security #cve- Change the default title of detail page to avoid XSS i…

…ssues (javiereguiluz)

This PR was squashed before being merged into the 4.x branch.

UPGRADE.md

@@ -1,6 +1,39 @@
 Upgrade between EasyAdmin 4.x versions
 ======================================
 
+EasyAdmin 4.10.0
+----------------
+
+### Updated the Default Title of Detail Page
+
+The default title of the `detail` page in previous versions was `%entity_as_string%`
+which is a placeholder that refers to the value returned by the `__toString()`
+method of the entity.
+
+This can potentially result in a XSS vulnerability because page titles and other
+elements are rendered with the `raw` Twig filter (to allow you to customize the
+contents with HTML tags).
+
+Starting from EasyAdmin 4.10.0, the default page title is `%entity_label_singular% <small>(#%entity_short_id%)</small>`,
+which only contains safe items that will never result in a XSS issue. If you
+want to keep the previous page title (because you don't include user-generated
+contents in `__toString()` or because you sanitize all user-submitted data) you
+can add the following to your dashboard and all your CRUD controllers will use
+that page title:
+
+    class DashboardController extends AbstractDashboardController
+    {
+        // ...
+
+        public function configureCrud(Crud $crud): Crud
+        {
+            return $crud
+                // ...
+                ->setPageTitle('detail', '%entity_as_string%')
+            ;
+        }
+    }
+
 EasyAdmin 4.8.0
 ---------------
 

doc/crud.rst

@@ -176,18 +176,17 @@ You can override the default page titles with the following methods::
     }
 
 EasyAdmin applies the ``raw`` filter to all titles, labels, help messages, etc.
-displayed in templates. This allows you to customize everything with HTML tags
-because they are rendered instead of escaped.
-
-This is generally safe because you are in charge of writing those contents yourself.
-However, in pages like the ``detail`` page, the default title is the string
-representation of the entity (which is the value returned by the ``__toString()``
-method). If you include user-generated contents in that value, your backend (and
-your application in general) will be vulnerable to `XSS attacks`_.
-
-If the string representation of your entity must include those user-generated values,
-make sure to sanitize those contents before storing them in the database. You can
-use the `HtmlSanitizer component`_ from Symfony to do that.
+displayed in templates. This is done to allow you to customize everything with
+HTML tags (because those tags will be rendered instead of escaped).
+
+That's why the default page titles used by EasyAdmin only include safe contents
+like the entity name and ID. Otherwise, your backend could be vulnerable to
+`XSS attacks`_.
+
+If you change the default page title to include the placeholder ``%entity_as_string%``,
+check that you don't include user-created contents in the value returned by the
+``__toString()`` method of the related entity. If you can't avoid that, make sure
+to sanitize any user submitted data with the Symfony `HtmlSanitizer component`_.
 
 .. _crud-date-time-number-format-options:
 

src/Resources/translations/EasyAdminBundle.ar.php

@@ -3,7 +3,7 @@
 return [
     'page_title' => [
         'dashboard' => 'لوحة التحكم',
-        'detail' => '%entity_as_string%',
+        'detail' => '%entity_label_singular% <small>(#%entity_short_id%)</small>',
         'edit' => '%entity_label_singular% تعديل',
         'index' => '%entity_label_plural%',
         'new' => '"%entity_label_singular%" جديد',

src/Resources/translations/EasyAdminBundle.bg.php

@@ -3,7 +3,7 @@
 return [
     'page_title' => [
         'dashboard' => 'Табло',
-        'detail' => '%entity_as_string%',
+        'detail' => '%entity_label_singular% <small>(#%entity_short_id%)</small>',
         'edit' => 'Редактиране на %entity_label_singular%',
         'index' => '%entity_label_plural%',
         'new' => 'Създаване на %entity_label_singular%',

