From 3bd1709a8f7b1720529bf5dfc9855ad609f436cf Mon Sep 17 00:00:00 2001
From: Atsushi Matsuo
Date: Fri, 27 Aug 2021 23:21:27 +0900
Subject: [PATCH] Fix XSS in FMDataAPI_Sample.php
---
 samples/FMDataAPI_Sample.php | 106 +++++++++++++++++------------------
 1 file changed, 53 insertions(+), 53 deletions(-)
diff --git a/samples/FMDataAPI_Sample.php b/samples/FMDataAPI_Sample.php
index 107c3ee..3bf14f4 100644
--- a/samples/FMDataAPI_Sample.php
+++ b/samples/FMDataAPI_Sample.php
@@ -42,19 +42,19 @@
 // Metadata API is the new feature of FMS18.
 $pInfo = var_export($fmdb->getProductInfo(), true);
- echo "Product Info: {$pInfo}
";
+ echo htmlspecialchars("Product Info: {$pInfo}", ENT_QUOTES, "UTF-8") . "
";
 $pInfo = var_export($fmdb->getDatabaseNames(), true);
- echo "Database Names: {$pInfo}
";
+ echo htmlspecialchars("Database Names: {$pInfo}", ENT_QUOTES, "UTF-8") . "
";
 $pInfo = var_export($fmdb->getLayoutNames(), true);
- echo "Layout Names: {$pInfo}
";
+ echo htmlspecialchars("Layout Names: {$pInfo}", ENT_QUOTES, "UTF-8") . "
";
 $pInfo = var_export($fmdb->getScriptNames(), true);
- echo "Script Names: {$pInfo}
";
+ echo htmlspecialchars("Script Names: {$pInfo}", ENT_QUOTES, "UTF-8") . "
";
 $result = $fmdb->person_layout->getMetadata();
 $pInfo = var_export($result, true);
- echo "Layout Metadata: {$pInfo}
";
+ echo htmlspecialchars("Layout Metadata: {$pInfo}", ENT_QUOTES, "UTF-8") . "
";
 $result = $fmdb->person_layout->getMetadataOld();
 $pInfo = var_export($result, true);
- echo "Layout Metadata (Old): {$pInfo}
";
+ echo htmlspecialchars("Layout Metadata (Old): {$pInfo}", ENT_QUOTES, "UTF-8") . "
";
 // The FMDataAPI has the property as the same name of layout. This sample database has the 'person_layout' layout,
 // so '$fmdb->person_layout' refers FMLayout object fo the proxy of the layout. FMLayout class has the 'query' method
@@ -62,18 +62,18 @@
 $result = $fmdb->person_layout->query(/*array(array("id" => ">1"))*/);
 // The 'httpStatus()' method returns the HTTP status code in the latest response.
- echo "HTTP Status: {$fmdb->httpStatus()}
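Review bot: Every new `htmlspecialchars(...)` call in this hunk passes `ENT_QUOTES` alone, which overrides the flag set PHP 8.1+ uses by default and drops `ENT_SUBSTITUTE`; if the `var_export()` output ever contains a byte sequence that is not valid UTF-8, `htmlspecialchars` returns an empty string and the whole line silently vanishes from the page instead of being shown with the bad bytes replaced. Use `ENT_QUOTES | ENT_SUBSTITUTE` in place of `ENT_QUOTES` so invalid sequences become U+FFFD and the rest of the value still renders. The same flag argument is repeated in every other hunk of this patch; a small escaping helper declared once near the top of the sample, taking a string and returning `htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, "UTF-8")`, would keep the flags in one place and shorten each of the fifty-odd echo lines. The enclosing `try` block starts above this hunk.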
";
+ echo htmlspecialchars("HTTP Status: {$fmdb->httpStatus()}", ENT_QUOTES, "UTF-8") . "
";
 // The following two methods return the error code and message of the latest API call which is submitted in query() method.
 // You can check API calling succeed or fail if error code is or isn't 0 every after API calling methods.
- echo "Error Code: {$fmdb->errorCode()}
";
- echo "Error Message: {$fmdb->errorMessage()}
";
+ echo htmlspecialchars("Error Code: {$fmdb->errorCode()}", ENT_QUOTES, "UTF-8") . "
";
+ echo htmlspecialchars("Error Message: {$fmdb->errorMessage()}", ENT_QUOTES, "UTF-8") . "
";
 // If the query is succeed, the following information can be detected.
- echo "Target Table: {$fmdb->getTargetTable()}
";
- echo "Total Count: {$fmdb->getTotalCount()}
";
- echo "Found Count: {$fmdb->getFoundCount()}
";
- echo "Returned Count: {$fmdb->getReturnedCount()}
";
+ echo htmlspecialchars("Target Table: {$fmdb->getTargetTable()}", ENT_QUOTES, "UTF-8") . "
";
+ echo htmlspecialchars("Total Count: {$fmdb->getTotalCount()}", ENT_QUOTES, "UTF-8") . "
";
+ echo htmlspecialchars("Found Count: {$fmdb->getFoundCount()}", ENT_QUOTES, "UTF-8") . "
";
+ echo htmlspecialchars("Returned Count: {$fmdb->getReturnedCount()}", ENT_QUOTES, "UTF-8") . "
";
 // The FileMakerRelation class implements the Iterator interface and it can repeat with 'foreach.'
 // The $record also refers a FileMakerRelation object but it is for single record.
@@ -81,14 +81,14 @@
 // as a property name of the the record referring with $record.
 if (!is_null($result)) {
 // If the query is succeed, the following information can be detected.
- echo "Target Table: {$result->getTargetTable()}
";
- echo "Total Count: {$result->getTotalCount()}
";
- echo "Found Count: {$result->getFoundCount()}
";
- echo "Returned Count: {$result->getReturnedCount()}
";
+ echo htmlspecialchars("Target Table: {$result->getTargetTable()}", ENT_QUOTES, "UTF-8") . "
";
+ echo htmlspecialchars("Total Count: {$result->getTotalCount()}", ENT_QUOTES, "UTF-8") . "
";
+ echo htmlspecialchars("Found Count: {$result->getFoundCount()}", ENT_QUOTES, "UTF-8") . "
";
+ echo htmlspecialchars("Returned Count: {$result->getReturnedCount()}", ENT_QUOTES, "UTF-8") . "
";
 foreach ($result as $record) {
- echo "id: {$record->id},";
- echo "name: {$record->name},";
- echo "mail: {$record->mail}
";
+ echo htmlspecialchars("id: {$record->id},", ENT_QUOTES, "UTF-8");
+ echo htmlspecialchars("name: {$record->name},", ENT_QUOTES, "UTF-8");
+ echo htmlspecialchars("mail: {$record->mail}", ENT_QUOTES, "UTF-8") . "
";
 // If you named field name as not variable friendly, you can use field('field_name') method or
 // set the name to any variable such as $fname = 'field_name'; echo $record->$fname;.
@@ -96,13 +96,13 @@
 // echo $record->field("summary", "contact_to");
 // A portal name property returns records of portal as FileMakerRelation object.
- $contacts = $record->contact_to;
+ $contacts = $record->Contact;
 // If the query is succeed, the following information can be detected.
- echo "Target Table: {$contacts->getTargetTable()}
";
- echo "Total Count: {$contacts->getTotalCount()}
";
- echo "Found Count: {$contacts->getFoundCount()}
";
- echo "Returned Count: {$contacts->getReturnedCount()}
";
+ echo htmlspecialchars("Target Table: {$contacts->getTargetTable()}", ENT_QUOTES, "UTF-8") . "
";
+ echo htmlspecialchars("Total Count: {$contacts->getTotalCount()}", ENT_QUOTES, "UTF-8") . "
";
+ echo htmlspecialchars("Found Count: {$contacts->getFoundCount()}", ENT_QUOTES, "UTF-8") . "
";
+ echo htmlspecialchars("Returned Count: {$contacts->getReturnedCount()}", ENT_QUOTES, "UTF-8") . "
";
 // You can repeat with foreach for the portal records.
 foreach ($contacts as $item) {
@@ -110,8 +110,8 @@
 // In this case you can call field method as like 'field("summary", "contact_to").'
 // If the field belongs to the table occurrence for the portal, you can refer the field as like '$item->id.'
 // If the field belongs to another table occurrence, you have to call the 'field()' method.
- echo "[PORTAL(contact_to)] id: {$item->field("id", "contact_to")},";
- echo "summary: {$item->field("summary", "contact_to")}
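Review bot: The `+ $contacts = $record->Contact;` line changes which portal the sample reads (`contact_to` became `Contact`), which has nothing to do with the XSS fix the subject line names and is explained nowhere; the later hunk containing `$contacts = $result->Contact;` makes the same change. The `[PORTAL(contact_to)]` label and the `field("id", "contact_to")` calls on the following lines still use `contact_to`, so presumably `Contact` is the portal object name and `contact_to` its table occurrence, as the comment lines about object names at the end of the next hunk describe, but a reader of this commit cannot tell whether the rename corrects the sample or tracks a change in the sample database. Either split it into its own commit or annotate the line, e.g. `// 'Contact' is the portal object name; its table occurrence is 'contact_to'`, if that is indeed the relationship. The enclosing `foreach ($result as $record)` loop starts in the previous hunk and closes outside this one.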
";
+ echo htmlspecialchars("[PORTAL(contact_to)] id: {$item->field("id", "contact_to")},", ENT_QUOTES, "UTF-8");
+ echo htmlspecialchars("summary: {$item->field("summary", "contact_to")}", ENT_QUOTES, "UTF-8") . "
";
 // If the object name of the portal is blank, it can be referred as the table occurrence name.
 // If the object name is specified, you have to access with the object name and it means you have to
 // call 'field()' method to get the value.
@@ -127,14 +127,14 @@
 // record and you can get the field value with the propaty having the same field name.
 // The portal can be done with same way. The 'next()' method steps forward the pointer of current record.
 for ($i = 0; $i < $result->count(); $i++) {
- echo "id: {$result->id},";
- echo "name: {$result->name},";
- echo "mail: {$result->mail}
";
- $contacts = $result->contact_to;
+ echo htmlspecialchars("id: {$result->id},", ENT_QUOTES, "UTF-8");
+ echo htmlspecialchars("name: {$result->name},", ENT_QUOTES, "UTF-8");
+ echo htmlspecialchars("mail: {$result->mail}", ENT_QUOTES, "UTF-8") . "
";
+ $contacts = $result->Contact;
 for ($j = 0; $j < $contacts->count(); $j++) {
- echo "[PORTAL(contact_to)] id: {$contacts->field("id", "contact_to")},";
- echo "summary: {$contacts->field("summary", "contact_to")}
";
+ echo htmlspecialchars("[PORTAL(contact_to)] id: {$contacts->field("id", "contact_to")},", ENT_QUOTES, "UTF-8");
+ echo htmlspecialchars("summary: {$contacts->field("summary", "contact_to")}", ENT_QUOTES, "UTF-8") . "
";
 $contacts->next();
 }
 $result->next();
@@ -149,9 +149,9 @@
 $result = $fmdb->postalcode->getRecord($recId);
 if (!is_null($result)) {
 foreach ($result as $record) {
- echo "f3: {$record->f3},";
- echo "f7: {$record->f7},";
- echo "f8: {$record->f8}
";
+ echo htmlspecialchars("f3: {$record->f3},", ENT_QUOTES, "UTF-8");
+ echo htmlspecialchars("f7: {$record->f7},", ENT_QUOTES, "UTF-8");
+ echo htmlspecialchars("f8: {$record->f8}", ENT_QUOTES, "UTF-8") . "
";
 echo "
";
 }
 }
@@ -162,9 +162,9 @@
 $result = $fmdb->postalcode->getRecord($recId);
 if (!is_null($result)) {
 foreach ($result as $record) {
- echo "f3: {$record->f3},";
- echo "f7: {$record->f7},";
- echo "f8: {$record->f8}
";
+ echo htmlspecialchars("f3: {$record->f3},", ENT_QUOTES, "UTF-8");
+ echo htmlspecialchars("f7: {$record->f7},", ENT_QUOTES, "UTF-8");
+ echo htmlspecialchars("f8: {$record->f8}", ENT_QUOTES, "UTF-8") . "
";
 echo "
";
 }
 }
@@ -174,23 +174,23 @@
 // Call script
 $result = $fmdb->person_layout->query(null, null, -1, 1, null, ["script" => "TestScript", "script.param" => "ok"]);
 if (!is_null($result)) {
- echo "Script Error: {$fmdb->person_layout->getScriptError()}
";
- echo "Script Result: {$fmdb->person_layout->getScriptResult()}
";
+ echo htmlspecialchars("Script Error: {$fmdb->person_layout->getScriptError()}", ENT_QUOTES, "UTF-8") . "
";
+ echo htmlspecialchars("Script Result: {$fmdb->person_layout->getScriptResult()}", ENT_QUOTES, "UTF-8") . "
";
 }
 $result = $fmdb->person_layout->query(null, null, -1, 1, null, ["script.prerequest" => "TestScript", "script.prerequest.param" => "ok"]);
 if (!is_null($result)) {
- echo "Script Error: {$fmdb->person_layout->getScriptErrorPrerequest()}
";
- echo "Script Result: {$fmdb->person_layout->getScriptResultPrerequest()}
";
+ echo htmlspecialchars("Script Error: {$fmdb->person_layout->getScriptErrorPrerequest()}", ENT_QUOTES, "UTF-8") . "
";
+ echo htmlspecialchars("Script Result: {$fmdb->person_layout->getScriptResultPrerequest()}", ENT_QUOTES, "UTF-8") . "
";
 }
 $result = $fmdb->person_layout->query(null, null, -1, 1, null, ["script" => "TestScript", "script.param" => "not"]);
 if (!is_null($result)) {
- echo "Script Error: {$fmdb->person_layout->getScriptError()}
";
- echo "Script Result: {$fmdb->person_layout->getScriptResult()}
";
+ echo htmlspecialchars("Script Error: {$fmdb->person_layout->getScriptError()}", ENT_QUOTES, "UTF-8") . "
";
+ echo htmlspecialchars("Script Result: {$fmdb->person_layout->getScriptResult()}", ENT_QUOTES, "UTF-8") . "
";
 }
 $result = $fmdb->person_layout->query(null, null, -1, 1);
 if (!is_null($result)) {
- echo "Script Error: {$fmdb->person_layout->getScriptError()}
";
- echo "Script Result: {$fmdb->person_layout->getScriptResult()}
";
+ echo htmlspecialchars("Script Error: {$fmdb->person_layout->getScriptError()}", ENT_QUOTES, "UTF-8") . "
";
+ echo htmlspecialchars("Script Result: {$fmdb->person_layout->getScriptResult()}", ENT_QUOTES, "UTF-8") . "
";
 }
 // A new record is created in "testtable" table.
@@ -203,14 +203,14 @@
 // https://localhost/Streaming_SSL/MainDB/6A4A253F7CE33465DCDFBFF0704B34C0993D54AD85702396920E85249BD0271A.jpg?RCType=EmbeddedRCFileProcessor
 // This url can get the content of the container field, and it means you can download with file_put_content() function and so on.
 $result = $fmdb->testtable->getRecord($recId);
- echo "Target Table(getRecord): {$result->getTargetTable()}
";
- echo "Total Count(getRecord): {$result->getTotalCount()}
";
- echo "Found Count(getRecord): {$result->getFoundCount()}
";
- echo "Returned Count(getRecord): {$result->getReturnedCount()}
";
+ echo htmlspecialchars("Target Table(getRecord): {$result->getTargetTable()}", ENT_QUOTES, "UTF-8") . "
";
+ echo htmlspecialchars("Total Count(getRecord): {$result->getTotalCount()}", ENT_QUOTES, "UTF-8") . "
";
+ echo htmlspecialchars("Found Count(getRecord): {$result->getFoundCount()}", ENT_QUOTES, "UTF-8") . "
";
+ echo htmlspecialchars("Returned Count(getRecord): {$result->getReturnedCount()}", ENT_QUOTES, "UTF-8") . "
";
 if (!is_null($result)) {
 foreach ($result as $record) {
- echo "vc1: {$record->vc1}
";
+ echo htmlspecialchars("vc1: {$record->vc1}", ENT_QUOTES, "UTF-8") . "
";
 echo "

";
 }
 }
@@ -266,5 +266,5 @@
 }
 }
 } catch (Exception $e) {
- echo '
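Review bot: The four rewritten `echo htmlspecialchars("Target Table(getRecord): {$result->getTargetTable()}", …)` lines still execute before the `if (!is_null($result))` guard that follows them, so if `getRecord($recId)` returns null the script dies with a method call on null before the guard is ever reached, and the escaping added here never runs. The other `getRecord` call sites in this patch check `is_null($result)` first, which suggests null is a possible return, though that is inferred from those call sites rather than visible in this hunk. Since these four lines are being rewritten anyway, move them inside the `if (!is_null($result)) {` block, ahead of the `foreach`, so the counts are only printed for a record that was actually fetched. The enclosing `try` block and the `testtable` setup start above this hunk.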

例外発生

', $e->getMessage(), "
";
+ echo '

例外発生

', htmlspecialchars($e->getMessage(), ENT_QUOTES, "UTF-8"), "
";
 }