
Invalid input check #1511
Fasse committed Oct 30, 2023
1 parent 4417744 commit 3fbf9b4
Showing 19 changed files with 47 additions and 28 deletions.
2 changes: 1 addition & 1 deletion adm_program/modules/announcements/announcements_new.php
Expand Up @@ -71,7 +71,7 @@
if (isset($_SESSION['announcements_request'])) {
// due to incorrect input the user has returned to this form
// now write the previously entered contents into the object
$announcement->setArray($_SESSION['announcements_request']);
$announcement->setArray(SecurityUtils::encodeHTML(StringUtils::strStripTags($_SESSION['announcements_request'])));
unset($_SESSION['announcements_request']);
}

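Review bot: `StringUtils::strStripTags()` is now handed the whole `$_SESSION['announcements_request']` array instead of a string, and nothing in this commit shows that it accepts arrays — `SecurityUtils::encodeHTML` was extended for that purpose, `strStripTags` was not — so confirm it has an array branch, otherwise this line fails with a TypeError on the first validation round-trip. The same call pattern appears in the 17 other module files of this commit (categories_new.php, dates_new.php, folder_new.php, rename.php, groups_roles_new.php, mylist.php, guestbook_comment_new.php, guestbook_new.php, links_new.php, import.php, import_column_config.php, menu_new.php, messages_write.php, photo_album_new.php, profile_fields_new.php, profile_new.php, rooms_new.php). Since the values written via `setArray` are now stored HTML-encoded, a short comment would save the next maintainer from escaping them a second time in the template: `// values are already HTML-encoded here; the form must not run htmlspecialchars() on them again` — whether the template currently does so is not visible in this diff.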
2 changes: 1 addition & 1 deletion adm_program/modules/categories/categories_new.php
Expand Up @@ -109,7 +109,7 @@
if (isset($_SESSION['categories_request'])) {
// By wrong input, the user returned to this form now write the previously entered contents into the object

$category->setArray($_SESSION['categories_request']);
$category->setArray(SecurityUtils::encodeHTML(StringUtils::strStripTags($_SESSION['categories_request'])));

// get the selected roles for visibility
if (isset($_SESSION['categories_request']['adm_categories_view_right'])) {
2 changes: 1 addition & 1 deletion adm_program/modules/dates/dates_new.php
Expand Up @@ -60,7 +60,7 @@
if ((string) $_SESSION['dates_request']['date_deadline'] !== '') {
$_SESSION['dates_request']['dat_deadline'] = $_SESSION['dates_request']['date_deadline'] . ' ' . $_SESSION['dates_request']['date_deadline_time'];
}
$date->setArray($_SESSION['dates_request']);
$date->setArray(SecurityUtils::encodeHTML(StringUtils::strStripTags($_SESSION['dates_request'])));

// get the selected roles for visibility
if (isset($_SESSION['dates_request']['adm_event_participation_right']) && $_SESSION['dates_request']['adm_event_participation_right'] !== '') {
2 changes: 1 addition & 1 deletion adm_program/modules/documents-files/folder_new.php
Expand Up @@ -38,7 +38,7 @@
$gNavigation->addUrl(CURRENT_URL, $headline);

if (isset($_SESSION['documents_files_request'])) {
$formValues = $_SESSION['documents_files_request'];
$formValues = SecurityUtils::encodeHTML(StringUtils::strStripTags($_SESSION['documents_files_request']));
unset($_SESSION['documents_files_request']);
} else {
$formValues['new_folder'] = '';
2 changes: 1 addition & 1 deletion adm_program/modules/documents-files/rename.php
Expand Up @@ -36,7 +36,7 @@
$gNavigation->addUrl(CURRENT_URL, $headline);

if (isset($_SESSION['documents_files_request'])) {
$formValues = $_SESSION['documents_files_request'];
$formValues = SecurityUtils::encodeHTML(StringUtils::strStripTags($_SESSION['documents_files_request']));
unset($_SESSION['documents_files_request']);
} else {
$formValues['new_name'] = null;
2 changes: 1 addition & 1 deletion adm_program/modules/groups-roles/groups_roles_new.php
Expand Up @@ -64,7 +64,7 @@
if (isset($_SESSION['roles_request'])) {
// due to incorrect input the user has returned to this form
// now write the previously entered contents into the object
$role->setArray($_SESSION['roles_request']);
$role->setArray(SecurityUtils::encodeHTML(StringUtils::strStripTags($_SESSION['roles_request'])));
unset($_SESSION['roles_request']);
}

2 changes: 1 addition & 1 deletion adm_program/modules/groups-roles/mylist.php
Expand Up @@ -56,7 +56,7 @@
$list->readDataByUuid($getListUuid);

if (isset($_SESSION['mylist_request'])) {
$formValues = $_SESSION['mylist_request'];
$formValues = SecurityUtils::encodeHTML(StringUtils::strStripTags($_SESSION['mylist_request']));
unset($_SESSION['mylist_request']);

if (!isset($formValues['cbx_global_configuration'])) {
2 changes: 1 addition & 1 deletion adm_program/modules/guestbook/guestbook_comment_new.php
Expand Up @@ -84,7 +84,7 @@
if (isset($_SESSION['guestbook_comment_request'])) {
// durch fehlerhafte Eingabe ist der User zu diesem Formular zurueckgekehrt
// nun die vorher eingegebenen Inhalte ins Objekt schreiben
$gbComment->setArray($_SESSION['guestbook_comment_request']);
$gbComment->setArray(SecurityUtils::encodeHTML(StringUtils::strStripTags($_SESSION['guestbook_comment_request'])));
unset($_SESSION['guestbook_comment_request']);
}

2 changes: 1 addition & 1 deletion adm_program/modules/guestbook/guestbook_new.php
Expand Up @@ -70,7 +70,7 @@

if (isset($_SESSION['guestbook_entry_request'])) {
// due to a wrong input the user has returned to this form, now write the previously entered content into the object
$guestbook->setArray($_SESSION['guestbook_entry_request']);
$guestbook->setArray(SecurityUtils::encodeHTML(StringUtils::strStripTags($_SESSION['guestbook_entry_request'])));
unset($_SESSION['guestbook_entry_request']);
}

2 changes: 1 addition & 1 deletion adm_program/modules/links/links_new.php
Expand Up @@ -50,7 +50,7 @@
if (isset($_SESSION['links_request'])) {
// due to incorrect input the user has returned to this form
// now write the previously entered contents into the object
$link->setArray($_SESSION['links_request']);
$link->setArray(SecurityUtils::encodeHTML(StringUtils::strStripTags($_SESSION['links_request'])));
unset($_SESSION['links_request']);
}

2 changes: 1 addition & 1 deletion adm_program/modules/members/import.php
Expand Up @@ -31,7 +31,7 @@
if (isset($_SESSION['import_request'])) {
// due to incorrect input the user has returned to this form
// now write the previously entered contents into the object
$formValues = $_SESSION['import_request'];
$formValues = SecurityUtils::encodeHTML(StringUtils::strStripTags($_SESSION['import_request']));
unset($_SESSION['import_request']);
}

2 changes: 1 addition & 1 deletion adm_program/modules/members/import_column_config.php
Expand Up @@ -30,7 +30,7 @@
if (isset($_SESSION['import_csv_request'])) {
// due to incorrect input the user has returned to this form
// now write the previously entered contents into the object
$formValues = $_SESSION['import_csv_request'];
$formValues = SecurityUtils::encodeHTML(StringUtils::strStripTags($_SESSION['import_csv_request']));
unset($_SESSION['import_csv_request']);
if (!isset($form['first_row'])) {
$formValues['first_row'] = false;
2 changes: 1 addition & 1 deletion adm_program/modules/menu/menu_new.php
Expand Up @@ -86,7 +86,7 @@ function subMenu(array &$menuList, int $level, int $menId, int $parentId = null)
if (isset($_SESSION['menu_request'])) {
// due to incorrect input, the user has returned to this form
// Now write the previously entered content into the object
$menu->setArray($_SESSION['menu_request']);
$menu->setArray(SecurityUtils::encodeHTML(StringUtils::strStripTags($_SESSION['menu_request'])));
unset($_SESSION['menu_request']);
}

2 changes: 1 addition & 1 deletion adm_program/modules/messages/messages_write.php
Expand Up @@ -181,7 +181,7 @@
if (isset($_SESSION['message_request'])) {
$message->setArray($_SESSION['message_request']);
$message->addContent($_SESSION['message_request']['msg_body']);
$formValues = $_SESSION['message_request'];
$formValues = SecurityUtils::encodeHTML(StringUtils::strStripTags($_SESSION['message_request']));
unset($_SESSION['message_request']);

if (!isset($formValues['carbon_copy'])) {
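Review bot: Only `$formValues` is stripped and encoded on the changed line, while `$message->setArray($_SESSION['message_request'])` and `$message->addContent($_SESSION['message_request']['msg_body'])` two lines above still receive the raw session values, so the message object keeps the unencoded body. Every other module file in this commit encodes before `setArray`; if the message object is rendered back into the form this file is the one inconsistency, and if it is intentionally left raw (for example because the body is escaped at output) that deserves a comment. One way to make the intent explicit is to compute the wrapped value once into a local and feed all three uses from it, e.g. `$formValues = SecurityUtils::encodeHTML(StringUtils::strStripTags($_SESSION['message_request']));` first, then `$message->setArray($formValues);` and `$message->addContent($formValues['msg_body']);`. The enclosing `if (isset($_SESSION['message_request']))` block continues past the end of the hunk.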
2 changes: 1 addition & 1 deletion adm_program/modules/photos/photo_album_new.php
Expand Up @@ -58,7 +58,7 @@
if (isset($_SESSION['photo_album_request'])) {
// durch fehlerhafte Eingabe ist der User zu diesem Formular zurueckgekehrt
// nun die vorher eingegebenen Inhalte ins Objekt schreiben
$photoAlbum->setArray($_SESSION['photo_album_request']);
$photoAlbum->setArray(SecurityUtils::encodeHTML(StringUtils::strStripTags($_SESSION['photo_album_request'])));
unset($_SESSION['photo_album_request']);
}

2 changes: 1 addition & 1 deletion adm_program/modules/profile-fields/profile_fields_new.php
Expand Up @@ -65,7 +65,7 @@

// due to incorrect input, the user has returned to this form
// Now write the previously entered content into the object
$userField->setArray($_SESSION['fields_request']);
$userField->setArray(SecurityUtils::encodeHTML(StringUtils::strStripTags($_SESSION['fields_request'])));
unset($_SESSION['fields_request']);
}

6 changes: 3 additions & 3 deletions adm_program/modules/profile/profile_new.php
Expand Up @@ -117,15 +117,15 @@
foreach ($gProfileFields->getProfileFields() as $field) {
$fieldName = 'usf-'. (int) $field->getValue('usf_id');
if (isset($_SESSION['profile_request'][$fieldName])) {
$user->setProfileFieldsValue($field->getValue('usf_name_intern'), stripslashes($_SESSION['profile_request'][$fieldName]), false);
$user->setProfileFieldsValue($field->getValue('usf_name_intern'), SecurityUtils::encodeHTML(StringUtils::strStripTags($_SESSION['profile_request'][$fieldName])), false);
}
}

if (isset($_SESSION['profile_request']['usr_login_name'])) {
$user->setArray(array('usr_login_name' => $_SESSION['profile_request']['usr_login_name']));
$user->setArray(array('usr_login_name' => SecurityUtils::encodeHTML(StringUtils::strStripTags($_SESSION['profile_request']['usr_login_name']))));
}
if (isset($_SESSION['profile_request']['reg_org_id'])) {
$registrationOrgId = $_SESSION['profile_request']['reg_org_id'];
$registrationOrgId = SecurityUtils::encodeHTML(StringUtils::strStripTags($_SESSION['profile_request']['reg_org_id']));
}

unset($_SESSION['profile_request']);
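Review bot: The new `$registrationOrgId = SecurityUtils::encodeHTML(StringUtils::strStripTags($_SESSION['profile_request']['reg_org_id']));` HTML-encodes what is presumably an organisation id; an identifier is better checked by type than by escaping, so `$registrationOrgId = (int) $_SESSION['profile_request']['reg_org_id'];` rejects non-numeric input outright and leaves nothing to encode. The same consideration does not apply to `usr_login_name` and the profile-field loop above it, which are free text. The enclosing block that tests for `$_SESSION['profile_request']` starts before this hunk.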
2 changes: 1 addition & 1 deletion adm_program/modules/rooms/rooms_new.php
Expand Up @@ -44,7 +44,7 @@
if (isset($_SESSION['rooms_request'])) {
// due to incorrect input the user has returned to this form
// now write the previously entered contents into the object
$room->setArray($_SESSION['rooms_request']);
$room->setArray(SecurityUtils::encodeHTML(StringUtils::strStripTags($_SESSION['rooms_request'])));
unset($_SESSION['rooms_request']);
}

35 changes: 27 additions & 8 deletions adm_program/system/classes/SecurityUtils.php
Expand Up @@ -11,20 +11,39 @@ final class SecurityUtils
/**
* Encodes all HTML special characters
* If $encodeAll is false, this method is only secure if encoding is not UTF-7
* @param string $input The input string
* @param string|array<mixed,string> $input The input string
* @param bool $encodeAll Set true too encode really all HTML special characters
* @param string $encoding Define character encoding to use
* @return string Encoded string
* @return string|array<mixed,string> Encoded string
*/
public static function encodeHTML(string $input, bool $encodeAll = false, string $encoding = 'UTF-8')
public static function encodeHTML($input, bool $encodeAll = false, string $encoding = 'UTF-8')
{
if ($encodeAll) {
// Encodes: all special HTML characters
return htmlentities($input, ENT_QUOTES | ENT_HTML5, $encoding);
if (is_array($input)) {
// call function for every array element
if ($encodeAll) {
// Encodes: all special HTML characters
function myHtmlentities($value) {
return htmlentities($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}
$input = array_map('myHtmlentities', $input);
} else {
// Encodes: &, ", ', <, >
function myHtmlspecialchars($value) {
return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}
$input = array_map('myHtmlspecialchars', $input);
}
} else {
if ($encodeAll) {
// Encodes: all special HTML characters
$input = htmlentities($input, ENT_QUOTES | ENT_HTML5, $encoding);
} else {
// Encodes: &, ", ', <, >
$input = htmlspecialchars($input, ENT_QUOTES | ENT_HTML5, $encoding);
}
}

// Encodes: &, ", ', <, >
return htmlspecialchars($input, ENT_QUOTES | ENT_HTML5, $encoding);
return $input;
}

/**
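Review bot: The `function myHtmlentities` and `function myHtmlspecialchars` declarations inside the `is_array` branch are ordinary nested function declarations, which PHP registers globally the first time that branch executes; a second call of `encodeHTML()` with an array in the same request — which the module files in this commit can easily produce — aborts with a "Cannot redeclare" fatal error. Both helpers also hardcode `'UTF-8'` and ignore the `$encoding` parameter, and `array_map` does not descend into nested arrays, so a request array holding a multi-select list (categories_new.php reads `adm_categories_view_right` from the same array) hands an array to `htmlspecialchars()`. Replacing the two helpers with a closure that recurses through `self::encodeHTML` fixes all three while leaving the string branch as is; the `@param`/`@return` docblock should then say the array may be nested. The class header `final class SecurityUtils` is outside the hunk.
```php
public static function encodeHTML($input, bool $encodeAll = false, string $encoding = 'UTF-8')
{
    if (is_array($input)) {
        // encode every element, descending into nested arrays and honouring $encoding
        return array_map(
            static function ($value) use ($encodeAll, $encoding) {
                return self::encodeHTML($value, $encodeAll, $encoding);
            },
            $input
        );
    }

    // … unchanged: string branch (htmlentities / htmlspecialchars) …
    return $input;
}
```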
