Added url check to transport agency model web field to prevent XSS at…
…tacks.

------
Añadida verificación de url al campo web del modelo de agencia de transporte para evitar ataques XSS.
NeoRazorX committed May 10, 2022
1 parent cc8db28 commit 891ed74ea1ce1b1a71bda8e8c07621eb840548a1
Showing 2 changed files with 26 additions and 0 deletions.
@@ -91,6 +91,13 @@ public function test(): bool
$this->nombre = $utils->noHtml($this->nombre);
$this->telefono = $utils->noHtml($this->telefono);
$this->web = $utils->noHtml($this->web);

// check if the web is a valid url
if (!empty($this->web) && !filter_var($this->web, FILTER_VALIDATE_URL)) {
self::toolBox()::i18nLog()->error('invalid-web');
return false;
}

return parent::test();
}
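Review bot: `FILTER_VALIDATE_URL` on the new `if` line validates URL syntax, not the scheme, so a value with a non-web scheme that still carries a host part passes the filter and the field is not yet confined to http/https, which is what the XSS motivation in the commit title needs. Pair the filter with an explicit scheme allowlist, e.g. `$scheme = strtolower((string) parse_url($this->web, PHP_URL_SCHEME));` followed by `if (!empty($this->web) && (!filter_var($this->web, FILTER_VALIDATE_URL) || !in_array($scheme, ['http', 'https'], true))) {`. Note that `noHtml()` has already run on `$this->web` three lines earlier, so the check validates the escaped value rather than the raw input; presumably that is intended, but it is worth confirming escaping cannot turn an acceptable URL into one the filter rejects. The enclosing `test()` method starts outside the hunk.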

@@ -52,6 +52,25 @@ public function testCreateWithNewCode()
$this->assertTrue($agency->delete(), 'agency-cant-delete');
}

public function testBadWeb()
{
$agency = new AgenciaTransporte();
$agency->codtrans = 'Test';
$agency->nombre = 'Test Agency';
$agency->web = 'javascript:alert(origin)';
$this->assertFalse($agency->save(), 'agency-can-save-bad-web');
}

public function testGoodWeb()
{
$agency = new AgenciaTransporte();
$agency->codtrans = 'Test';
$agency->nombre = 'Test Agency';
$agency->web = 'https://www.facturascripts.com';
$this->assertTrue($agency->save(), 'agency-cant-save-good-web');
$this->assertTrue($agency->delete(), 'agency-cant-delete');
}

protected function tearDown(): void
{
$this->logErrors();
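Review bot: The two new test methods omit a return type while `tearDown(): void` in the same hunk declares one; `public function testBadWeb(): void` and `public function testGoodWeb(): void` keep the file consistent and let static analysis flag accidental returns. The three-line fixture setup (`new AgenciaTransporte()`, `codtrans`, `nombre`) is repeated in both methods and presumably in `testCreateWithNewCode` above; a small private helper such as `private function newAgency(string $web): AgenciaTransporte` would remove the duplication. `testGoodWeb` could additionally assert that `$agency->web` still equals the assigned URL after `save()`, showing that the sanitising in `test()` leaves a well-formed value untouched. The enclosing test class and `tearDown()` continue outside the hunk.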