src/Resources/translations/EasyAdminBundle.ca.php

@@ -3,7 +3,7 @@
 return [
     'page_title' => [
         'dashboard' => 'Tauler de control',
-        'detail' => '%entity_as_string%',
+        'detail' => '%entity_label_singular% <small>(#%entity_short_id%)</small>',
         'edit' => 'Modificar %entity_label_singular%',
         'index' => '%entity_label_plural%',
         'new' => 'Crear %entity_label_singular%',

src/Resources/translations/EasyAdminBundle.cs.php

@@ -3,7 +3,7 @@
 return [
     'page_title' => [
         'dashboard' => 'Úvod',
-        'detail' => '%entity_as_string%',
+        'detail' => '%entity_label_singular% <small>(#%entity_short_id%)</small>',
         'edit' => 'Editovat %entity_label_singular%',
         'index' => '%entity_label_plural%',
         'new' => 'Vytvořit %entity_label_singular%',

src/Resources/translations/EasyAdminBundle.da.php

@@ -3,7 +3,7 @@
 return [
     'page_title' => [
         'dashboard' => 'Dashboard',
-        'detail' => '%entity_as_string%',
+        'detail' => '%entity_label_singular% <small>(#%entity_short_id%)</small>',
         'edit' => 'Ret %entity_label_singular%',
         'index' => '%entity_label_plural%',
         'new' => 'Opret %entity_label_singular%',

src/Resources/translations/EasyAdminBundle.de.php

@@ -3,7 +3,7 @@
 return [
     'page_title' => [
         'dashboard' => 'Dashboard',
-        'detail' => '%entity_as_string%',
+        'detail' => '%entity_label_singular% <small>(#%entity_short_id%)</small>',
         'edit' => '%entity_label_singular% bearbeiten',
         'index' => '%entity_label_plural%',
         'new' => '%entity_label_singular% erstellen',

src/Resources/translations/EasyAdminBundle.el.php

@@ -3,7 +3,7 @@
 return [
     'page_title' => [
         'dashboard' => 'Πίνακας ελέγχου',
-        'detail' => '%entity_as_string%',
+        'detail' => '%entity_label_singular% <small>(#%entity_short_id%)</small>',
         'edit' => 'Επεξεργασία %entity_label_singular%',
         'index' => '%entity_label_plural%',
         'new' => 'Δημιουργία %entity_label_singular%',

src/Resources/translations/EasyAdminBundle.en.php

@@ -3,7 +3,7 @@
 return [
     'page_title' => [
         'dashboard' => 'Dashboard',
-        'detail' => '%entity_as_string%',
+        'detail' => '%entity_label_singular% <small>(#%entity_short_id%)</small>',
         'edit' => 'Edit %entity_label_singular%',
         'index' => '%entity_label_plural%',
         'new' => 'Create %entity_label_singular%',

src/Resources/translations/EasyAdminBundle.es.php

@@ -3,7 +3,7 @@
 return [
     'page_title' => [
         'dashboard' => 'Inicio',
-        'detail' => '%entity_as_string%',
+        'detail' => '%entity_label_singular% <small>(#%entity_short_id%)</small>',
         'edit' => 'Modificar %entity_label_singular%',
         'index' => '%entity_label_plural%',
         'new' => 'Crear %entity_label_singular%',

src/Resources/translations/EasyAdminBundle.eu.php

@@ -3,7 +3,7 @@
 return [
     'page_title' => [
         'dashboard' => 'Hasiera',
-        'detail' => '%entity_as_string%',
+        'detail' => '%entity_label_singular% <small>(#%entity_short_id%)</small>',
         'edit' => '%entity_label_singular% aldatu',
         'index' => '%entity_label_plural%',
         'new' => '%entity_label_singular%-a sortu',

src/Resources/translations/EasyAdminBundle.fa.php

@@ -3,7 +3,7 @@
 return [
     'page_title' => [
         'dashboard' => 'داشبورد',
-        'detail' => '%entity_as_string%',
+        'detail' => '%entity_label_singular% <small>(#%entity_short_id%)</small>',
         'edit' => 'ویرایش %entity_label_singular%',
         'index' => '%entity_label_plural%',
         'new' => 'ایجاد %entity_label_singular%',

