Merged
10 changes: 10 additions & 0 deletions CHANGELOG.md
@@ -1,5 +1,15 @@
# REDAXO consent_manager - Changelog

## Version 5.3.3 - 29.01.2026

- **Fix:** JSON Parsing Fehler im Frontend behoben (`double-escaping` von HTML-Attributen entfernt), was zu Fehlern beim Laden der Cookie-Gruppen führte (`safeJSONParse failed`).

- **Fix:** Fehler beim Laden von Framework-Templates behoben (`Call to undefined method rex_fragment::subparse()`).
- **Security:** XSS-Schwachstelle in `consent_manager_outputjs` behoben (Input-Sanitizing für `cid` und `v` Parameter).
- **Security:** Schutz vor Host-Header Injection im Frontend-Output.
- **Fix:** JavaScript Syntax-Fehler durch verbessertes Template-Escaping behoben (`json_encode` statt string replace).
- **Fix:** Google Consent Mode v2 Script auf ES5 Syntax aktualisiert (SyntaxError Fix für ältere Umgebungen).

## Version 5.3.0 - 28.01.2026

**🚀 Release-Highlights:**
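Review bot: the entry "Schutz vor Host-Header Injection im Frontend-Output" is not backed by any hunk in this diff: `'domain' => Utility::hostname()` in lib/Frontend.php is unchanged and no change to Utility appears in the file list, so either link the commit that hardens hostname() or reword the entry to what this PR actually does (JSON_HEX_* encoding of the parameters, which stops the value from breaking out of the JS string but does not change where it comes from). Separately, package.yml bumps 5.3.2 to 5.3.3 while the changelog goes from 5.3.0 straight to 5.3.3; add the 5.3.1 and 5.3.2 entries or note that those versions were never released.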
100 changes: 0 additions & 100 deletions Namespace-Guide.md

This file was deleted.

Empty file added assets/consent_cookie_helper.js
Empty file.
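Review bot: assets/consent_cookie_helper.js is committed as an empty file and nothing else in this diff references it or mentions it in the changelog; either drop it until it has content or add a line saying what it is for, so the next release does not ship a zero-byte asset nobody can account for.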
2 changes: 1 addition & 1 deletion fragments/ConsentManager/box.php
@@ -22,7 +22,7 @@
// Check for CSS Framework Mode
$cssFrameworkMode = rex_addon::get('consent_manager')->getConfig('css_framework_mode');
if ($cssFrameworkMode) {
echo $this->subparse('ConsentManager/box_' . $cssFrameworkMode . '.php');
echo $this->parse('ConsentManager/box_' . $cssFrameworkMode . '.php');
return;
}
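Review bot: `$cssFrameworkMode` is read from addon config and concatenated straight into the fragment path handed to `parse()`; since this value selects a file to include, validate it against the known framework names (an `in_array()` check before the concatenation) instead of trusting whatever is stored in config. Also confirm `parse()` is the intended replacement for the undefined `subparse()`: calling it on the same rex_fragment instance re-enters that instance with whatever `$this->vars` already holds, so if a nested fragment with its own parameters was meant, check whether rex_fragment provides a dedicated sub-fragment method that carries the parent's variables down.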

27 changes: 10 additions & 17 deletions lib/Frontend.php
@@ -259,17 +259,20 @@ public function outputJavascript(): never
/** @phpstan-ignore-next-line */
$boxtemplate = sprogdown($boxtemplate, $clang);
}
$boxtemplate = str_replace("'", "\\'", $boxtemplate);
$boxtemplate = str_replace("\r", '', $boxtemplate);
$boxtemplate = str_replace("\n", ' ', $boxtemplate);
Comment on lines 262 to 263
Copilot AI Jan 29, 2026

The newline and carriage return replacements (lines 262-263) are now redundant since json_encode will properly handle these characters. The getJS() method correctly removed these lines, but outputJavascript() still includes them. While not harmful, these lines should be removed for consistency with the getJS() method and to avoid unnecessary processing since json_encode already handles newlines correctly.

Suggested change
$boxtemplate = str_replace("\r", '', $boxtemplate);
$boxtemplate = str_replace("\n", ' ', $boxtemplate);


echo '/* --- Parameters --- */' . PHP_EOL;
// Sanitize input parameters to prevent XSS
$cacheLogId = preg_replace('/[^a-zA-Z0-9_\-]/', '', rex_request::get('cid', 'string', ''));
$version = preg_replace('/[^0-9.]/', '', rex_request::get('v', 'string', ''));

$consent_manager_parameters = [
'initially_hidden' => 'true' === rex_request::get('i', 'string', 'false'),
'domain' => Utility::hostname(),
'consentid' => uniqid('', true),
'cachelogid' => rex_request::get('cid', 'string', ''),
'version' => rex_request::get('v', 'string', ''),
'cachelogid' => $cacheLogId,
'version' => $version,
'fe_controller' => rex_url::frontend(),
'forcereload' => rex_request::get('r', 'int', 0),
'hidebodyscrollbar' => 'true' === rex_request::get('h', 'string', 'false'),
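Review bot: the two preg_replace() allow-lists for `cid` and `v` are defence in depth rather than the fix itself: both values still land inside an inline script body, and the filter only guarantees that `cid` carries no `<`, `/` or quote characters at all, while the json_encode() flag set added further down is the layer that actually encodes whatever survives. Keep the two together and say so in the `// Sanitize input parameters to prevent XSS` comment, so nobody later relaxes the regex believing it is the only guard. Two further remarks on the same block: `'domain' => Utility::hostname()` is untouched here although the changelog claims host-header protection, so anything that consumes `consent_manager_parameters.domain` still receives whatever hostname() returns unless it validates the Host header elsewhere; and `uniqid('', true)` is time-based and not unguessable, so if `consentid` is ever used as a lookup key to read or modify a stored consent record it should come from random_bytes().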
@@ -278,12 +281,9 @@ public function outputJavascript(): never
'cookieSecure' => (bool) $addon->getConfig('cookie_secure', false),
'cookieName' => $addon->getConfig('cookie_name', 'consentmanager'),
];
echo 'var consent_manager_parameters = ' . json_encode($consent_manager_parameters, JSON_UNESCAPED_SLASHES) . ';' . PHP_EOL . PHP_EOL;
echo 'var consent_manager_parameters = ' . json_encode($consent_manager_parameters, JSON_UNESCAPED_SLASHES | JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_AMP | JSON_HEX_QUOT) . ';' . PHP_EOL . PHP_EOL;
echo '/* --- Consent-Manager Box Template lang=' . $clang . ' --- */' . PHP_EOL;
echo 'var consent_manager_box_template = \'';
// REXSTAN: meldet «Binary operation "." between array<string>|string and '\';' results in an error.»
// Das ist definitiv falsch und eine Fehlinterpretation wegen obigem «$boxtemplate = str_replace(...»
echo $boxtemplate . '\';' . PHP_EOL . PHP_EOL;
echo 'var consent_manager_box_template = ' . json_encode($boxtemplate, JSON_UNESCAPED_SLASHES | JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_AMP | JSON_HEX_QUOT) . ';' . PHP_EOL . PHP_EOL;

$lifespan = $addon->getConfig('lifespan', 365);
if ('' === $lifespan) {
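Review bot: json_encode() returns false when `$boxtemplate` contains invalid UTF-8 (a template saved in a legacy encoding, or sprogdown() output), and the concatenation on the new `var consent_manager_box_template = ` line then silently emits `var consent_manager_box_template = false;`; the old str_replace() path never failed this way. Add JSON_THROW_ON_ERROR (or JSON_INVALID_UTF8_SUBSTITUTE) to the flag set and handle the exception, so a bad template is a visible error rather than a box that turns into a boolean. The JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT combination is the right choice for an inline script: without JSON_HEX_TAG a `</script>` inside the template would end the script element regardless of how quotes are escaped.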
@@ -454,11 +454,6 @@ public static function getJS(): string
$boxtemplate = is_string($sprogResult) ? $sprogResult : $boxtemplate;
}

// Escape for JavaScript
$boxtemplate = str_replace("'", "\\'", $boxtemplate);
$boxtemplate = str_replace("\r", '', $boxtemplate);
$boxtemplate = str_replace("\n", ' ', $boxtemplate);

$output = '';

// Parameters
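Review bot: dropping the `// Escape for JavaScript` block leaves getJS() with no comment saying its output is an inline-script context; since the JSON_HEX_* flags on the json_encode() call below are now the only thing keeping a `</script>` or a quote in the template from escaping the string, put a one-line comment at that call so a later cleanup does not reduce the flags back to JSON_UNESCAPED_SLASHES. Removing the `'` escaping here is correct, because the old `\\'` replacement would have double-escaped once json_encode() took over.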
@@ -477,13 +472,11 @@ public static function getJS(): string
'cookieSecure' => (bool) $addon->getConfig('cookie_secure', false),
'cookieName' => $addon->getConfig('cookie_name', 'consentmanager'),
];
$output .= 'var consent_manager_parameters = ' . json_encode($consent_manager_parameters, JSON_UNESCAPED_SLASHES) . ';' . PHP_EOL . PHP_EOL;
$output .= 'var consent_manager_parameters = ' . json_encode($consent_manager_parameters, JSON_UNESCAPED_SLASHES | JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_AMP | JSON_HEX_QUOT) . ';' . PHP_EOL . PHP_EOL;

// Box template
$output .= '/* --- Consent-Manager Box Template lang=' . $clang . ' --- */' . PHP_EOL;
$output .= 'var consent_manager_box_template = \'';
// $boxtemplate is guaranteed to be string after above checks
$output .= $boxtemplate . '\';' . PHP_EOL . PHP_EOL;
$output .= 'var consent_manager_box_template = ' . json_encode($boxtemplate, JSON_UNESCAPED_SLASHES | JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_AMP | JSON_HEX_QUOT) . ';' . PHP_EOL . PHP_EOL;

// Cookie expiration
$lifespan = $addon->getConfig('lifespan', 365);
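Review bot: the start of the `$consent_manager_parameters` array in getJS() is collapsed in this view, so it is not visible whether `cachelogid` and `version` here receive the same preg_replace() allow-list that outputJavascript() now applies at -259; if they do not, getJS() remains the permissive path for the `cid` and `v` parameters. Either way, both methods now repeat the same json_encode() flag set and the same template pipeline, so a small shared helper (one constant for the flags, one function that encodes a value for inline-script embedding) would keep them from drifting apart again, which is exactly how the two already ended up differing on the `\r`/`\n` handling.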
2 changes: 1 addition & 1 deletion package.yml
@@ -1,5 +1,5 @@
package: consent_manager
version: "5.3.2"
version: "5.3.3"
author: "Friends Of REDAXO"
supportpage: https://redaxo.org/support/community/#slack
