From 95bdbf76ba0761d7fa1e8a5f8334b790da0a394b Mon Sep 17 00:00:00 2001
From: Ryan Cramer
Date: Mon, 12 Sep 2022 11:24:05 -0400
Subject: [PATCH] Add a csrf check to the Lister bookmarks form and make markup disallowed by default (with optional argument to enable it) in ProcessController ajax notification response generator (as used by some Lister errors).
Co-authored-by: filipaze
Co-authored-by: rondons
---
 wire/core/ProcessController.php | 9 ++++++---
 .../ProcessPageLister/ProcessPageListerBookmarks.php | 5 ++++-
 2 files changed, 10 insertions(+), 4 deletions(-)
diff --git a/wire/core/ProcessController.php b/wire/core/ProcessController.php
index 8a182cd4..94cfebff 100644
--- a/wire/core/ProcessController.php
+++ b/wire/core/ProcessController.php
@@ -81,6 +81,7 @@ class ProcessController extends Wire {
 *
 */
 public function __construct() {
+ parent::__construct();
 $this->prefix = 'Process';
 $this->processMethodName = ''; // blank indicates default/index method
 }
@@ -463,13 +464,15 @@ class ProcessController extends Wire {
 *
 * @param string $msg
 * @param bool $error
+ * @param bool $allowMarkup
 * @return string JSON encoded string
 *
 */
- public function jsonMessage($msg, $error = false) {
+ public function jsonMessage($msg, $error = false, $allowMarkup = false) {
+ if(!$allowMarkup) $msg = $this->wire()->sanitizer->entities($msg);
 return json_encode(array(
- 'error' => $error,
- 'message' => $msg
+ 'error' => (bool) $error,
+ 'message' => (string) $msg
 ));
 }
diff --git a/wire/modules/Process/ProcessPageLister/ProcessPageListerBookmarks.php b/wire/modules/Process/ProcessPageLister/ProcessPageListerBookmarks.php
index 20efa0fd..db2bb0a3 100644
--- a/wire/modules/Process/ProcessPageLister/ProcessPageListerBookmarks.php
+++ b/wire/modules/Process/ProcessPageLister/ProcessPageListerBookmarks.php
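Review bot: In the jsonMessage hunk the new `$allowMarkup` parameter is documented by its type only, while the entity-encoding it controls now applies to every existing caller, so a caller that already entity-encoded its message will get it double-encoded unless it passes `true`; I'd document that contract as `@param bool $allowMarkup Allow HTML markup in $msg? When false (default) $msg is entity-encoded here, so pass true only for text that is already safe to render.` Separately, the `@return string` annotation is not honest on the `$allowMarkup = true` path: `json_encode()` returns `false` rather than a string when `$msg` is not valid UTF-8, and only the encoded path runs the value through the sanitizer first, so a `=== false` check on the json_encode result (or a JSON_* error flag where the supported PHP version allows it) would close that gap. The `__construct` hunk above needs no change.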
@@ -445,6 +445,7 @@ class ProcessPageListerBookmarks extends Wire {
 $deleteBookmarkID = $this->bookmarks->_bookmarkID($input->post('delete_bookmark'));
 if($deleteBookmarkID) {
+ $session->CSRF()->validate();
 if($this->bookmarks->deleteBookmarkByID($deleteBookmarkID)) {
 $this->message($this->_('Deleted bookmark'));
 } else {
@@ -455,7 +456,9 @@ class ProcessPageListerBookmarks extends Wire {
 }
 if($input->post('bookmark_title')) {
- return $this->executeSaveBookmark();
+ $session->CSRF()->validate();
+ $this->executeSaveBookmark();
+ return '';
 }
 $bookmarkID = $this->bookmarks->_bookmarkID($input->get('bookmark'));
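Review bot: Both new `$session->CSRF()->validate()` calls rely on `$session` being assigned earlier in this method, whose start lies outside the hunk, and the reason the check sits inside the two POST branches instead of at the top is not stated; I'd add above the first call `// CSRF token is required only for the state-changing POST actions (delete/save); GET views of the bookmark list carry no token`. validate() appears to signal failure by throwing rather than by a return value this code inspects, so the form that posts `delete_bookmark` and `bookmark_title` has to render the matching token (InputfieldForm does so while its protectCSRF setting is enabled) or legitimate submissions are now rejected; that form is built outside this hunk, so I could not confirm it here. In the second hunk the value executeSaveBookmark() used to return is now discarded in favour of `return '';`, so if that method returns markup (for example a re-rendered form after a failed save) it no longer reaches the caller, which is worth confirming.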