Protect blocking routes from XSS attacks

oveleon · Dec 1, 2021 · 812eb0f · 812eb0f
1 parent 9c83e45
commit 812eb0f
Showing 1 changed file with 11 additions and 2 deletions.
diff --git a/src/Controller/CookiebarController.php b/src/Controller/CookiebarController.php
@@ -12,6 +12,7 @@
 
 use Contao\FrontendTemplate;
 use Contao\System;
+use Contao\Validator;
 use Oveleon\ContaoCookiebar\Cookiebar;
 use Oveleon\ContaoCookiebar\CookieModel;
 use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
@@ -44,9 +45,10 @@ public function __construct(ContaoFramework $framework)
      * @Route("/cookiebar/block/{locale}/{id}", name="cookiebar_block")
      *
      * @param Request $request
-     * @param $id
+     * @param         $id
      *
      * @return Response
+     * @throws \Exception
      */
     public function blockAction(Request $request, $locale, $id)
     {
@@ -61,6 +63,14 @@ public function blockAction(Request $request, $locale, $id)
             return new Response('');
         }
 
+        $strUrl = $request->get('redirect');
+
+        // Protect against XSS attacks
+        if(!Validator::isUrl($strUrl))
+        {
+            throw new \Exception('The redirect destination must be a valid URL.');
+        }
+
         /** @var FrontendTemplate $objTemplate */
         $objTemplate = new FrontendTemplate($objCookie->blockTemplate ?: 'ccb_element_blocker');
 
@@ -71,7 +81,6 @@ public function blockAction(Request $request, $locale, $id)
         $objTemplate->iframeType = $objCookie->iframeType;
         $objTemplate->description = $objCookie->blockDescription;
         $objTemplate->redirect = $request->get('redirect');
-
         $objTemplate->acceptAndDisplayLabel = $GLOBALS['TL_LANG']['tl_cookiebar']['acceptAndDisplayLabel'];
 
         return $objTemplate->getResponse();