Add a csrf check to the Lister bookmarks form and make markup disallowed by default (with optional argument to enable it) in ProcessController ajax notification response generator (as used by some Lister errors).

Co-authored-by: filipaze <filipaze98@gmail.com>
Co-authored-by: rondons <guilhermetamagnini@gmail.com>

wire/core/ProcessController.php

@@ -81,6 +81,7 @@ class ProcessController extends Wire {
 	 *
 	 */
 	public function __construct() {
+		parent::__construct();
 		$this->prefix = 'Process';
 		$this->processMethodName = ''; // blank indicates default/index method
 	}
@@ -463,13 +464,15 @@ class ProcessController extends Wire {
 	 * 
 	 * @param string $msg
 	 * @param bool $error
+	 * @param bool $allowMarkup
 	 * @return string JSON encoded string
 	 *
 	 */
-	public function jsonMessage($msg, $error = false) {
+	public function jsonMessage($msg, $error = false, $allowMarkup = false) {
+		if(!$allowMarkup) $msg = $this->wire()->sanitizer->entities($msg);
 		return json_encode(array(
-			'error' => $error, 
-			'message' => $msg
+			'error' => (bool) $error, 
+			'message' => (string) $msg
 		)); 
 	}
 

wire/modules/Process/ProcessPageLister/ProcessPageListerBookmarks.php

@@ -445,6 +445,7 @@ class ProcessPageListerBookmarks extends Wire {
 
 		$deleteBookmarkID = $this->bookmarks->_bookmarkID($input->post('delete_bookmark'));
 		if($deleteBookmarkID) {
+			$session->CSRF()->validate();
 			if($this->bookmarks->deleteBookmarkByID($deleteBookmarkID)) {
 				$this->message($this->_('Deleted bookmark'));
 			} else {
@@ -455,7 +456,9 @@ class ProcessPageListerBookmarks extends Wire {
 		}
 
 		if($input->post('bookmark_title')) {
-			return $this->executeSaveBookmark();
+			$session->CSRF()->validate();
+			$this->executeSaveBookmark();
+			return '';
 		}
 
 		$bookmarkID = $this->bookmarks->_bookmarkID($input->get('bookmark'));