update

microweber · Jun 7, 2023 · 42efa98 · 42efa98
1 parent 21d5b03
commit 42efa98
Show file tree

Hide file tree

Showing 4 changed files with 70 additions and 43 deletions.
diff --git a/src/MicroweberPackages/Content/ContentManagerHelpers.php b/src/MicroweberPackages/Content/ContentManagerHelpers.php
@@ -659,6 +659,7 @@ public function save_from_live_edit($post_data)
         $ref_page_url = false;
         if (isset($_SERVER['HTTP_REFERER'])) {
             $ref_page_url = $_SERVER['HTTP_REFERER'];
+            $ref_page_url = xss_clean($ref_page_url);
         }
 
         if (isset($post_data['id']) and intval($post_data['id']) > 0) {

diff --git a/src/MicroweberPackages/Content/tests/ContentApiControllerLiveEditSaveTest.php b/src/MicroweberPackages/Content/tests/ContentApiControllerLiveEditSaveTest.php
@@ -2,9 +2,7 @@
 
 namespace MicroweberPackages\Content\tests;
 
-use Illuminate\Database\Eloquent\Model;
 use Illuminate\Support\Facades\Auth;
-use MicroweberPackages\Category\Models\Category;
 use MicroweberPackages\Core\tests\TestCase;
 use MicroweberPackages\Helper\XSSClean;
 use MicroweberPackages\Multilanguage\MultilanguageHelpers;
@@ -64,14 +62,11 @@ public function testSaveContentOnPageLiveEditSingle()
 HTML;
 
 
-
-
         $pq = \phpQuery::newDocument($contentFieldHtml);
 
         $contentFieldHtml = $pq->htmlOuter();
 
 
-
         $fieldsData = [
             'field_data_0' => [
                 'attributes' => [
@@ -130,7 +125,6 @@ public function testSaveContentOnPageLiveEditFromBootstrapExamples()
         ]);
 
 
-
         $findPage = Page::whereId($newCleanMlPage)->first();
 
         $pageId = $findPage->id;
@@ -172,12 +166,12 @@ public function testSaveContentOnPageLiveEditFromBootstrapExamples()
 
 
             //remove empty tags
-           $html =  preg_replace('/<[^\/>]*>([\s]?)*<\/[^>]*>/', '', $html);
+            $html = preg_replace('/<[^\/>]*>([\s]?)*<\/[^>]*>/', '', $html);
 
             // remove script tags
             $html = preg_replace('/<script\b[^>]*>(.*?)<\/script>/is', "", $html);
 
-             // remove code tags
+            // remove code tags
             $html = preg_replace('/<code\b[^>]*>(.*?)<\/code>/is', "", $html);
 
 
@@ -201,8 +195,6 @@ public function testSaveContentOnPageLiveEditFromBootstrapExamples()
             ];
 
 
-
-
             $encoded = base64_encode(json_encode($fieldsData));
 
             $response = $this->call(
@@ -225,7 +217,6 @@ public function testSaveContentOnPageLiveEditFromBootstrapExamples()
             $this->assertEquals($fieldSaved[0]['field'], 'content');
 
 
-
             $pq2 = \phpQuery::newDocument($contentFieldHtml);
             $this->assertEquals($contentFieldHtml, $pq2->htmlOuter());
 
@@ -273,7 +264,6 @@ public function testSaveContentOnPageLiveEditXssList()
         $_SERVER['HTTP_REFERER'] = content_link($pageId);
 
 
-
         $zip = new \ZipArchive();
         $zip->open(__DIR__ . '/../../Helper/tests/misc/xss-test-files.zip');
         $xssList = $zip->getFromName('xss-payload-list.txt');
@@ -289,14 +279,13 @@ public function testSaveContentOnPageLiveEditXssList()
         foreach ($xssListChunks as $stringChunk) {
 
             $string = implode(PHP_EOL, $stringChunk);
-             if (empty(trim($string))) {
+            if (empty(trim($string))) {
                 continue;
             }
 
             $contentFieldHtml = $string;
 
 
-
             $fieldsData = [
                 'field_data_0' => [
                     'attributes' => [
@@ -333,7 +322,7 @@ public function testSaveContentOnPageLiveEditXssList()
             $contentFieldHtml1 = trim($contentFieldHtml);
             $contentFieldHtml2 = trim($findPage->content);
 
-           $this->assertNotEquals($contentFieldHtml1, $contentFieldHtml2);
+            $this->assertNotEquals($contentFieldHtml1, $contentFieldHtml2);
 
 
             foreach ($stringChunk as $stringItem) {
@@ -344,12 +333,10 @@ public function testSaveContentOnPageLiveEditXssList()
             }
 
 
-
         }
     }
 
 
-
     public function testSaveContentOnPageLiveEditFromOtherExamples()
     {
         $this->cleanupAndPrepare();
@@ -390,7 +377,7 @@ public function testSaveContentOnPageLiveEditFromOtherExamples()
                 $ext = get_file_extension($fn);
                 if ($ext == 'html') {
                     $string = $zip->getFromName($fn);
-                    if(trim($string) == ''){
+                    if (trim($string) == '') {
                         continue;
                     }
                     $htmls[$fn] = $string;
@@ -421,14 +408,13 @@ public function testSaveContentOnPageLiveEditFromOtherExamples()
         $htmlsChunks = array_chunk($htmls, 100);
 
 
+        foreach ($htmlsChunks as $k => $htmlChunk) {
 
-      foreach ($htmlsChunks as $k => $htmlChunk) {
-
-          $html = implode('--------chunk-------', $htmlChunk);
-         $contentFieldHtml = $html;
+            $html = implode('--------chunk-------', $htmlChunk);
+            $contentFieldHtml = $html;
 
