From 082ab6e21a47940927407cc0bdc10875f5deb3fa Mon Sep 17 00:00:00 2001
From: dleffler
Date: Wed, 5 Nov 2014 09:11:41 -0500
Subject: [PATCH] Better job of scrubbing all params coming in either by sef or query url [#1230]

(cherry picked from commit f8e878b)
---
 framework/core/subsystems/expRouter.php | 10 ++++++----
 framework/core/subsystems/expString.php | 2 +-
 framework/core/subsystems/expTheme.php | 23 ++++++++++++++++-------
 3 files changed, 23 insertions(+), 12 deletions(-)

diff --git a/framework/core/subsystems/expRouter.php b/framework/core/subsystems/expRouter.php
index b985acca68..c9353abdc1 100644
--- a/framework/core/subsystems/expRouter.php
+++ b/framework/core/subsystems/expRouter.php
@@ -263,7 +263,7 @@ public function splitURL() {
 if (!empty($this->sefPath)) {
 $this->url_style = 'sef';
 $this->url_parts = explode('/', $this->sefPath);
-
+ //if (empty($this->url_parts[count($this->url_parts)-1])) array_pop($this->url_parts);
 if ($this->url_parts[count($this->url_parts)-1] == '') array_pop($this->url_parts);
 if (empty($this->url_parts[0])) array_shift($this->url_parts);
@@ -501,7 +501,7 @@ public function buildCurrentUrl() {
 if ($this->url_style == 'sef') {
 $url .= substr(PATH_RELATIVE,0,-1).$this->sefPath;
 } else {
- $url .= (empty($_SERVER['REQUEST_URI'])) ? $_ENV['REQUEST_URI'] : $_SERVER['REQUEST_URI'];
+ $url .= expString::sanitize(urldecode((empty($_SERVER['REQUEST_URI'])) ? $_ENV['REQUEST_URI'] : $_SERVER['REQUEST_URI']));
 }
 return $url;
 }
@@ -625,8 +625,8 @@ public function convertPartsToParams() {
 $params[$name] = $val;
 }
 }
- //TODO: fully sanitize all params values here for
- if (isset($params['src'])) $params['src'] = expString::sanitize(htmlspecialchars($params['src']));
+ //TODO: fully sanitize all params values here for ---We already do this!
+// if (isset($params['src'])) $params['src'] = expString::sanitize(htmlspecialchars($params['src']));
 return $params;
 }
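Review bot: The only change in the splitURL() hunk is a commented-out variant of the `array_pop` line that follows it, replacing a blank line. Commented-out code should be deleted rather than kept as a marker; the history is in git, and the live line directly below already does the job. splitURL()'s body continues outside the hunk.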
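Review bot: In buildCurrentUrl()'s else branch, urldecode() on the whole REQUEST_URI changes the URL's structure before it is appended, because percent-encoded delimiters such as `%26`, `%23` and `%2F` become live `&`, `#` and `/`, so the returned URL no longer describes the request it was built from. If the decode is there so that expString::sanitize() sees encoded payloads, that belongs where individual parameters are read (convertPartsToParams() or the $_REQUEST scrub this commit adds), not in the URL that is rebuilt for output; here `$url .= expString::sanitize(empty($_SERVER['REQUEST_URI']) ? $_ENV['REQUEST_URI'] : $_SERVER['REQUEST_URI']);` keeps the encoding intact. What self::escape() does to `/` and `&` is not visible in this commit, so whether the escaped result is still a usable URL also needs confirming. buildCurrentUrl()'s opening, where `$url` is initialised, is outside the hunk.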
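Review bot: The rewritten TODO claims "We already do this!", but nothing in the convertPartsToParams() hunk scrubs the values assigned at `$params[$name] = $val;`, and the removed line was the only escaping of `src` at this layer. The scrubbing this commit adds lives in buildSEFPath() (the sef path) and in expTheme::runAction() (the $_REQUEST loop), so the claim holds only if every caller reaches this method after one of those has run, which this file does not show; dropping the `htmlspecialchars()` wrap also changes what `src` contains for callers that echoed it as-is. Replace the commented-out line and the stale TODO with a comment naming the actual scrub points, e.g. `// values are scrubbed upstream: sefPath in buildSEFPath(), $_REQUEST in expTheme::runAction()`, once the query-string route into $params is confirmed covered. convertPartsToParams()'s opening is outside the hunk.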
@@ -710,6 +710,8 @@ private function buildSEFPath () {
 }
 }
 if (substr($this->sefPath,-1) == "/") $this->sefPath = substr($this->sefPath,0,-1);
+ // santize it
+ $this->sefPath = expString::sanitize($this->sefPath);
 }
 public function getSection() {
diff --git a/framework/core/subsystems/expString.php b/framework/core/subsystems/expString.php
index cc3530e45c..8d7a79e2da 100644
--- a/framework/core/subsystems/expString.php
+++ b/framework/core/subsystems/expString.php
@@ -234,7 +234,7 @@ public static function sanitize($data) {
 $data = self::escape($data);
 }
- return $data;
+ return str_replace('\"/>', '', $data);
 }
 /**\
diff --git a/framework/core/subsystems/expTheme.php b/framework/core/subsystems/expTheme.php
index aa300d17d0..844ba25299 100755
--- a/framework/core/subsystems/expTheme.php
+++ b/framework/core/subsystems/expTheme.php
@@ -521,9 +521,10 @@ public static function getTheme()
 // if we are in an action, get the particulars for the module
 if (self::inAction()) {
- $module = isset($_REQUEST['module']) ? expString::sanitize(
- $_REQUEST['module']
- ) : expString::sanitize($_REQUEST['controller']);
+// $module = isset($_REQUEST['module']) ? expString::sanitize(
+// $_REQUEST['module']
+// ) : expString::sanitize($_REQUEST['controller']);
+ $module = isset($_REQUEST['module']) ? $_REQUEST['module'] : $_REQUEST['controller'];
 }
 // if we are in an action and have action maps to work with...
@@ -689,10 +690,13 @@ public static function runAction()
 // echo "".$config['backlinktext']."
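Review bot: Typo in the new comment, `// santize it` → `// sanitize it`. More substantively, expString::sanitize() appears to be an escaping routine (the expString hunk in this commit shows it passing data through self::escape() and then stripping a literal), so from this line on sefPath carries the escaped form into splitURL()'s explode('/') and into the string buildCurrentUrl() concatenates with PATH_RELATIVE; if escape() rewrites `/`, quotes or `&`, both route matching and the rebuilt URL change. That is worth stating at the assignment, e.g. `// sefPath is kept in escaped form from here on; segment comparisons must expect that`, after checking what escape() actually touches. buildSEFPath()'s opening is outside the hunk.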
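Review bot: The new return line in sanitize() is a denylist of one literal, `\"/>`, applied after escaping, so it removes only that exact byte sequence; any other way of closing an attribute or tag passes through untouched, and deleting a substring can join the characters on either side of it into a token that was not there before, which is the known failure mode of strip-based filters. Since the line above already routes the data through self::escape(), the safer shape is to keep `return $data;` and neutralise tag or attribute closers at the point of output with context-appropriate encoding (htmlspecialchars() for HTML), rather than editing the value on input. sanitize()'s opening and the conditional around self::escape() are outside the hunk, so what escape() covers cannot be confirmed from here.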
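Review bot: The added line in getTheme() reads `$_REQUEST['module']` and `$_REQUEST['controller']` raw where the removed lines wrapped both in expString::sanitize(); the commit's replacement is the $_REQUEST scrubbing loop added to runAction(), but nothing here establishes that runAction() has executed before getTheme() uses `$module`, so this is a regression unless that ordering is guaranteed. Either keep the sanitize() call here or document the dependency at the assignment, e.g. `// $_REQUEST has already been scrubbed by runAction()`, once the call order is confirmed. The three commented-out lines above it should be deleted rather than kept. getTheme()'s body continues outside the hunk.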

"; // } + // clean our passed parameters + foreach ($_REQUEST as $key=>$param) { + $_REQUEST[$key] = expString::sanitize($param); + } + //FIXME: module/controller glue code..remove ASAP - $module = empty($_REQUEST['controller']) ? expString::sanitize($_REQUEST['module']) : expString::sanitize( - $_REQUEST['controller'] - ); + $module = empty($_REQUEST['controller']) ? $_REQUEST['module'] : $_REQUEST['controller']; // $isController = expModules::controllerExists($module); // if ($isController && !isset($_REQUEST['_common'])) { @@ -763,7 +767,8 @@ public static function showAction($module, $action, $src = "", $params = array() $actfile = "/" . $module . "/actions/" . $action . ".php"; if (isset($params)) { foreach ($params as $key => $value) { - $_GET[$key] = $value; +// $_GET[$key] = $value; + $_GET[$key] = expString::sanitize($value); } } //if (isset($['_common'])) $actfile = "/common/actions/" . $_REQUEST['action'] . ".php"; @@ -773,6 +778,10 @@ public static function showAction($module, $action, $src = "", $params = array() // } elseif (is_readable(BASE.'framework/modules-1/'.$actfile)) { // include(BASE.'framework/modules-1/'.$actfile); } else { + // clean our passed parameters + foreach ($_REQUEST as $key=>$param) { + $_REQUEST[$key] = expString::sanitize($param); + } // echo SITE_404_HTML . '


'; notfoundController::handle_not_found(); echo '

';