<?phpdeclare(strict_types=1);namespace SpringerNature\CPS\AMEDReviewTracker\Web\Listener;use Symfony\Component\HttpKernel\Event\RequestEvent;/** * Kernel Listener that removes the Easy Admin 'referer' parameter if it is not a valid Easy Admin path. * The `referer` parameter is vulnerable to XSS injection. * * Note: This is not meant as a permanent solution, rather serves as a stopgap. */class EasyAdminRefererListener{ public const HTTP_PARAMETER_REFERER = 'referer'; private const EASY_ADMIN_ROOT_PATH = '/admin/management/'; public function onKernelRequest(RequestEvent $e): void { if ($e->getRequest()->query->has(self::HTTP_PARAMETER_REFERER)) { $referer = urldecode($e->getRequest()->query->get(self::HTTP_PARAMETER_REFERER)); if ((0 !== strpos($referer, self::EASY_ADMIN_ROOT_PATH)) || filter_var($referer, FILTER_VALIDATE_URL)) { $e->getRequest()->query->remove(self::HTTP_PARAMETER_REFERER); return; } $e->getRequest()->query->set(self::HTTP_PARAMETER_REFERER, filter_var($referer, FILTER_SANITIZE_ENCODED)); } }}