From 4f3f40a6c4482bb1f3690ac121b4d5d8361ebae8 Mon Sep 17 00:00:00 2001
From: Diego Najar
Date: Sat, 12 Oct 2019 11:35:35 +0200
Subject: [PATCH] Remove HTML and PHP tags from the users,categories and tags fields, prevent XSS
---
 bl-kernel/abstract/dblist.class.php | 12 ++++++------
 bl-kernel/helpers/sanitize.class.php | 4 +++-
 bl-kernel/users.class.php | 10 ++++++++--
 3 files changed, 17 insertions(+), 9 deletions(-)
diff --git a/bl-kernel/abstract/dblist.class.php b/bl-kernel/abstract/dblist.class.php
index cd0ec5d5..8af914f1 100644
--- a/bl-kernel/abstract/dblist.class.php
+++ b/bl-kernel/abstract/dblist.class.php
@@ -80,9 +80,9 @@ class dbList extends dbJSON
 {
 $key = $this->generateKey($args['name']);
- $this->db[$key]['name'] = $args['name'];
- $this->db[$key]['template'] = isset($args['template'])?$args['template']:'';
- $this->db[$key]['description'] = isset($args['description'])?$args['description']:'';
+ $this->db[$key]['name'] = Sanitize::removeTags($args['name']);
+ $this->db[$key]['template'] = isset($args['template'])?Sanitize::removeTags($args['template']):'';
+ $this->db[$key]['description'] = isset($args['description'])?Sanitize::removeTags($args['description']):'';
 $this->db[$key]['list'] = isset($args['list'])?$args['list']:array();
 $this->sortAlphanumeric();
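Review bot: The key is still derived from the raw input while the stored name is stripped: the context line `$key = $this->generateKey($args['name']);` runs on `$args['name']` before `Sanitize::removeTags()` is applied, so a name carrying markup can yield a key that no longer corresponds to the name that is stored and shown; strip once and use that value for both, e.g. `$name = Sanitize::removeTags($args['name']);` then `$key = $this->generateKey($name);` and `$this->db[$key]['name'] = $name;`. Note also that `strip_tags()` only removes tag syntax and is not an output encoder; unlike the users.class.php hunks these assignments are not followed by `Sanitize::html()`, so the stored values are only safe if every view escapes them at render time, which is not visible here. `$args['list']` is stored as given. The edit hunk at @@ -110,9 has the same `removeTags`-without-`html()` shape. The enclosing method starts outside the hunk.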
@@ -110,9 +110,9 @@ class dbList extends dbJSON
 return false;
 }
- $this->db[$args['newKey']]['name'] = $args['name'];
- $this->db[$args['newKey']]['template'] = isset($args['template'])?$args['template']:'';
- $this->db[$args['newKey']]['description'] = isset($args['description'])?$args['description']:'';
+ $this->db[$args['newKey']]['name'] = Sanitize::removeTags($args['name']);
+ $this->db[$args['newKey']]['template'] = isset($args['template'])?Sanitize::removeTags($args['template']):'';
+ $this->db[$args['newKey']]['description'] = isset($args['description'])?Sanitize::removeTags($args['description']):'';
 $this->db[$args['newKey']]['list'] = $this->db[$args['oldKey']]['list'];
 // Remove the old category
diff --git a/bl-kernel/helpers/sanitize.class.php b/bl-kernel/helpers/sanitize.class.php
index f8226afc..327e5bd4 100644
--- a/bl-kernel/helpers/sanitize.class.php
+++ b/bl-kernel/helpers/sanitize.class.php
@@ -2,7 +2,9 @@
 class Sanitize {
- // new
+ public static function removeTags($text) {
+ return strip_tags($text);
+ }
 // Convert special characters to HTML entities
 public static function html($text)
diff --git a/bl-kernel/users.class.php b/bl-kernel/users.class.php
index 3b2c57d7..b57899f9 100644
--- a/bl-kernel/users.class.php
+++ b/bl-kernel/users.class.php
@@ -69,8 +69,11 @@ class Users extends dbJSON {
 $row = array();
 foreach ($this->dbFields as $field=>$value) {
 if (isset($args[$field])) {
+ $finalValue = $args[$field];
+ // Remove HTML and PHP tags
+ $finalValue = Sanitize::removeTags($finalValue);
 // Sanitize if will be stored on database
- $finalValue = Sanitize::html($args[$field]);
+ $finalValue = Sanitize::html($finalValue);
 } else {
 // Default value for the field if not defined
 $finalValue = $value;
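Review bot: `removeTags` is undocumented and untyped, and `strip_tags()` has behaviour its callers need to know: it removes tag syntax and drops everything after an unterminated `<`, but leaves entities and any text outside tags untouched, so it does not replace `Sanitize::html()` for output. Add a comment above it in the style of the sibling `html()` comment, such as `// Remove HTML and PHP tags (strip_tags); not an output encoder, callers must still escape with html() before rendering`. A `@param string $text` / `@return string` docblock would also help, since the rest of the file appears to be untyped. The class body continues outside the hunk.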
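Review bot: The three added lines assign `$finalValue` twice before the existing `Sanitize::html()` call; the same result reads more directly as a single expression, `// Remove HTML and PHP tags, then encode for storage` followed by `$finalValue = Sanitize::html(Sanitize::removeTags($args[$field]));`. Unlike the hunk at @@ -100,8, this loop has no `if ($field!=='password')` guard, so if `password` is among `$this->dbFields` and is later hashed from `$finalValue` (not visible here), a password containing `<`, `&` or quotes would be altered before hashing and could no longer match at login — confirm the password is handled separately or exclude it here. The same restyle applies to the hunk at @@ -100,8. Both enclosing methods start outside their hunks.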
@@ -100,8 +103,11 @@ class Users extends dbJSON {
 foreach ($this->dbFields as $field=>$value) {
 if ($field!=='password') {
 if (isset($args[$field])) {
+ $finalValue = $args[$field];
+ // Remove HTML and PHP tags
+ $finalValue = Sanitize::removeTags($finalValue);
 // Sanitize if will be stored on database
- $finalValue = Sanitize::html($args[$field]);
+ $finalValue = Sanitize::html($finalValue);
 } else {
 // Default value is the current one
 $finalValue = $row[$field];