src/Resources/translations/EasyAdminBundle.fi.php

@@ -3,7 +3,7 @@
 return [
     'page_title' => [
         // 'dashboard' => '',
-        'detail' => '%entity_as_string%',
+        'detail' => '%entity_label_singular% <small>(#%entity_short_id%)</small>',
         'edit' => 'Muokkaa %entity_label_singular%',
         'index' => '%entity_label_plural%',
         'new' => 'Luo uusi %entity_label_singular%',

src/Resources/translations/EasyAdminBundle.fr.php

@@ -3,7 +3,7 @@
 return [
     'page_title' => [
         'dashboard' => 'Tableau de bord',
-        'detail' => '%entity_as_string%',
+        'detail' => '%entity_label_singular% <small>(#%entity_short_id%)</small>',
         'edit' => 'Modifier %entity_label_singular%',
         'index' => '%entity_label_plural%',
         'new' => 'Créer "%entity_label_singular%"',

src/Resources/translations/EasyAdminBundle.gl.php

@@ -3,7 +3,7 @@
 return [
     'page_title' => [
         // 'dashboard' => '',
-        'detail' => '%entity_as_string%',
+        'detail' => '%entity_label_singular% <small>(#%entity_short_id%)</small>',
         'edit' => 'Modificar %entity_label_singular%',
         'index' => '%entity_label_plural%',
         'new' => 'Crear %entity_label_singular%',

src/Resources/translations/EasyAdminBundle.he.php

@@ -3,7 +3,7 @@
 return [
     'page_title' => [
         'dashboard' => 'לוח בקרה',
-        'detail' => '%entity_as_string%',
+        'detail' => '%entity_label_singular% <small>(#%entity_short_id%)</small>',
         'edit' => 'עריכת %entity_label_singular%',
         'index' => '%entity_label_plural%',
         'new' => 'יצירת %entity_label_singular%',

src/Resources/translations/EasyAdminBundle.hr.php

@@ -3,7 +3,7 @@
 return [
     'page_title' => [
         // 'dashboard' => '',
-        'detail' => '%entity_as_string%',
+        'detail' => '%entity_label_singular% <small>(#%entity_short_id%)</small>',
         'edit' => 'Uredi %entity_label_singular%',
         'index' => '%entity_label_plural%',
         'new' => 'Izradi %entity_label_singular%',

src/Resources/translations/EasyAdminBundle.hu.php

@@ -3,7 +3,7 @@
 return [
     'page_title' => [
         'dashboard' => 'Vezérlőpult',
-        'detail' => '%entity_as_string%',
+        'detail' => '%entity_label_singular% <small>(#%entity_short_id%)</small>',
         'edit' => '%entity_label_singular% szerkesztése',
         'index' => '%entity_label_plural%',
         'new' => 'Új %entity_label_singular% létrehozása',

src/Resources/translations/EasyAdminBundle.hy.php

@@ -3,7 +3,7 @@
 return [
     'page_title' => [
         'dashboard' => 'Վահանակ',
-        'detail' => '%entity_as_string%',
+        'detail' => '%entity_label_singular% <small>(#%entity_short_id%)</small>',
         'edit' => '%entity_label_singular%',
         'index' => '%entity_label_plural%',
         'new' => 'Ստեղծել նոր %entity_label_singular%',

src/Resources/translations/EasyAdminBundle.id.php

@@ -3,7 +3,7 @@
 return [
     'page_title' => [
         'dashboard' => 'Dasbor',
-        'detail' => '%entity_as_string%',
+        'detail' => '%entity_label_singular% <small>(#%entity_short_id%)</small>',
         'edit' => 'Sunting %entity_label_singular%',
         'index' => '%entity_label_plural%',
         'new' => 'Buat %entity_label_singular%',

