Proper output sanitizing

intelliants · Feb 20, 2017 · d5c6e51 · d5c6e51
1 parent 619c55f
commit d5c6e51
Show file tree

Hide file tree

Showing 7 changed files with 26 additions and 22 deletions.
diff --git a/includes/classes/ia.core.smarty.php b/includes/classes/ia.core.smarty.php
@@ -1118,7 +1118,7 @@ public static function ia_print_title($params)
 		$suffix = iaCore::instance()->get('suffix');
 		$title = empty($params['title']) ? iaCore::instance()->iaView->get('title') : $params['title'];
 
-		return $title . ' ' . $suffix;
+		return iaSanitize::html($title . ' ' . $suffix);
 	}
 
 	public static function displayTreeNodes(array $params)

diff --git a/includes/classes/ia.core.view.php b/includes/classes/ia.core.view.php
@@ -205,6 +205,7 @@ public function title($title = null)
 		{
 			return $this->get('title');
 		}
+
 		$this->set('title', $title);
 	}
 

diff --git a/modules/blog/admin/index.php b/modules/blog/admin/index.php
@@ -97,19 +97,25 @@ protected function _preSaveEntry(array &$entry, array $data, $action)
 
 		iaUtil::loadUTF8Functions('ascii', 'validation', 'bad', 'utf8_to_ascii');
 
+		$entry['body'] = iaUtil::safeHTML($entry['body']);
+
 		if (!utf8_is_valid($entry['title']))
 		{
 			$entry['title'] = utf8_bad_replace($entry['title']);
 		}
-		if (empty($entry['title']))
-		{
-			$this->addMessage('title_is_empty');
-		}
 
 		if (!utf8_is_valid($entry['body']))
 		{
 			$entry['body'] = utf8_bad_replace($entry['body']);
 		}
+
+		$entry['alias'] = $this->getHelper()->titleAlias(empty($entry['alias']) ? $entry['title'] : $entry['alias']);
+
+		if (empty($entry['title']))
+		{
+			$this->addMessage('title_is_empty');
+		}
+
 		if (empty($entry['body']))
 		{
 			$this->addMessage(iaLanguage::getf('field_is_empty', ['field' => iaLanguage::get('body')]), false);
@@ -120,8 +126,6 @@ protected function _preSaveEntry(array &$entry, array $data, $action)
 			$entry['date_added'] = date(iaDb::DATETIME_FORMAT);
 		}
 
-		$entry['alias'] = $this->getHelper()->titleAlias(empty($entry['alias']) ? $entry['title'] : $entry['alias']);
-
 		if ($this->getMessages())
 		{
 			return false;

diff --git a/modules/blog/index.php b/modules/blog/index.php
@@ -213,13 +213,12 @@
 					return iaView::errorPage(iaView::ERROR_NOT_FOUND);
 				}
 
-				$title = iaSanitize::tags($entry['title']);
-				iaBreadcrumb::toEnd($title);
-				$iaView->title($title);
+				iaBreadcrumb::toEnd($entry['title']);
+				$iaView->title($entry['title']);
 
 				// add open graph data
 				$openGraph = [
-					'title' => $title,
+					'title' => $entry['title'],
 					'url' => IA_SELF,
 					'description' => $entry['body']
 				];

diff --git a/templates/_common/breadcrumb.tpl b/templates/_common/breadcrumb.tpl
@@ -5,18 +5,18 @@
 				{foreach $core.page.breadcrumb as $entry}
 					{if $entry.url && !$entry@last}
 						<li typeof="v:Breadcrumb">
-							<a href="{$entry.url}"{if isset($entry.no_follow) && $entry.no_follow} rel="nofollow"{/if} rel="v:url" property="v:title">{$entry.caption}</a>
+							<a href="{$entry.url}"{if isset($entry.no_follow) && $entry.no_follow} rel="nofollow"{/if} rel="v:url" property="v:title">{$entry.caption|escape:'html'}</a>
 						</li>
 					{else}
-						<li class="active">{$entry.caption}</li>
+						<li class="active">{$entry.caption|escape:'html'}</li>
 					{/if}
 				{/foreach}
 			</ol>
 
 			{if isset($core.page.info.actions)}
 				<div class="action-buttons">
 					{section action $core.page.info.actions max=2}
-						<a href="{$core.page.info.actions[action].url}" class="btn btn-xs {if isset($core.page.info.actions[action].classes)} {$core.page.info.actions[action].classes}{else}btn-success{/if}"><span class="fa fa-{$core.page.info.actions[action].icon}"></span> {$core.page.info.actions[action].title}</a> 
+						<a href="{$core.page.info.actions[action].url}" class="btn btn-xs {if isset($core.page.info.actions[action].classes)} {$core.page.info.actions[action].classes}{else}btn-success{/if}"><span class="fa fa-{$core.page.info.actions[action].icon}"></span> {$core.page.info.actions[action].title|escape:'html'}</a>
 					{/section}
 
