Remove HTML and PHP tags from the users,categories and tags fields, prevent XSS
This commit is contained in:
parent
bc79794784
commit
4f3f40a6c4
@ -80,9 +80,9 @@ class dbList extends dbJSON
|
||||
{
|
||||
$key = $this->generateKey($args['name']);
|
||||
|
||||
$this->db[$key]['name'] = $args['name'];
|
||||
$this->db[$key]['template'] = isset($args['template'])?$args['template']:'';
|
||||
$this->db[$key]['description'] = isset($args['description'])?$args['description']:'';
|
||||
$this->db[$key]['name'] = Sanitize::removeTags($args['name']);
|
||||
$this->db[$key]['template'] = isset($args['template'])?Sanitize::removeTags($args['template']):'';
|
||||
$this->db[$key]['description'] = isset($args['description'])?Sanitize::removeTags($args['description']):'';
|
||||
$this->db[$key]['list'] = isset($args['list'])?$args['list']:array();
|
||||
|
||||
$this->sortAlphanumeric();
|
||||
@ -110,9 +110,9 @@ class dbList extends dbJSON
|
||||
return false;
|
||||
}
|
||||
|
||||
$this->db[$args['newKey']]['name'] = $args['name'];
|
||||
$this->db[$args['newKey']]['template'] = isset($args['template'])?$args['template']:'';
|
||||
$this->db[$args['newKey']]['description'] = isset($args['description'])?$args['description']:'';
|
||||
$this->db[$args['newKey']]['name'] = Sanitize::removeTags($args['name']);
|
||||
$this->db[$args['newKey']]['template'] = isset($args['template'])?Sanitize::removeTags($args['template']):'';
|
||||
$this->db[$args['newKey']]['description'] = isset($args['description'])?Sanitize::removeTags($args['description']):'';
|
||||
$this->db[$args['newKey']]['list'] = $this->db[$args['oldKey']]['list'];
|
||||
|
||||
// Remove the old category
|
||||
|
@ -2,7 +2,9 @@
|
||||
|
||||
class Sanitize {
|
||||
|
||||
// new
|
||||
public static function removeTags($text) {
|
||||
return strip_tags($text);
|
||||
}
|
||||
|
||||
// Convert special characters to HTML entities
|
||||
public static function html($text)
|
||||
|
@ -69,8 +69,11 @@ class Users extends dbJSON {
|
||||
$row = array();
|
||||
foreach ($this->dbFields as $field=>$value) {
|
||||
if (isset($args[$field])) {
|
||||
$finalValue = $args[$field];
|
||||
// Remove HTML and PHP tags
|
||||
$finalValue = Sanitize::removeTags($finalValue);
|
||||
// Sanitize if will be stored on database
|
||||
$finalValue = Sanitize::html($args[$field]);
|
||||
$finalValue = Sanitize::html($finalValue);
|
||||
} else {
|
||||
// Default value for the field if not defined
|
||||
$finalValue = $value;
|
||||
@ -100,8 +103,11 @@ class Users extends dbJSON {
|
||||
foreach ($this->dbFields as $field=>$value) {
|
||||
if ($field!=='password') {
|
||||
if (isset($args[$field])) {
|
||||
$finalValue = $args[$field];
|
||||
// Remove HTML and PHP tags
|
||||
$finalValue = Sanitize::removeTags($finalValue);
|
||||
// Sanitize if will be stored on database
|
||||
$finalValue = Sanitize::html($args[$field]);
|
||||
$finalValue = Sanitize::html($finalValue);
|
||||
} else {
|
||||
// Default value is the current one
|
||||
$finalValue = $row[$field];
|
||||
|
Loading…
Reference in New Issue
Block a user