src/Resources/translations/EasyAdminBundle.it.php

@@ -3,7 +3,7 @@
 return [
     'page_title' => [
         // 'dashboard' => '',
-        'detail' => '%entity_as_string%',
+        'detail' => '%entity_label_singular% <small>(#%entity_short_id%)</small>',
         'edit' => 'Modifica %entity_label_singular%',
         'index' => '%entity_label_plural%',
         'new' => 'Crea %entity_label_singular%',

src/Resources/translations/EasyAdminBundle.lb.php

@@ -3,7 +3,7 @@
 return [
     'page_title' => [
         'dashboard' => 'Tableau de bord',
-        'detail' => '%entity_as_string%',
+        'detail' => '%entity_label_singular% <small>(#%entity_short_id%)</small>',
         'edit' => '%entity_label_singular% beaarbechten',
         'index' => '%entity_label_plural%',
         'new' => '%entity_label_singular% erstellen',

src/Resources/translations/EasyAdminBundle.lt.php

@@ -3,7 +3,7 @@
 return [
     'page_title' => [
         'dashboard' => 'Skydelis',
-        'detail' => '%entity_as_string%',
+        'detail' => '%entity_label_singular% <small>(#%entity_short_id%)</small>',
         'edit' => 'Redaguoti %entity_label_singular%',
         'index' => '%entity_label_plural%',
         'new' => 'Sukurti %entity_label_singular%',

src/Resources/translations/EasyAdminBundle.mk.php

@@ -3,7 +3,7 @@
 return [
     'page_title' => [
         'dashboard' => 'Контролна табла',
-        'detail' => '%entity_as_string%',
+        'detail' => '%entity_label_singular% <small>(#%entity_short_id%)</small>',
         'edit' => 'Уреди %entity_label_singular%',
         'index' => '%entity_label_plural%',
         'new' => 'Креирај %entity_label_singular%',

src/Resources/translations/EasyAdminBundle.nl.php

@@ -3,7 +3,7 @@
 return [
     'page_title' => [
         'dashboard' => 'Dashboard',
-        'detail' => '%entity_as_string%',
+        'detail' => '%entity_label_singular% <small>(#%entity_short_id%)</small>',
         'edit' => '%entity_label_singular%',
         'index' => '%entity_label_plural%',
         'new' => 'Maak nieuw(e) %entity_label_singular%',

src/Resources/translations/EasyAdminBundle.no.php

@@ -3,7 +3,7 @@
 return [
     'page_title' => [
         'dashboard' => 'Forsiden',
-        'detail' => '%entity_as_string%',
+        'detail' => '%entity_label_singular% <small>(#%entity_short_id%)</small>',
         'edit' => 'Rediger %entity_label_singular%',
         'index' => '%entity_label_plural%',
         'new' => 'Opprett %entity_label_singular%',

src/Resources/translations/EasyAdminBundle.pl.php

@@ -3,7 +3,7 @@
 return [
     'page_title' => [
         // 'dashboard' => '',
-        'detail' => '%entity_as_string%',
+        'detail' => '%entity_label_singular% <small>(#%entity_short_id%)</small>',
         'edit' => '%entity_label_singular%',
         'index' => '%entity_label_plural%',
         'new' => 'Dodaj nowy %entity_label_singular%',

src/Resources/translations/EasyAdminBundle.pt.php

@@ -3,7 +3,7 @@
 return [
     'page_title' => [
         'dashboard' => 'Painel de Controlo',
-        'detail' => '%entity_as_string%',
+        'detail' => '%entity_label_singular% <small>(#%entity_short_id%)</small>',
         'edit' => 'Editar %entity_label_singular%',
         'index' => '%entity_label_plural%',
         'new' => 'Criar %entity_label_singular%',

src/Resources/translations/EasyAdminBundle.pt_BR.php

@@ -3,7 +3,7 @@
 return [
     'page_title' => [
         'dashboard' => 'Painel de Controle',
-        'detail' => '%entity_as_string%',
+        'detail' => '%entity_label_singular% <small>(#%entity_short_id%)</small>',
         'edit' => 'Editar %entity_label_singular%',
         'index' => '%entity_label_plural%',
         'new' => 'Adicionar %entity_label_singular%',

