MC-15311: [Sec] PageBuilder XSS Injection Possible Through Block on HTML Code Content Type For CSS Classes Attribute & in TinyMCE

anthoula · anthoula · commit 722a9e043fd8 · 2019-03-08T08:25:41.000-06:00
- allow spaces in css class field
diff --git a/app/code/Magento/PageBuilder/view/adminhtml/web/js/form/element/validator-rules-mixin.js b/app/code/Magento/PageBuilder/view/adminhtml/web/js/form/element/validator-rules-mixin.js
@@ -58,7 +58,7 @@ define([
      * @return {Boolean}
      */
     function validateCssClass(str) {
-        return (/^[a-zA-Z_\-\d]+$/i).test(str);
+        return (/^[a-zA-Z _\-\d]+$/i).test(str);
     }
 
     /**

Original file line number	Diff line number	Diff line change
`@@ -58,7 +58,7 @@ define([`
`58`	`58`	`* @return {Boolean}`
`59`	`59`	`*/`
`60`	`60`	`function validateCssClass(str) {`
`61`		`- return (/^[a-zA-Z_\-\d]+$/i).test(str);`
	`61`	`+ return (/^[a-zA-Z _\-\d]+$/i).test(str);`
`62`	`62`	`}`
`63`	`63`
`64`	`64`	`/**`