Content of private messages not properly checked against malicious c…

…ode #1448
Admidio · Jun 21, 2023 · 1ec2301 · 1ec2301
1 parent 5910a8d
commit 1ec2301
Show file tree

Hide file tree

Showing 3 changed files with 11 additions and 10 deletions.
diff --git a/adm_program/modules/messages/messages_write.php b/adm_program/modules/messages/messages_write.php
@@ -253,7 +253,7 @@
     $form->addMultilineTextInput(
         'msg_body',
         $gL10n->get('SYS_MESSAGE'),
-        $message->getContent(),
+        $message->getContent('database'),
         10,
         array('maxLength' => 254, 'property' => HtmlForm::FIELD_REQUIRED)
     );
@@ -566,12 +566,12 @@
 
     // add multiline text element or ckeditor to form
     if ($gValidLogin && $gSettingsManager->getBool('mail_html_registered_users')) {
-        $form->addEditor('msg_body', '', $message->getContent(), array('property' => HtmlForm::FIELD_REQUIRED, 'helpTextIdInline' => ($gValidLogin && $gSettingsManager->getInt('mail_sending_mode') === Email::SENDINGMODE_SINGLE) ? array('SYS_EMAIL_PARAMETERS_DESC', array('#recipient_firstname#', '#recipient_lastname#', '#recipient_name#', '#recipient_email#')) : null));
+        $form->addEditor('msg_body', '', $message->getContent('database'), array('property' => HtmlForm::FIELD_REQUIRED, 'helpTextIdInline' => ($gValidLogin && $gSettingsManager->getInt('mail_sending_mode') === Email::SENDINGMODE_SINGLE) ? array('SYS_EMAIL_PARAMETERS_DESC', array('#recipient_firstname#', '#recipient_lastname#', '#recipient_name#', '#recipient_email#')) : null));
     } else {
         $form->addMultilineTextInput(
             'msg_body',
             $gL10n->get('SYS_TEXT'),
-            $message->getContent(),
+            $message->getContent('database'),
             10,
             array('property' => HtmlForm::FIELD_REQUIRED)
         );

diff --git a/adm_program/system/classes/TableMessage.php b/adm_program/system/classes/TableMessage.php
@@ -48,7 +48,7 @@ public function __construct(Database $database, $msgId = 0)
     {
         parent::__construct($database, TBL_MESSAGES, 'msg', $msgId);
 
-        $this->getContent();
+        $this->getContent('database');
     }
 
     /**
@@ -147,7 +147,7 @@ public function addUser($userId, $fullName = '')
      */
     public function addContent($content)
     {
-        $this->msgContentObject = new TableAccess($this->db, TBL_MESSAGES_CONTENT, 'msc');
+        $this->msgContentObject = new TableMessageContent($this->db);
         $this->msgContentObject->setValue('msc_msg_id', $this->getValue('msg_id'));
         $this->msgContentObject->setValue('msc_message', $content, false);
         $this->msgContentObject->setValue('msc_timestamp', DATETIME_NOW);
@@ -267,9 +267,10 @@ public function getAttachmentsInformations()
     /**
      * Get the content of the message or email. If it's a message conversation than only
      * the last content will be returned.
+     * @param string $format The format can be **database** that would return the original database value without any transformations
      * @return string Returns the content of the message.
      */
-    public function getContent()
+    public function getContent(string $format = ''): string
     {
         $content = '';
 
@@ -286,13 +287,13 @@ public function getContent()
                            )';
             $messageContentStatement = $this->db->queryPrepared($sql, array($this->getValue('msg_id')));
 
-            $this->msgContentObject = new TableAccess($this->db, TBL_MESSAGES_CONTENT, 'msc');
+            $this->msgContentObject = new TableMessageContent($this->db);
             $this->msgContentObject->setArray($messageContentStatement->fetch());
         }
 
         // read content of the content object
         if (is_object($this->msgContentObject)) {
-            $content = $this->msgContentObject->getValue('msc_message', 'database');
+            $content = $this->msgContentObject->getValue('msc_message', $format);
         }
 
         return $content;

diff --git a/adm_program/system/classes/TableMessageContent.php b/adm_program/system/classes/TableMessageContent.php
@@ -41,10 +41,10 @@ public function getValue($columnName, $format = '')
                 $value = html_entity_decode(StringUtils::strStripTags($this->dbColumns['msc_message']));
             } elseif($this->dbColumns['msc_message'] != strip_tags($this->dbColumns['msc_message'])) {
                 // text contains html
-                $value = htmlspecialchars_decode(stripslashes($this->dbColumns['msc_message']));
+                $value = htmlspecialchars_decode(stripslashes(SecurityUtils::encodeHTML($this->dbColumns['msc_message'])));
             } else {
                 // simple plain text than replace the line breaks
-                $value = nl2br($this->dbColumns['msc_message']);
+                $value = nl2br(SecurityUtils::encodeHTML($this->dbColumns['msc_message']));
             }
 
             return $value;