src/Resources/translations/EasyAdminBundle.ro.php

@@ -3,7 +3,7 @@
 return [
     'page_title' => [
         'dashboard' => 'Tablou de bord',
-        'detail' => '%entity_as_string%',
+        'detail' => '%entity_label_singular% <small>(#%entity_short_id%)</small>',
         'edit' => 'Editează %entity_label_singular%',
         'index' => '%entity_label_plural%',
         'new' => 'Creează %entity_label_singular%',

src/Resources/translations/EasyAdminBundle.ru.php

@@ -3,7 +3,7 @@
 return [
     'page_title' => [
         'dashboard' => 'Дашборд',
-        'detail' => '%entity_as_string%',
+        'detail' => '%entity_label_singular% <small>(#%entity_short_id%)</small>',
         'edit' => '%entity_label_singular%',
         'index' => '%entity_label_plural%',
         'new' => 'Создать новый %entity_label_singular%',

src/Resources/translations/EasyAdminBundle.sk.php

@@ -3,7 +3,7 @@
 return [
     'page_title' => [
         'dashboard' => 'Úvod',
-        'detail' => '%entity_as_string%',
+        'detail' => '%entity_label_singular% <small>(#%entity_short_id%)</small>',
         'edit' => 'Upraviť %entity_label_singular%',
         'index' => '%entity_label_plural%',
         'new' => 'Vytvoriť %entity_label_singular%',

src/Resources/translations/EasyAdminBundle.sl.php

@@ -3,7 +3,7 @@
 return [
     'page_title' => [
         'dashboard' => 'Nadzorna plošča',
-        'detail' => '%entity_as_string%',
+        'detail' => '%entity_label_singular% <small>(#%entity_short_id%)</small>',
         'edit' => '%entity_label_singular%',
         'index' => '%entity_label_plural%',
         'new' => 'Dodaj %entity_label_singular%',

src/Resources/translations/EasyAdminBundle.sr_RS.php

@@ -3,7 +3,7 @@
 return [
     'page_title' => [
         'dashboard' => 'Kontrolna tabla',
-        'detail' => '%entity_as_string%',
+        'detail' => '%entity_label_singular% <small>(#%entity_short_id%)</small>',
         'edit' => 'Izmena %entity_label_singular%',
         'index' => '%entity_label_plural%',
         'new' => 'Novi %entity_label_singular%',

src/Resources/translations/EasyAdminBundle.sv.php

@@ -3,7 +3,7 @@
 return [
     'page_title' => [
         // 'dashboard' => '',
-        'detail' => '%entity_as_string%',
+        'detail' => '%entity_label_singular% <small>(#%entity_short_id%)</small>',
         'edit' => '%entity_label_singular%',
         'index' => '%entity_label_plural%',
         'new' => 'Create new %entity_label_singular%',

src/Resources/translations/EasyAdminBundle.tr.php

@@ -3,7 +3,7 @@
 return [
     'page_title' => [
         'dashboard' => 'Kontrol Paneli',
-        'detail' => '%entity_as_string%',
+        'detail' => '%entity_label_singular% <small>(#%entity_short_id%)</small>',
         'edit' => '%entity_label_singular% Düzenle',
         'index' => '%entity_label_plural%',
         'new' => 'Oluştur : %entity_label_singular%',

src/Resources/translations/EasyAdminBundle.uk.php

@@ -3,7 +3,7 @@
 return [
     'page_title' => [
         'dashboard' => 'Дешборд',
-        'detail' => '%entity_as_string%',
+        'detail' => '%entity_label_singular% <small>(#%entity_short_id%)</small>',
         'edit' => '%entity_label_singular%',
         'index' => '%entity_label_plural%',
         'new' => 'Створити новий %entity_label_singular%',