 
-           // $contentFieldHtml = str_replace('{SITE_URL}', site_url(), $contentFieldHtml);
+            // $contentFieldHtml = str_replace('{SITE_URL}', site_url(), $contentFieldHtml);
             $fieldsData = [
                 'field_data_0' => [
                     'attributes' => [
@@ -462,7 +448,6 @@ public function testSaveContentOnPageLiveEditFromOtherExamples()
             $fieldSaved = $response->decodeResponseJson();
 
 
-
             $findPage = Page::whereId($fieldSaved[0]['id'])->first();
             $contentFieldHtml1 = trim($contentFieldHtml);
             $contentFieldHtml2 = trim($findPage->content);
@@ -471,13 +456,37 @@ public function testSaveContentOnPageLiveEditFromOtherExamples()
             $this->assertEquals($contentFieldHtml, $findPage->content);
 
 
-       }
+        }
+
+
+    }
+
+
+    public function testSaveContentXssSpaceInUrlAttribute()
+    {
+
+        $this->cleanupAndPrepare();
+        $unique = uniqid('testSaveContentXssInUrlAttribute');
+        $newCleanPage = save_content([
+            'subtype' => 'static',
+            'content_type' => 'page',
+            'layout_file' => 'clean.php',
+            'title' => 'testSaveContentXssInUrlAttribute-save' . $unique,
+            'preview_layout_file' => 'clean.php',
+            'url' => 'url with space ' . $unique . '  <script>alert(1)</script>',
+            'is_active' => 1,
+        ]);
+
+        $findPage = Page::whereId($newCleanPage)->first();
 
+        $this->assertEquals($findPage->url, 'url-with-space-' . strtolower($unique));
 
     }
 
 
-    private function cleanupAndPrepare(){
+
+    private function cleanupAndPrepare()
+    {
         $user = User::where('is_admin', '=', '1')->first();
         Auth::login($user);
         \Config::set('microweber.disable_model_cache', 1);
@@ -489,18 +498,17 @@ private function cleanupAndPrepare(){
 
     public static function fixLinksPrecentAttributes($text)
     {
-        $text = str_ireplace('{SITE_URL}','___mw-site-url-temp-replace-on-clean___', $text);
+        $text = str_ireplace('{SITE_URL}', '___mw-site-url-temp-replace-on-clean___', $text);
         $pq = \phpQuery::newDocument($text);
 
-        foreach($pq->find('a') as $stuffs)
-        {
+        foreach ($pq->find('a') as $stuffs) {
             $href = pq($stuffs)->attr('href');
-            if($href){
-            pq($stuffs)->attr('href', str_replace(' ', '%20', $href));
+            if ($href) {
+                pq($stuffs)->attr('href', str_replace(' ', '%20', $href));
             }
         }
         $text = $pq->htmlOuter();
-        $text = str_ireplace('___mw-site-url-temp-replace-on-clean___','{SITE_URL}',     $text);
+        $text = str_ireplace('___mw-site-url-temp-replace-on-clean___', '{SITE_URL}', $text);
         return $text;
 
     }

diff --git a/src/MicroweberPackages/Database/DatabaseManager.php b/src/MicroweberPackages/Database/DatabaseManager.php
@@ -668,16 +668,32 @@ public function save($table, $data = false, $data_to_save_options = false)
                     $criteria['id'] = $next_id;
                 }
             }
-            $id_to_return = $this->table($table_assoc_name)->insert($criteria);
+
+            if(method_exists($this->table($table),'create')){
+                $id_to_return = $this->table($table)->create($criteria);
+            } else {
+                $id_to_return = $this->table($table)->insert($criteria);
+            }
+             //$id_to_return = $this->table($table_assoc_name)->insert($criteria);
+         //   $id_to_return = $this->table($table_assoc_name)->create($criteria);
             $id_to_return = $this->last_id($table);
 
         } else {
+
             $insert_or_update = $highestId = $this->table($table)->where('id', $criteria['id'])->count();
             if ($insert_or_update != 0) {
                 $insert_or_update = 'update';
             } else {
-                $insert_or_update = 'insert';
+              $insert_or_update = 'insert';
+              if(method_exists($this->table($table),'create')){
+                    $insert_or_update = 'create';
+              }
+          //  $insert_or_update = 'create';
             }
+
+
+
+
             $id_to_return = $this->table($table_assoc_name)->where('id', $criteria['id'])->$insert_or_update($criteria);
             $id_to_return = $criteria['id'];
         }
@@ -965,8 +981,8 @@ public function table($table, $params = [])
             $this->use_model_cache[$table]= true;
 
             if ($table == 'content') {
-              //  $model = new Content($params);
-                 $model = app()->make(Content::class);
+                 $model = new Content($params);
+              //   $model = app()->make(Content::class);
 
                 //    $model::boot();
             } else if ($table == 'categories') {

diff --git a/src/MicroweberPackages/Module/Models/Module.php b/src/MicroweberPackages/Module/Models/Module.php
@@ -46,13 +46,15 @@ public function icon()
 
     public function getIconInline()
     {
-        $icon = str_replace( '{SITE_URL}', '', $this->icon);
-        if (get_file_extension($icon) == 'svg') {
-            $content =  file_get_contents($icon);
-            $content = str_replace('<?xml version="1.0" encoding="utf-8"?>', '', $content);
-            return $content;
-        } else {
-            return '<img src="' . $icon . '" />';
+        $icon = str_replace('{SITE_URL}', '', $this->icon);
+        if (file_exists($icon)) {
+            if (get_file_extension($icon) == 'svg') {
+                $content = file_get_contents($icon);
+                $content = str_replace('<?xml version="1.0" encoding="utf-8"?>', '', $content);
+                return $content;
+            } else {
+                return '<img src="' . $icon . '" />';
+            }
         }
     }