3.0.9

Fix xss in user profile form

includes/js/functions.js

@@ -403,12 +403,27 @@ function fieldSanitizeStep1(
     }
     let string = '';
     text = (text === '') ? $(field).val() : text;
-
+/*
+    // Sanitize string
+    var tagsToReplace = {
+        '&': '&',
+        '<': '&lt;',
+        '>': '&gt;',
+        "'" : '&#39;',
+        '"' : '&quot;'
+    };
+    text = text.replace(/[&<>'"]/g, function(tag) {
+        return tagsToReplace[tag] || tag;
+    });
+    */
     // Purify string
     string = DOMPurify.sanitize(
         text
             .replaceAll('&lt;', '<')
-            .replaceAll('&gt;', '>'),
+            .replaceAll('&gt;', '>')
+            .replaceAll('&amp;', '&')
+            .replaceAll('&quot;', '"')
+            .replaceAll('&#39;', "'"),
         {USE_PROFILES: {html:bHtml, svg:bSvg, svgFilters: bSvgFilters}}
     );
 

pages/profile.js.php

@@ -164,16 +164,36 @@ function(data) {
 
     // Save user settings
     $('#profile-user-save-settings').click(function() {
+        // Sanitize text fields
+        let formName = fieldSanitizeStep1('#profile-user-name', false, false, false),
+            formLastname = fieldSanitizeStep1('#profile-user-lastname', false, false, false),
+            formEmail = fieldSanitizeStep1('#profile-user-email', false, false, false);
+        if (formName === false || formLastname === false || formEmail === false) {
+            // Label is empty
+            toastr.remove();
+            toastr.warning(
+                'XSS attempt detected. Field has been emptied.',
+                'Error', {
+                    timeOut: 5000,
+                    progressBar: true
+                }
+            );
+            return false;
+        }
+
+        // Prepare data
         var data = {
-            'name': DOMPurify.sanitize($('#profile-user-name').val()),
-            'lastname': DOMPurify.sanitize($('#profile-user-lastname').val()),
-            'email': DOMPurify.sanitize($('#profile-user-email').val()),
+            'name': formName,
+            'lastname': formLastname,
+            'email': formEmail,
             'timezone': $('#profile-user-timezone').val(),
             'language': $('#profile-user-language').val().toLowerCase(),
             'treeloadstrategy': $('#profile-user-treeloadstrategy').val().toLowerCase(),
             'agsescardid': $('#profile-user-agsescardid').length > 0 ? $('#profile-user-agsescardid').val() : '',
         }
-        //console.log(data)
+        console.log(data);
+        //return false;
+        // " onmouseover="confirm(document.cookie)"
         // Inform user
         toastr.remove();
         toastr.info('<i class="fas fa-cog fa-spin fa-2x"></i>');

sources/main.functions.php

@@ -3539,10 +3539,16 @@ function dataSanitizer(
     require_once $path . '/includes/libraries/Elegant/sanitizer/Filters/EscapeHTML.php';
     require_once $path . '/includes/libraries/Elegant/sanitizer/Filters/EmptyStringToNull.php';
     require_once $path . '/includes/libraries/Elegant/sanitizer/Sanitizer.php';
+    $sanitizer = new Elegant\sanitizer\Sanitizer($data, $filters);
+
+    // Load AntiXSS
+    include_once $path. '/includes/libraries/anti-xss-master/src/voku/helper/ASCII.php';
+    include_once $path . '/includes/libraries/anti-xss-master/src/voku/helper/UTF8.php';
+    include_once $path . '/includes/libraries/anti-xss-master/src/voku/helper/AntiXSS.php';
+    $antiXss = new voku\helper\AntiXSS();
 
     // Sanitize post and get variables
-    $sanitizer = new Elegant\sanitizer\Sanitizer($data, $filters);
-    return $sanitizer->sanitize();
+    return $antiXss->xss_clean($sanitizer->sanitize());
 }
 
 /**