<?php
declare(strict_types=1);
namespace SpringerNature\CPS\AMEDReviewTracker\Web\Listener;
use Symfony\Component\HttpKernel\Event\RequestEvent;
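/**
 * Kernel listener that drops or re-encodes the EasyAdmin `referer` query parameter.
 *
 * EasyAdmin reflects this parameter back into the response (it is the "return to" location after an
 * action), so an attacker-controlled value is an XSS vector and potentially an open redirect. The
 * policy applied here is deliberately strict:
 *   - a value that is not a plain string (e.g. `?referer[]=x`) is removed;
 *   - a value that does not start with EASY_ADMIN_ROOT_PATH, or that parses as an absolute URL,
 *     is removed — this also rejects protocol-relative `//host/...` forms;
 *   - anything left is percent-encoded with FILTER_SANITIZE_ENCODED before being put back.
 *
 * Note: This is not meant as a permanent solution, rather serves as a stopgap.
 */
class EasyAdminRefererListener
{
    public const HTTP_PARAMETER_REFERER = 'referer';
    private const EASY_ADMIN_ROOT_PATH = '/admin/management/';

    /**
     * Validates and normalises the `referer` query parameter of the incoming request.
     *
     * The request's query bag is mutated in place: the parameter is either removed or replaced by
     * its encoded form. No distinction is made between main and sub-requests.
     *
     * @param RequestEvent $e the kernel request event
     */
    public function onKernelRequest(RequestEvent $e): void
    {
        $query = $e->getRequest()->query;
        if (!$query->has(self::HTTP_PARAMETER_REFERER)) {
            return;
        }

        $raw = $query->get(self::HTTP_PARAMETER_REFERER);
        // Query bags may hand back an array for `?referer[]=...`; passing that to urldecode() under
        // strict_types throws a TypeError, turning a malformed request into a 500. Treat it as
        // invalid and drop it instead.
        if (!is_string($raw)) {
            $query->remove(self::HTTP_PARAMETER_REFERER);
            return;
        }

        // The bag value is already URL-decoded once; decoding again judges a double-encoded value
        // by what it becomes after a second decode. NOTE(review): whether the consumer decodes the
        // parameter a second time is not visible here — keep this in step with EasyAdmin's usage.
        $referer = urldecode($raw);
        if (!self::isAllowedReferer($referer)) {
            $query->remove(self::HTTP_PARAMETER_REFERER);
            return;
        }

        // FILTER_SANITIZE_ENCODED percent-encodes everything except [A-Za-z0-9-._], including '/';
        // the stored value is therefore safe to embed in HTML/attribute context but must be decoded
        // by whoever uses it as a path.
        $query->set(self::HTTP_PARAMETER_REFERER, filter_var($referer, FILTER_SANITIZE_ENCODED));
    }

    /**
     * Returns true when a decoded referer value is a path rooted at the EasyAdmin root path.
     *
     * Exposed as a static so the policy can be unit-tested without booting a kernel.
     *
     * Rejected: anything not starting with EASY_ADMIN_ROOT_PATH (covers absolute URLs, `//host`
     * and bare relative paths) and, as defence in depth, anything filter_var() accepts as a URL.
     * Not normalised: `..` segments are allowed through (`/admin/management/../x`); the result is
     * still same-origin, so this is a UX concern rather than an open redirect.
     *
     * @param string $referer the referer value after URL decoding
     */
    public static function isAllowedReferer(string $referer): bool
    {
        if (0 !== strpos($referer, self::EASY_ADMIN_ROOT_PATH)) {
            return false;
        }

        // A value that starts with '/' cannot carry a scheme, so this is effectively a tripwire for
        // a future change of EASY_ADMIN_ROOT_PATH rather than a live check.
        return false === filter_var($referer, FILTER_VALIDATE_URL);
    }
}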