Prevent some possible XSS

Few fixes Enhance type hinting
galette · Apr 5, 2021 · 514418d · 514418d
1 parent e0d5f68
commit 514418d
Show file tree

Hide file tree

Showing 11 changed files with 27 additions and 24 deletions.
diff --git a/galette/lib/Galette/Controllers/AuthController.php b/galette/lib/Galette/Controllers/AuthController.php
@@ -305,7 +305,7 @@ public function retrievePassword(Request $request, Response $response, int $id_a
             $login_adh = $adh->login;
         } else {
             $post = $request->getParsedBody();
-            $login_adh = $post['login'];
+            $login_adh = htmlspecialchars($post['login'], ENT_QUOTES);
             $adh = new Adherent($this->zdb, $login_adh);
         }
 

diff --git a/galette/lib/Galette/Controllers/Crud/MembersController.php b/galette/lib/Galette/Controllers/Crud/MembersController.php
@@ -397,7 +397,7 @@ public function filterPublicList(Request $request, Response $response, string $t
         } else {
             //number of rows to show
             if (isset($post['nbshow'])) {
-                $filters->show = $post['nbshow'];
+                $filters->show = (int)$post['nbshow'];
             }
         }
 
@@ -654,7 +654,7 @@ public function filter(Request $request, Response $response): Response
             }
             //number of rows to show
             if (isset($post['nbshow'])) {
-                $filters->show = $post['nbshow'];
+                $filters->show = (int)$post['nbshow'];
             }
 
             if (isset($post['advanced_filtering'])) {
@@ -674,7 +674,7 @@ public function filter(Request $request, Response $response): Response
                                     trim($f) !== ''
                                     && trim($post['free_text'][$i]) !== ''
                                 ) {
-                                    $fs_search = $post['free_text'][$i];
+                                    $fs_search = htmlspecialchars($post['free_text'][$i], ENT_QUOTES);
                                     $log_op
                                         = (int)$post['free_logical_operator'][$i];
                                     $qry_op
@@ -871,7 +871,7 @@ public function ajaxList(Request $request, Response $response, string $option =
 
         //numbers of rows to display
         if (isset($post['nbshow']) && is_numeric($post['nbshow'])) {
-            $filters->show = $post['nbshow'];
+            $filters->show = (int)$post['nbshow'];
         }
 
         $members = new Members($filters);
@@ -966,11 +966,11 @@ public function ajaxList(Request $request, Response $response, string $option =
         }
 
         if (isset($post['gid'])) {
-            $params['the_id'] = $post['gid'];
+            $params['the_id'] = (int)$post['gid'];
         }
 
         if (isset($post['id_adh'])) {
-            $params['excluded'] = $post['id_adh'];
+            $params['excluded'] = (int)$post['id_adh'];
         }
 
         // display page

diff --git a/galette/lib/Galette/Controllers/DynamicTranslationsController.php b/galette/lib/Galette/Controllers/DynamicTranslationsController.php
@@ -170,6 +170,7 @@ public function dynamicTranslations(Request $request, Response $response, string
     public function doDynamicTranslations(Request $request, Response $response): Response
     {
         $post = $request->getParsedBody();
+        $post['text_orig'] = htmlspecialchars($post['text_orig'], ENT_QUOTES);
         $error_detected = [];
 
         if (isset($post['trans']) && isset($post['text_orig'])) {

diff --git a/galette/lib/Galette/Controllers/GaletteController.php b/galette/lib/Galette/Controllers/GaletteController.php
@@ -540,7 +540,7 @@ public function storeCoreFieldsConfig(Request $request, Response $response): Res
 
             $res[$current_cat][] = array(
                 'field_id'  =>  $field,
-                'label'     =>  $post[$field . '_label'],
+                'label'     =>  htmlspecialchars($post[$field . '_label'], ENT_QUOTES),
                 'category'  =>  $post[$field . '_category'],
                 'visible'   =>  $post[$field . '_visible'],
                 'required'  =>  $required

diff --git a/galette/lib/Galette/Controllers/HistoryController.php b/galette/lib/Galette/Controllers/HistoryController.php
@@ -141,7 +141,7 @@ public function historyFilter(Request $request, Response $response): Response
             if (
                 (isset($post['nbshow']) && is_numeric($post['nbshow']))
             ) {
-                $filters->show = $post['nbshow'];
+                $filters->show = (int)$post['nbshow'];
             }
 
             if (isset($post['end_date_filter']) || isset($post['start_date_filter'])) {

diff --git a/galette/lib/Galette/Controllers/PdfController.php b/galette/lib/Galette/Controllers/PdfController.php
@@ -580,7 +580,7 @@ public function storeModels(Request $request, Response $response): Response
             $type = (int)$post['model_type'];
             $class = PdfModel::getTypeClass($type);
             if (isset($post[PdfModel::PK])) {
-                $model = new $class($this->zdb, $this->preferences, (int)$_POST[PdfModel::PK]);
+                $model = new $class($this->zdb, $this->preferences, (int)$post[PdfModel::PK]);
             } else {
                 $model = new $class($this->zdb, $this->preferences);
             }

