Security improvements have been implemented - about HTML attribute escaping and XSS-cleaning.
ivantcholakov committed Sep 5, 2022
1 parent d7c8d57 commit 2606983
Showing 7 changed files with 69 additions and 19 deletions.
11 changes: 8 additions & 3 deletions platform/applications/admin/core/Base_Controller.php
Expand Up @@ -14,10 +14,15 @@ public function __construct() {
$this->load->model('visual_themes');
$this->load->library('template');

$theme = (string) $this->input->get('theme');

if ($theme != '') {
$theme = (string) base64_decode($theme);
}

// Determine the current visual theme.
if ($this->input->get('theme') != '' && $this->input->method() == 'get' && !$this->input->is_ajax_request()) {
if ($theme != '' && $this->input->method() == 'get' && !$this->input->is_ajax_request()) {

$theme = (string) $this->input->get('theme');
$this->visual_themes->set_current($theme);

parse_str(parse_url(CURRENT_URL, PHP_URL_QUERY), $query);
Expand Down Expand Up @@ -121,7 +126,7 @@ protected function _check_access() {
redirect('login');
}

redirect(http_build_url(site_url('login'), array('query' => http_build_query(array('continue' => CURRENT_URL)))));
redirect(http_build_url(site_url('login'), array('query' => http_build_query(array('continue' => base64_encode(CURRENT_URL))))));
}

return true;
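Review bot: Base64-decoding the `theme` query parameter at the top of the first hunk is an encoding step, not a validation step, so the string handed to `$this->visual_themes->set_current($theme)` is still fully attacker-controlled; unless `set_current()` already rejects keys that are not installed themes (I cannot see it here), the decoded value should be compared against the known theme keys before it is stored. The decode also runs in lenient mode, which silently drops characters outside the base64 alphabet; `$theme = (string) base64_decode($theme, true);` turns a malformed parameter into `false`, which the cast maps to `''` and the following `if` then skips. The same decode-then-set sequence is duplicated in the front Base_Controller, so a shared helper would keep the two from drifting. `__construct()` continues past the end of the hunk.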
Expand Up @@ -46,11 +46,17 @@ public function index() {
// Implement your own login system.
if ($this->_login($username, $password)) {

if ($this->input->get('continue')) {
redirect($this->input->get('continue'));
$continue = (string) $this->input->get('continue');

if ($continue != '') {
$continue = (string) base64_decode($continue);
}

if ($continue != '' && strpos($continue, site_url()) === 0) {
redirect($continue);
}

$this->session->set_flashdata('confirmation_message', '<nobr>Hello, <strong>'.$username.'</strong>.</nobr>');
$this->session->set_flashdata('confirmation_message', '<nobr>Hello, <strong>'.html_escape($username).'</strong>.</nobr>');
redirect(site_url());

} else {
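Review bot: The open-redirect guard `strpos($continue, site_url()) === 0` is a plain string-prefix test, so whether it pins the host depends on `site_url()` ending in a path separator: with an empty `index_page` and a `base_url` configured without a trailing slash, a target such as `https://example.com.attacker.tld/` would satisfy the check. Comparing the scheme and host of `$continue` with those of `site_url()` via `parse_url()`, or accepting only a path and re-prefixing it with `site_url()`, removes that dependency on configuration. `base64_decode($continue, true)` would additionally reject a malformed parameter rather than decoding it leniently; the `(string)` cast already maps the resulting `false` to `''`, which the guard then ignores. The `index()` method begins before this hunk.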
Expand Up @@ -30,7 +30,7 @@ public function index($display_type = null) {
foreach ($theme_switcher as $key => $value) {

$theme_switcher[$key]['label'] = $value['name'];
$theme_switcher[$key]['link'] = http_build_url(CURRENT_URL, array('query' => http_build_query(array('theme' => $value['key']))), HTTP_URL_JOIN_QUERY);
$theme_switcher[$key]['link'] = http_build_url(CURRENT_URL, array('query' => http_build_query(array('theme' => base64_encode($value['key'])))), HTTP_URL_JOIN_QUERY);

if ($value['key'] == $this->visual_themes->get_current()) {
$theme_switcher[$key]['active'] = true;
9 changes: 7 additions & 2 deletions platform/applications/front/core/Base_Controller.php
Expand Up @@ -11,10 +11,15 @@ public function __construct() {
->library('template')
;

$theme = (string) $this->input->get('theme');

if ($theme != '') {
$theme = (string) base64_decode($theme);
}

// Determine the current visual theme.
if ($this->input->get('theme') != '' && $this->input->method() == 'get' && !$this->input->is_ajax_request()) {
if ($theme != '' && $this->input->method() == 'get' && !$this->input->is_ajax_request()) {

$theme = (string) $this->input->get('theme');
$this->visual_themes->set_current($theme);

parse_str(parse_url(CURRENT_URL, PHP_URL_QUERY), $query);
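Review bot: The decoded `theme` value is passed straight to `$this->visual_themes->set_current($theme)`; base64 only obscures the parameter, and the decoded string still needs a check against the installed theme keys unless `set_current()` performs that check itself, which is not visible here. `base64_decode($theme, true)` would make a malformed parameter decode to `false`, which the `(string)` cast turns into `''` so the following `if` skips it, instead of decoding leniently. This block repeats the admin Base_Controller constructor line for line, so a shared helper would keep the two implementations in step. The constructor continues beyond the hunk.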
Expand Up @@ -30,7 +30,7 @@ public function index($display_type = null) {
foreach ($theme_switcher as $key => $value) {

$theme_switcher[$key]['label'] = $value['name'];
$theme_switcher[$key]['link'] = http_build_url(CURRENT_URL, array('query' => http_build_query(array('theme' => $value['key']))), HTTP_URL_JOIN_QUERY);
$theme_switcher[$key]['link'] = http_build_url(CURRENT_URL, array('query' => http_build_query(array('theme' => base64_encode($value['key'])))), HTTP_URL_JOIN_QUERY);

if ($value['key'] == $this->visual_themes->get_current()) {
$theme_switcher[$key]['active'] = true;
16 changes: 14 additions & 2 deletions platform/common/core/Common.php
Expand Up @@ -493,7 +493,7 @@ function _stringify_attributes($attributes, $js = FALSE)
$atts = '';
foreach ($attributes as $key => $val)
{
$atts .= ($js) ? $key.'='.$val.',' : ' '.$key.'="'.$val.'"';
$atts .= ($js) ? $key.'='.$val.',' : ' '.get_instance()->security->xss_clean($key).'="'.html_attr_escape($val).'"';
}

return rtrim($atts, ',');
Expand Down Expand Up @@ -530,7 +530,19 @@ function html_attr($attributes, $return_as_array = false) {

$attr = new HTML_Attributes($attributes);

return $attr->getAttributes( ! $return_as_array);
if (!$return_as_array) {

$str = '';
$attributes = $attr->getAttributes(false);

foreach ($attributes as $key => $value) {
$str .= ' ' . get_instance()->security->xss_clean($key) . '="' . html_attr_escape($value) . '"';
}

return $str;
}

return $attr->getAttributes(false);
}

}
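Review bot: In `_stringify_attributes`, `xss_clean($key)` is a blacklist filter applied to a bare attribute name, and as far as I know CodeIgniter's `xss_clean` only strips event-handler names when they appear inside a tag, so a key such as `onclick` would pass through unchanged; an allow-list on the name is the check that actually bounds the attribute, e.g. `if ( ! preg_match('/^[a-zA-Z_:][-a-zA-Z0-9_:.]*$/', $key)) { continue; }`. The `$js` branch on the same line still emits `$key.'='.$val.','` without any escaping, so the hardening only covers the HTML path. The identical pattern appears in the new `html_attr()` loop; both call `get_instance()->security->xss_clean()` once per attribute, and hoisting `$security = get_instance()->security;` above the loop avoids the repeated instance lookup. Whether `html_attr_escape()` double-encodes values callers have already escaped cannot be determined from this page and is worth confirming.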
36 changes: 29 additions & 7 deletions platform/common/helpers/MY_form_helper.php
Expand Up @@ -189,13 +189,13 @@ function form_open($action = '', $attributes = array(), $hidden = array())
$attributes .= ' accept-charset="'.strtolower(config_item('charset')).'"';
}

$form = '<form action="'.$action.'"'.$attributes.">\n";
$form = '<form action="'.html_attr_escape(get_instance()->security->xss_clean($action)).'"'.$attributes.">\n";

if (is_array($hidden))
{
foreach ($hidden as $name => $value)
{
$form .= '<input type="hidden" name="'.$name.'" value="'.form_prep($value).'" />'."\n";
$form .= '<input type="hidden" name="'.html_attr_escape($name).'" value="'.form_prep($value).'" />'."\n";
}
}

Expand Down Expand Up @@ -359,7 +359,7 @@ function form_hidden($name, $value = '', $recursing = FALSE)

if ( ! is_array($value))
{
$form .= '<input type="hidden" name="'.$name.'" value="'.form_prep($value)."\" />\n";
$form .= '<input type="hidden" name="'.html_attr_escape($name).'" value="'.form_prep($value)."\" />\n";
}
else
{
Expand Down Expand Up @@ -480,7 +480,7 @@ function form_dropdown($data = '', $options = array(), $selected = array(), $ext
continue;
}

$form .= '<optgroup label="'.$key."\">\n";
$form .= '<optgroup label="'.html_attr_escape($key)."\">\n";

foreach ($val as $optgroup_key => $optgroup_val)
{
Expand Down Expand Up @@ -614,14 +614,16 @@ function _parse_form_attributes($attributes, $default)
{
if ($key === 'value')
{
$val = form_prep($val);
$att .= get_instance()->security->xss_clean($key).'="'.form_prep($val).'" ';
}
elseif ($key === 'name' && ! strlen($default['name']))
{
continue;
}

$att .= $key.'="'.$val.'" ';
else
{
$att .= get_instance()->security->xss_clean($key).'="'.html_attr_escape($val).'" ';
}
}

return $att;
Expand All @@ -630,3 +632,23 @@ function _parse_form_attributes($attributes, $default)

// ------------------------------------------------------------------------
// End BC functions


// Added by Ivan Tcholakov, 05-SEP-2022.
if ( ! function_exists('_attributes_to_string'))
{
function _attributes_to_string($attributes)
{
if (empty($attributes))
{
return '';
}

if (is_array($attributes) || is_string($attributes) || is_object($attributes))
{
return html_attr($attributes, false);
}

return FALSE;
}
}
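Review bot: In `form_open`, `xss_clean($action)` is a rewriting filter rather than an escape — as far as I know CodeIgniter's `xss_clean` URL-decodes and strips fragments it considers dangerous — so a legitimate action URL can come out altered, while the context-correct protection for the attribute is `html_attr_escape($action)` alone together with a check that `$action` is relative or uses an `http`/`https` scheme. `_parse_form_attributes` runs `xss_clean` over the literal key `'value'` in its first branch; `$att .= 'value="'.form_prep($val).'" ';` expresses the same thing without the filter call. The new `_attributes_to_string` is guarded by `function_exists`, so it only takes effect where this helper is loaded before CodeIgniter's own definition, and routing a string argument through `html_attr()` may not preserve the original behaviour for string input — `HTML_Attributes` is not visible here, so that deserves a test. `form_open` and `_parse_form_attributes` both begin before their hunks.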
