Security fixes / Preview fix (#455)

* security fixes and theme preview

* securit fix replace

* Update CHANGELOG.md

* 5.3.3

* namespace guide entfernt

Author: skerbis

CHANGELOG.md

@@ -1,5 +1,15 @@
 # REDAXO consent_manager - Changelog
 
+## Version 5.3.3 - 29.01.2026
+
+- **Fix:** JSON Parsing Fehler im Frontend behoben (`double-escaping` von HTML-Attributen entfernt), was zu Fehlern beim Laden der Cookie-Gruppen führte (`safeJSONParse failed`).
+
+- **Fix:** Fehler beim Laden von Framework-Templates behoben (`Call to undefined method rex_fragment::subparse()`).
+- **Security:** XSS-Schwachstelle in `consent_manager_outputjs` behoben (Input-Sanitizing für `cid` und `v` Parameter).
+- **Security:** Schutz vor Host-Header Injection im Frontend-Output.
+- **Fix:** JavaScript Syntax-Fehler durch verbessertes Template-Escaping behoben (`json_encode` statt string replace).
+- **Fix:** Google Consent Mode v2 Script auf ES5 Syntax aktualisiert (SyntaxError Fix für ältere Umgebungen).
+
 ## Version 5.3.0 - 28.01.2026
 
 **🚀 Release-Highlights:**  

Namespace-Guide.md

@@ -22,7 +22,7 @@
 // Check for CSS Framework Mode
 $cssFrameworkMode = rex_addon::get('consent_manager')->getConfig('css_framework_mode');
 if ($cssFrameworkMode) {
-    echo $this->subparse('ConsentManager/box_' . $cssFrameworkMode . '.php');
+    echo $this->parse('ConsentManager/box_' . $cssFrameworkMode . '.php');
     return;
 }
 

assets/consent_cookie_helper.js

@@ -259,17 +259,20 @@ public function outputJavascript(): never
             /** @phpstan-ignore-next-line */
             $boxtemplate = sprogdown($boxtemplate, $clang);
         }
-        $boxtemplate = str_replace("'", "\\'", $boxtemplate);
         $boxtemplate = str_replace("\r", '', $boxtemplate);
         $boxtemplate = str_replace("\n", ' ', $boxtemplate);
 
         echo '/* --- Parameters --- */' . PHP_EOL;
+        // Sanitize input parameters to prevent XSS
+        $cacheLogId = preg_replace('/[^a-zA-Z0-9_\-]/', '', rex_request::get('cid', 'string', ''));
+        $version = preg_replace('/[^0-9.]/', '', rex_request::get('v', 'string', ''));
+
         $consent_manager_parameters = [
             'initially_hidden' => 'true' === rex_request::get('i', 'string', 'false'),
             'domain' => Utility::hostname(),
             'consentid' => uniqid('', true),
-            'cachelogid' => rex_request::get('cid', 'string', ''),
-            'version' => rex_request::get('v', 'string', ''),
+            'cachelogid' => $cacheLogId,
+            'version' => $version,
             'fe_controller' => rex_url::frontend(),
             'forcereload' => rex_request::get('r', 'int', 0),
             'hidebodyscrollbar' => 'true' === rex_request::get('h', 'string', 'false'),
@@ -278,12 +281,9 @@ public function outputJavascript(): never
             'cookieSecure' => (bool) $addon->getConfig('cookie_secure', false),
             'cookieName' => $addon->getConfig('cookie_name', 'consentmanager'),
         ];
-        echo 'var consent_manager_parameters = ' . json_encode($consent_manager_parameters, JSON_UNESCAPED_SLASHES) . ';' . PHP_EOL . PHP_EOL;
+        echo 'var consent_manager_parameters = ' . json_encode($consent_manager_parameters, JSON_UNESCAPED_SLASHES | JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_AMP | JSON_HEX_QUOT) . ';' . PHP_EOL . PHP_EOL;
         echo '/* --- Consent-Manager Box Template lang=' . $clang . ' --- */' . PHP_EOL;
-        echo 'var consent_manager_box_template = \'';
-        // REXSTAN: meldet «Binary operation "." between array<string>|string and '\';' results in an error.»
-        // Das ist definitiv falsch und eine Fehlinterpretation wegen obigem «$boxtemplate = str_replace(...»
-        echo $boxtemplate . '\';' . PHP_EOL . PHP_EOL;
+        echo 'var consent_manager_box_template = ' . json_encode($boxtemplate, JSON_UNESCAPED_SLASHES | JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_AMP | JSON_HEX_QUOT) . ';' . PHP_EOL . PHP_EOL;
 
         $lifespan = $addon->getConfig('lifespan', 365);
         if ('' === $lifespan) {
@@ -454,11 +454,6 @@ public static function getJS(): string
             $boxtemplate = is_string($sprogResult) ? $sprogResult : $boxtemplate;
         }
 
-        // Escape for JavaScript
-        $boxtemplate = str_replace("'", "\\'", $boxtemplate);
-        $boxtemplate = str_replace("\r", '', $boxtemplate);
-        $boxtemplate = str_replace("\n", ' ', $boxtemplate);
-
         $output = '';
 
         // Parameters
@@ -477,13 +472,11 @@ public static function getJS(): string
             'cookieSecure' => (bool) $addon->getConfig('cookie_secure', false),
             'cookieName' => $addon->getConfig('cookie_name', 'consentmanager'),
         ];
-        $output .= 'var consent_manager_parameters = ' . json_encode($consent_manager_parameters, JSON_UNESCAPED_SLASHES) . ';' . PHP_EOL . PHP_EOL;
+        $output .= 'var consent_manager_parameters = ' . json_encode($consent_manager_parameters, JSON_UNESCAPED_SLASHES | JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_AMP | JSON_HEX_QUOT) . ';' . PHP_EOL . PHP_EOL;
 
         // Box template
         $output .= '/* --- Consent-Manager Box Template lang=' . $clang . ' --- */' . PHP_EOL;
-        $output .= 'var consent_manager_box_template = \'';
-        // $boxtemplate is guaranteed to be string after above checks
-        $output .= $boxtemplate . '\';' . PHP_EOL . PHP_EOL;
+        $output .= 'var consent_manager_box_template = ' . json_encode($boxtemplate, JSON_UNESCAPED_SLASHES | JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_AMP | JSON_HEX_QUOT) . ';' . PHP_EOL . PHP_EOL;
 
         // Cookie expiration
         $lifespan = $addon->getConfig('lifespan', 365);