Fixed issue #17526: Filter html_entity_decode at save (#2017)

Co-authored-by: encuestabizdevgit <devgit@encuesta.biz>
LimeSurvey · Sep 27, 2021 · 6da7e44 · 6da7e44
1 parent f044289
commit 6da7e44
Show file tree

Hide file tree

Showing 2 changed files with 34 additions and 1 deletion.
diff --git a/application/core/LSYii_Validators.php b/application/core/LSYii_Validators.php
@@ -115,7 +115,8 @@ public function xssFilter($value)
         $filter = LSYii_HtmlPurifier::getXssPurifier();
 
         /** Start to get complete filtered value with  url decode {QCODE} (bug #09300). This allow only question number in url, seems OK with XSS protection **/
-        $sFiltered = preg_replace('#%7B([a-zA-Z0-9\.]*)%7D#', '{$1}', $filter->purify($value));
+        $sFiltered = $filter->purify($value);
+        $sFiltered = preg_replace('#%7B([a-zA-Z0-9\.]*)%7D#', '{$1}', $sFiltered);
         Yii::import('application.helpers.expressions.em_core_helper', true); // Already imported in em_manager_helper.php ?
         $oExpressionManager = new ExpressionManager();
         /**  We get 2 array : one filtered, other unfiltered **/
@@ -136,6 +137,8 @@ public function xssFilter($value)
                         $sNewValue .= "\"" . (string) $filter->purify($aParsedExpression[0]) . "\""; // This disallow complex HTML construction with XSS
                     } elseif ($aParsedExpression[2] == 'SQ_STRING') {
                         $sNewValue .= "'" . (string) $filter->purify($aParsedExpression[0]) . "'";
+                    } elseif ($aParsedExpression[2] == 'WORD') {
+                        $sNewValue .= str_replace("html_entity_decode", "", $aParsedExpression[0]);
                     } else {
                         $sNewValue .= $aParsedExpression[0];
                     }

diff --git a/tests/unit/LSYiiValidatorsTest.php b/tests/unit/LSYiiValidatorsTest.php
@@ -0,0 +1,30 @@
+<?php
+
+namespace ls\tests;
+
+/**
+ * Test LSYii_Validators class.
+ */
+class LSYiiValidatorsTest extends TestBaseClass
+{
+    /**
+     * Test filtering of html_entity_decode.
+     */
+    public function testHtmlEntityDecodeFilter()
+    {
+        // First, we define the cases to test. Array keys are the strings to filter, and values are the expected result
+        $cases = [
+            "html_entity_decode('&amp;')" => "html_entity_decode('&amp;')", // Not an expression, so it shouldn't be changed.
+            "{html_entity_decode('&amp;')}" => "{('&amp;')}",   // Used as a function in an expression, so it should be removed.
+            "{join(\"&#123;\",'html_entity_decode(\"&amp;amp;\")',\"&#125;\")}" => "{join(\"{\",'html_entity_decode(\"&amp;amp;\")',\"}\")}",   // Inside a function but as a string, so it's not removed.
+        ];
+
+        $validator = new \LSYii_Validators();
+
+        // Test each case
+        foreach ($cases as $string => $expected) {
+            $actual = $validator->xssFilter($string);
+            $this->assertEquals($expected, $actual);
+        }
+    }
+}