From 1d85653ab00b534e63aacc1190896edd1577558e Mon Sep 17 00:00:00 2001
From: mp3butcher
Date: Wed, 29 Nov 2023 04:28:32 +0100
Subject: [PATCH] guard createhtmlspecialchars
---
 legacy/application/common/FileDataHelper.php | 14 +++++++-------
 .../controllers/AudiopreviewController.php | 18 +++++++++++++++---
 .../controllers/IndexController.php | 12 ++++++++++--
 .../controllers/ScheduleController.php | 2 +-
 legacy/application/models/Block.php | 4 ++--
 legacy/application/models/Playlist.php | 8 ++------
 legacy/application/models/ShowBuilder.php | 16 ++++------------
 .../services/PodcastEpisodeService.php | 3 ++-
 legacy/application/services/PodcastService.php | 14 +++++++-------
 9 files changed, 50 insertions(+), 41 deletions(-)
diff --git a/legacy/application/common/FileDataHelper.php b/legacy/application/common/FileDataHelper.php
index d930d79588..8442bc58e2 100644
--- a/legacy/application/common/FileDataHelper.php
+++ b/legacy/application/common/FileDataHelper.php
@@ -367,15 +367,15 @@ public static function resizeGroup($file, $ext)
 public static function renderImage($file)
 {
 if ($file && file_exists($file)) {
- $im = @imagecreatefromjpeg($file);
+ $im = @imagecreatefromjpeg($file);
- $img = $im;
+ $img = $im;
- if ($im) {
- header('Content-Type: image/jpeg');
- imagejpeg($img);
- imagedestroy($img);
- }
+ if ($im) {
+ header('Content-Type: image/jpeg');
+ imagejpeg($img);
+ imagedestroy($img);
+ }
 }
 }
diff --git a/legacy/application/controllers/AudiopreviewController.php b/legacy/application/controllers/AudiopreviewController.php
index 976e385ccb..63d9143b3f 100644
--- a/legacy/application/controllers/AudiopreviewController.php
+++ b/legacy/application/controllers/AudiopreviewController.php
@@ -50,13 +50,25 @@ public function audioPreviewAction()
 $media = Application_Model_StoredFile::RecallById($audioFileID);
 $uri = $baseUrl . 'api/get-media/file/' . $audioFileID;
 $mime = $media->getPropelOrm()->getDbMime();
- $this->view->audioFileArtist = htmlspecialchars($media->getPropelOrm()->getDbArtistName());
- $this->view->audioFileTitle = htmlspecialchars($media->getPropelOrm()->getDbTrackTitle());
+ if ($media->getPropelOrm()->getDbArtistName()) {
+ $this->view->audioFileArtist = htmlspecialchars($media->getPropelOrm()->getDbArtistName());
+ } else {
+ $this->view->audioFileArtist = '';
+ }
+ if ($media->getPropelOrm()->getDbTrackTitle()) {
+ $this->view->audioFileTitle = htmlspecialchars($media->getPropelOrm()->getDbTrackTitle());
+ } else {
+ $this->view->audioFileTitle = '';
+ }
 } elseif ($type == 'stream') {
 $webstream = CcWebstreamQuery::create()->findPk($audioFileID);
 $uri = $webstream->getDbUrl();
 $mime = $webstream->getDbMime();
- $this->view->audioFileTitle = htmlspecialchars($webstream->getDbName());
+ if ($webstream->getDbName()) {
+ $this->view->audioFileTitle = htmlspecialchars($webstream->getDbName());
+ } else {
+ $this->view->audioFileTitle = '';
+ }
 } else {
 throw new Exception("Unknown type for audio preview!.Type={$type}");
 }
diff --git a/legacy/application/controllers/IndexController.php b/legacy/application/controllers/IndexController.php
index 0347bd5938..913e4712d9 100644
--- a/legacy/application/controllers/IndexController.php
+++ b/legacy/application/controllers/IndexController.php
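Review bot: The truthiness guard `if ($media->getPropelOrm()->getDbArtistName())` treats the string "0" as empty, so an artist or title of "0" is rendered as '' instead of being escaped; since the goal is only to keep null out of htmlspecialchars(), a null-coalescing form avoids that edge case, the repeated getter call and the four-line if/else: `$this->view->audioFileArtist = htmlspecialchars($media->getPropelOrm()->getDbArtistName() ?? '', ENT_QUOTES);`, and likewise for the track title and the webstream name. The same `? htmlspecialchars(...) : ''` shape recurs in the IndexController, ScheduleController, Block, Playlist, ShowBuilder, PodcastEpisodeService and PodcastService hunks and can be collapsed the same way. Passing ENT_QUOTES here, as the IndexController hunk already does, also keeps single quotes escaped on PHP versions before 8.1, where the default flags leave them untouched. audioPreviewAction continues outside the hunk.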
@@ -57,8 +57,16 @@ public function indexAction()
 $podcastEpisodesService = new Application_Service_PodcastEpisodeService();
 $episodes = $podcastEpisodesService->getPodcastEpisodes($stationPodcastId, 0, 0, PodcastEpisodesPeer::PUBLICATION_DATE, 'DESC');
 foreach ($episodes as $e => $v) {
- $episodes[$e]['CcFiles']['track_title'] = htmlspecialchars($v['CcFiles']['track_title'], ENT_QUOTES);
- $episodes[$e]['CcFiles']['artist_name'] = htmlspecialchars($v['CcFiles']['artist_name'], ENT_QUOTES);
+ if ($v['CcFiles']['track_title']) {
+ $episodes[$e]['CcFiles']['track_title'] = htmlspecialchars($v['CcFiles']['track_title'], ENT_QUOTES);
+ } else {
+ $episodes[$e]['CcFiles']['track_title'] = '';
+ }
+ if ($v['CcFiles']['artist_name']) {
+ $episodes[$e]['CcFiles']['artist_name'] = htmlspecialchars($v['CcFiles']['artist_name'], ENT_QUOTES);
+ } else {
+ $episodes[$e]['CcFiles']['artist_name'] = '';
+ }
 $pubDate = explode(' ', $v['publication_date']);
 $episodes[$e]['publication_date'] = $pubDate[0];
diff --git a/legacy/application/controllers/ScheduleController.php b/legacy/application/controllers/ScheduleController.php
index 9a153fe900..668a4c3aaa 100644
--- a/legacy/application/controllers/ScheduleController.php
+++ b/legacy/application/controllers/ScheduleController.php
@@ -398,7 +398,7 @@ public function showContentDialogAction()
 $this->view->percentFilled = $show->getPercentScheduled();
 $this->view->showContent = $show->getShowListContent();
 $this->view->dialog = $this->view->render('schedule/show-content-dialog.phtml');
- $this->view->showTitle = htmlspecialchars($show->getName());
+ $this->view->showTitle = $show->getName() ? htmlspecialchars($show->getName()) : '';
 unset($this->view->showContent);
 }
diff --git a/legacy/application/models/Block.php b/legacy/application/models/Block.php
index b1e9545191..3f6ba974a0 100644
--- a/legacy/application/models/Block.php
+++ b/legacy/application/models/Block.php
@@ -268,8 +268,8 @@ public function getContents($filterFiles = false)
 $row['orig_length'] = $formatter->format();
 // XSS exploit prevention
- $row['track_title'] = htmlspecialchars($row['track_title']);
- $row['creator'] = htmlspecialchars($row['creator']);
+ $row['track_title'] = $row['track_title'] ? htmlspecialchars($row['track_title']) : '';
+ $row['creator'] = $row['creator'] ? htmlspecialchars($row['creator']) : '';
 }
 return $rows;
diff --git a/legacy/application/models/Playlist.php b/legacy/application/models/Playlist.php
index 343a6ba862..e1d849fb0f 100644
--- a/legacy/application/models/Playlist.php
+++ b/legacy/application/models/Playlist.php
@@ -282,12 +282,8 @@ public function getContents($filterFiles = false)
 $row['orig_length'] = $formatter->format();
 // XSS exploit prevention
- if ($row['track_title']) {
- $row['track_title'] = htmlspecialchars($row['track_title']);
- }
- if ($row['creator']) {
- $row['creator'] = htmlspecialchars($row['creator']);
- }
+ $row['track_title'] = $row['track_title'] ? htmlspecialchars($row['track_title']) : '';
+ $row['creator'] = $row['creator'] ? htmlspecialchars($row['creator']) : '';
 }
 return $rows;
diff --git a/legacy/application/models/ShowBuilder.php b/legacy/application/models/ShowBuilder.php
index 7ecba2149f..229e51c026 100644
--- a/legacy/application/models/ShowBuilder.php
+++ b/legacy/application/models/ShowBuilder.php
@@ -232,9 +232,7 @@ private function makeHeaderRow($p_item)
 $row['endDate'] = $showEndDT->format('Y-m-d');
 $row['endTime'] = $showEndDT->format('H:i');
 $row['duration'] = floatval($showEndDT->format('U.u')) - floatval($showStartDT->format('U.u'));
- if ($p_item['show_name']) {
- $row['title'] = htmlspecialchars($p_item['show_name']);
- }
+ $row['title'] = $p_item['show_name'] ? htmlspecialchars($p_item['show_name']) : '';
 $row['instance'] = intval($p_item['si_id']);
 $row['image'] = '';
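Review bot: After the Playlist hunk, Block::getContents and Playlist::getContents carry the same two escaping lines verbatim, and the two had already drifted apart before this commit (Playlist had a guard, Block did not), so a shared helper would stop them diverging again, e.g. a static method along the lines of `escapeOrEmpty(?string $value): string` on a common class, called as `$row['track_title'] = self::escapeOrEmpty($row['track_title']);`. The `// XSS exploit prevention` comment would also be more useful if it stated that the rows returned here are already HTML-escaped, so a consumer rendering them into a non-HTML context (JSON, plain text) knows not to expect raw values; whether such a consumer exists is not visible from the hunk. Both getContents bodies start and end outside their hunks.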
@@ -285,15 +283,9 @@ private function makeScheduledItemRow($p_item)
 $formatter = new LengthFormatter(Application_Common_DateHelper::secondsToPlaylistTime($run_time));
 $row['runtime'] = $formatter->format();
- if ($p_item['file_track_title']) {
- $row['title'] = htmlspecialchars($p_item['file_track_title']);
- }
- if ($p_item['file_artist_name']) {
- $row['creator'] = htmlspecialchars($p_item['file_artist_name']);
- }
- if ($p_item['file_album_title']) {
- $row['album'] = htmlspecialchars($p_item['file_album_title']);
- }
+ $row['title'] = $p_item['file_track_title'] ? htmlspecialchars($p_item['file_track_title']) : '';
+ $row['creator'] = $p_item['file_artist_name'] ? htmlspecialchars($p_item['file_artist_name']) : '';
+ $row['album'] = $p_item['file_album_title'] ? htmlspecialchars($p_item['file_album_title']) : '';
 $row['cuein'] = $p_item['cue_in'];
 $row['cueout'] = $p_item['cue_out'];
diff --git a/legacy/application/services/PodcastEpisodeService.php b/legacy/application/services/PodcastEpisodeService.php
index cfc695fe8f..66c78bcbee 100644
--- a/legacy/application/services/PodcastEpisodeService.php
+++ b/legacy/application/services/PodcastEpisodeService.php
@@ -472,6 +472,7 @@ public function _getImportedPodcastEpisodeArray($podcast, $episodes)
 if (!empty($file) && $file['import_status'] == CcFiles::IMPORT_STATUS_PENDING) {
 $ingested = -1;
 }
+ $itemdesc = $item->get_description() ? $item->get_description() : '';
 array_push($episodesArray, [
 'podcast_id' => $podcast->getDbId(),
@@ -481,7 +482,7 @@ public function _getImportedPodcastEpisodeArray($podcast, $episodes)
 // From the RSS spec best practices:
 // 'An item's author element provides the e-mail address of the person who wrote the item'
 'author' => $this->_buildAuthorString($item),
- 'description' => htmlspecialchars($item->get_description()),
+ 'description' => htmlspecialchars($itemdesc),
 'pub_date' => $item->get_gmdate(),
 'link' => $url,
 'enclosure' => $enclosure,
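Review bot: The assignments `$row['title'] = $p_item['file_track_title'] ? htmlspecialchars(...) : '';` (and the `creator` and `album` lines below it) are now unconditional, whereas the removed code left the key untouched when the field was falsy; if makeScheduledItemRow, which starts and ends outside the hunk, fills `title`, `creator` or `album` for other item kinds before this point, those values are now overwritten with '', so that path is worth checking. The same applies to `$row['title']` in the makeHeaderRow hunk above. If leaving the key unset was never relied on, the change is fine, and what remains is that a title, creator or album of "0" collapses to '' because of the truthiness test.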
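Review bot: The temporary `$itemdesc` introduced in the first PodcastEpisodeService hunk exists only to feed htmlspecialchars() in the second hunk, and it calls get_description() twice; assuming the getter returns a string or null, inlining `'description' => htmlspecialchars($item->get_description() ?? ''),` at the call site removes the variable, the double call and the truthiness test that maps a description of "0" to ''. If the variable is kept, camelCase (`$itemDesc`) matches the names used around it (`$episodesArray`, `$ingested`), and `$item->get_description() ?: ''` is the shorter spelling of the same ternary. _getImportedPodcastEpisodeArray starts and ends outside both hunks.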
diff --git a/legacy/application/services/PodcastService.php b/legacy/application/services/PodcastService.php
index b0c3ab5167..966c700eb1 100644
--- a/legacy/application/services/PodcastService.php
+++ b/legacy/application/services/PodcastService.php
@@ -62,15 +62,15 @@ public static function createFromFeedUrl($feedUrl)
 $podcastArray = [];
 $podcastArray['url'] = $feedUrl;
- $podcastArray['title'] = htmlspecialchars($rss->get_title());
- $podcastArray['description'] = htmlspecialchars($rss->get_description());
- $podcastArray['link'] = htmlspecialchars($rss->get_link());
- $podcastArray['language'] = htmlspecialchars($rss->get_language());
- $podcastArray['copyright'] = htmlspecialchars($rss->get_copyright());
+ $podcastArray['title'] = $rss->get_title() ? htmlspecialchars($rss->get_title()) : '';
+ $podcastArray['description'] = $rss->get_description() ? htmlspecialchars($rss->get_description()) : '';
+ $podcastArray['link'] = $rss->get_link() ? htmlspecialchars($rss->get_link()) : '';
+ $podcastArray['language'] = $rss->get_language() ? htmlspecialchars($rss->get_language()) : '';
+ $podcastArray['copyright'] = $rss->get_copyright() ? htmlspecialchars($rss->get_copyright()) : '';
 $author = $rss->get_author();
 $name = empty($author) ? '' : $author->get_name();
- $podcastArray['creator'] = htmlspecialchars($name);
+ $podcastArray['creator'] = $name ? htmlspecialchars($name) : '';
 $categories = [];
 if (is_array($rss->get_categories())) {
@@ -432,7 +432,7 @@ public static function createStationRssFeed()
 $imageUrl = Config::getPublicUrl() . 'api/station-logo';
 $image = $channel->addChild('image');
- $image->addChild('title', htmlspecialchars($podcast->getDbTitle()));
+ $image->addChild('title', htmlspecialchars($podcast->getDbTitle() ? $podcast->getDbTitle() : ''));
 self::addEscapedChild($image, 'url', $imageUrl);
 self::addEscapedChild($image, 'link', Config::getPublicUrl());
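Review bot: `$podcastArray['link'] = $rss->get_link() ? htmlspecialchars($rss->get_link()) : '';` keeps the feed's link URL in HTML-escaped form, so a URL containing `&` is stored as `&amp;`; that is correct only if every consumer writes the value raw into HTML, and wrong if it is later used as a URL or passed through a view layer that escapes again (where `$podcastArray` is persisted and read is outside the hunk). Because these values come from an untrusted remote feed, escaping per output context at render time is the more robust contract, and it would also let the five guards shrink to one-liners such as `$podcastArray['title'] = htmlspecialchars($rss->get_title() ?? '');` with a single getter call each. createFromFeedUrl continues outside the hunk.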