diff --git a/galette/lib/Galette/Controllers/PluginsController.php b/galette/lib/Galette/Controllers/PluginsController.php
@@ -203,8 +203,8 @@ public function initPluginDb(Request $request, Response $response, string $id):
             $install->atPreviousStep();
         } elseif (isset($post['install_prefs_ok'])) {
             $install->atEndStep();
-        } elseif (isset($_POST['previous_version'])) {
-            $install->setInstalledVersion($_POST['previous_version']);
+        } elseif (isset($post['previous_version'])) {
+            $install->setInstalledVersion($post['previous_version']);
             $install->atDbUpgradeStep();
         } elseif (isset($post['install_dbperms_ok'])) {
             if ($install->isInstall()) {
@@ -286,7 +286,7 @@ public function initPluginDb(Request $request, Response $response, string $id):
                     $update_scripts = Install::getUpdateScripts(
                         $plugin['root'],
                         TYPE_DB,
-                        $_POST['previous_version']
+                        $post['previous_version']
                     );
                 } else {
                     $update_scripts['current'] = TYPE_DB . '.sql';

diff --git a/galette/lib/Galette/Entity/Adherent.php b/galette/lib/Galette/Entity/Adherent.php
@@ -889,7 +889,7 @@ public static function getNameWithCase($name, $surname, $title = false, $id = fa
         if ($id !== false || $nick !== false) {
             $str .= ')';
         }
-        return $str;
+        return strip_tags($str);
     }
 
     /**
@@ -1679,7 +1679,7 @@ public function __get($name)
                         if ($this->_address_continuation !== '' && $this->_address_continuation !== null) {
                             $address .= "\n" . $this->_address_continuation;
                         }
-                        return $address;
+                        return htmlspecialchars($address, ENT_QUOTES);
                         break;
                     case 'sname':
                         return $this->getNameWithCase($this->_name, $this->_surname);

diff --git a/galette/templates/default/gestion_adherents.tpl b/galette/templates/default/gestion_adherents.tpl
@@ -221,16 +221,18 @@ We have to use a template file, so Smarty will do its work (like replacing varia
                         <img src="{base_url}/{$template_subdir}images/icon-empty.png" alt="" width="16" height="16"/>
             {/if}
                         {assign var="mid" value=$member->id}
-                        <a href="{path_for name="member" data=["id" => $member->id]}">{$member->sname}{if $member->company_name} ({$member->company_name}){/if}</a>
+                        <a href="{path_for name="member" data=["id" => $member->id]}">{$member->sname}{if $member->company_name} ({$member->company_name|escape}){/if}</a>
                     </td>
         {else}
             {assign var="lrclass" value=$rclass}
             {assign var="propname" value=$column->propname}
-            {assign var=value value=$member->$propname}
+            {assign var=value value=$member->$propname|escape}
 
-            {if $column->field_id eq 'pseudo_adh'}
+            {if $column->field_id eq 'nom_adh'}
+                {assign var="value" value=$member->sfullname}
+            {elseif $column->field_id eq 'pseudo_adh'}
                 {assign var="lrclass" value="$rclass nowrap"}
-                {assign var=value value=$member->$propname|htmlspecialchars}
+                {assign var=value value=$member->$propname|escape}
             {elseif $column->field_id eq 'tel_adh' or $column->field_id eq 'gsm_adh'}
                 {assign var="lrclass" value="$rclass nowrap"}
             {elseif $column->field_id eq 'id_statut'}

diff --git a/galette/templates/default/history.tpl b/galette/templates/default/history.tpl
@@ -26,7 +26,7 @@
             <select name="action_filter" id="action_filter">
                 <option value="0">{_T string="Select an action"}</option>
         {foreach from=$actions item=$action}
-                <option value="{$action}"{if $history->filters->action_filter eq $action} selected="selected"{/if}>{$action}</option>
+                <option value="{$action|escape}"{if $history->filters->action_filter eq $action} selected="selected"{/if}>{$action|escape}</option>
         {/foreach}
             </select>
     {/if}
@@ -126,9 +126,9 @@
                     <td class="nowrap" data-title="{_T string="Date"}">{$log.date_log|date_format:"%a %d/%m/%Y - %R"}</td>
                     <td class="nowrap" data-title="{_T string="IP"}">{$log.ip_log}</td>
                     <td data-title="{_T string="User"}">{$log.adh_log}</td>
-                    <td data-title="{_T string="Action"}">{$log.action_log}</td>
+                    <td data-title="{_T string="Action"}">{$log.action_log|escape}</td>
                     <td data-title="{_T string="Description"}">
-                        {$log.text_log}
+                        {$log.text_log|escape}
         {if $log.sql_log}
                         <span class="sql_log">{$log.sql_log|escape:"htmlall"}</span>
         {/if}

diff --git a/galette/templates/default/voir_adherent.tpl b/galette/templates/default/voir_adherent.tpl
@@ -93,7 +93,7 @@
             <li>
                 <a
                     href="{path_for name="duplicateMember" data=["id_adh" => $member->id]}"
-                    title="{_T string="Create a new member with %name information." pattern="/%name/" replace=$member->sname}"
+                    title="{_T string="Create a new member with %name information." pattern="/%name/" replace=$member->sfullname}"
                     class="button bigbutton tooltip"
                 >
                     <i class="fas fa-clone fa-fw fa-2x" aria-hidden="true"></i>
@@ -143,7 +143,7 @@ We have to use a template file, so Smarty will do its work (like replacing varia
         {assign var="value" value=$member->$propname|escape}
 
         {if $element->field_id eq 'nom_adh'}
-            {assign var="value" value=$member->sfullname|escape}
+            {assign var="value" value=$member->sfullname}
         {elseif $element->field_id eq 'pref_lang'}
             {assign var="value" value=$pref_lang}
         {elseif $element->field_id eq 'adresse_adh'}