 					{if count($core.page.info.actions) > 2}
@@ -29,7 +29,7 @@
 									<li class="divider"></li>
 								{/if}
 								<li>
-									<a href="{$core.page.info.actions[action].url}"{if isset($core.page.info.actions[action].classes)} class="{$core.page.info.actions[action].classes}{/if}"><i class="{$core.page.info.actions[action].icon}"></i> {$core.page.info.actions[action].title}</a>
+									<a href="{$core.page.info.actions[action].url}"{if isset($core.page.info.actions[action].classes)} class="{$core.page.info.actions[action].classes}{/if}"><i class="{$core.page.info.actions[action].icon}"></i> {$core.page.info.actions[action].title|escape:'html'}</a>
 								</li>
 							{/section}
 						</ul>

diff --git a/templates/kickstart/breadcrumb.tpl b/templates/kickstart/breadcrumb.tpl
@@ -5,18 +5,18 @@
 				{foreach $core.page.breadcrumb as $entry}
 					{if $entry.url && !$entry@last}
 						<li typeof="v:Breadcrumb">
-							<a href="{$entry.url}"{if isset($entry.no_follow) && $entry.no_follow} rel="nofollow"{/if} rel="v:url" property="v:title">{$entry.caption}</a>
+							<a href="{$entry.url}"{if isset($entry.no_follow) && $entry.no_follow} rel="nofollow"{/if} rel="v:url" property="v:title">{$entry.caption|escape:'html'}</a>
 						</li>
 					{else}
-						<li class="active">{$entry.caption}</li>
+						<li class="active">{$entry.caption|escape:'html'}</li>
 					{/if}
 				{/foreach}
 			</ol>
 
 			{if isset($core.page.info.actions)}
 				<div class="action-buttons">
 					{section action $core.page.info.actions max=2}
-						<a href="{$core.page.info.actions[action].url}" class="btn btn-xs {if isset($core.page.info.actions[action].classes)} {$core.page.info.actions[action].classes}{else}btn-success{/if}"><span class="fa fa-{$core.page.info.actions[action].icon}"></span> {$core.page.info.actions[action].title}</a> 
+						<a href="{$core.page.info.actions[action].url}" class="btn btn-xs {if isset($core.page.info.actions[action].classes)} {$core.page.info.actions[action].classes}{else}btn-success{/if}"><span class="fa fa-{$core.page.info.actions[action].icon}"></span> {$core.page.info.actions[action].title|escape:'html'}</a>
 					{/section}
 
 					{if count($core.page.info.actions) > 2}
@@ -29,7 +29,7 @@
 									<li class="divider"></li>
 								{/if}
 								<li>
-									<a href="{$core.page.info.actions[action].url}"><i class="fa fa-{$core.page.info.actions[action].icon}"></i> {$core.page.info.actions[action].title}</a>
+									<a href="{$core.page.info.actions[action].url}"><i class="fa fa-{$core.page.info.actions[action].icon}"></i> {$core.page.info.actions[action].title|escape:'html'}</a>
 								</li>
 							{/section}
 						</ul>

diff --git a/templates/kickstart/layout.tpl b/templates/kickstart/layout.tpl
@@ -180,14 +180,14 @@
 					{if in_array($core.page.name, array('login', 'member_registration'))}
 						<div class="page-system">
 							<div class="content__header">
-								<h1>{$core.page.title}</h1>
+								<h1>{$core.page.title|escape:'html'}</h1>
 								<ul class="content__actions">
 									{foreach $core.actions as $name => $action}
 										<li>
 											{if 'action-favorites' == $name}
 												{printFavorites item=$item itemtype=$item.item guests=true}
 											{else}
-												<a data-toggle="tooltip" title="{$action.title}" {foreach $action.attributes as $key => $value}{$key}="{$value}" {/foreach}>
+												<a data-toggle="tooltip" title="{$action.title|escape:'html'}" {foreach $action.attributes as $key => $value}{$key}="{$value}" {/foreach}>
 													<span class="fa fa-{$name}"></span>
 												</a>
 											{/if}
@@ -218,7 +218,7 @@
 									{ia_blocks block='top'}
 
 									<div class="content__header">
-										<h1>{$core.page.title}</h1>
+										<h1>{$core.page.title|escape:'html'}</h1>
 										<ul class="content__actions">
 											{foreach $core.actions as $name => $action}
 												<li>