ -117,7 +117,7 @@ .on('change', '.config-param', function(e) { changedWhileOpen = true; if (!selectorOpen) { - $('#toolbarModifierForm').submit().block(); + $('#CKEditorConfig').submit().block(); } }) .on('change', 'input.crm-config-option-name', changeOptionName) diff --git a/templates/CRM/Admin/Page/CKEditorConfig.tpl b/templates/CRM/Admin/Form/CKEditorConfig.tpl similarity index 100% rename from templates/CRM/Admin/Page/CKEditorConfig.tpl rename to templates/CRM/Admin/Form/CKEditorConfig.tpl -- 2.25.1