From bacf3e4f8f635ad3e9b727b91bee22baf1c4ee12 Mon Sep 17 00:00:00 2001 From: Peter Rotich <peter@osticket.com> Date: Mon, 29 Feb 2016 04:07:53 +0000 Subject: [PATCH] forms: TextboxField cleanup Strip tags on text input field to prevent potential XSS exploit. --- include/class.category.php | 8 ++++---- include/class.dynamic_forms.php | 2 -- include/class.forms.php | 4 ++++ include/class.organization.php | 1 + include/class.team.php | 1 + include/client/open.inc.php | 3 ++- 6 files changed, 12 insertions(+), 7 deletions(-) diff --git a/include/class.category.php b/include/class.category.php index 5f67c6ee5..e890b079e 100644 --- a/include/class.category.php +++ b/include/class.category.php @@ -30,7 +30,7 @@ class Category { .' WHERE cat.category_id='.db_input($id) .' GROUP BY cat.category_id'; - if (!($res=db_query($sql)) || !db_num_rows($res)) + if (!($res=db_query($sql)) || !db_num_rows($res)) return false; $this->ht = db_fetch_array($res); @@ -54,14 +54,14 @@ class Category { function isPublic() { return ($this->ht['ispublic']); } function getHashtable() { return $this->ht; } - + /* ------------------> Setter methods <--------------------- */ function setName($name) { $this->ht['name']=$name; } function setNotes($notes) { $this->ht['notes']=$notes; } function setDescription($desc) { $this->ht['description']=$desc; } /* --------------> Database access methods <---------------- */ - function update($vars, &$errors) { + function update($vars, &$errors) { if(!$this->save($this->getId(), $vars, $errors)) return false; @@ -81,7 +81,7 @@ class Category { if(db_query($sql) && ($num=db_affected_rows())) { db_query('DELETE FROM '.FAQ_TABLE .' WHERE category_id='.db_input($this->getId())); - + } return $num; diff --git a/include/class.dynamic_forms.php b/include/class.dynamic_forms.php index 26e93d7fd..84080172d 100644 --- a/include/class.dynamic_forms.php +++ b/include/class.dynamic_forms.php 
@@ -153,8 +153,6 @@ class DynamicForm extends VerySimpleModel { function save($refetch=false) { if (count($this->dirty)) $this->set('updated', new SqlFunction('NOW')); - if (isset($this->dirty['notes'])) - $this->notes = Format::sanitize($this->notes); return parent::save($refetch); } diff --git a/include/class.forms.php b/include/class.forms.php index b2c1aed1c..6d5e9cf63 100644 --- a/include/class.forms.php +++ b/include/class.forms.php @@ -747,6 +747,10 @@ class TextboxField extends FormField { if (!call_user_func($func[0], $value)) $this->_errors[] = $error; } + + function parse($value) { + return Format::striptags($value); + } } class PasswordField extends TextboxField { diff --git a/include/class.organization.php b/include/class.organization.php index f2c092d9d..9e5bedb75 100644 --- a/include/class.organization.php +++ b/include/class.organization.php @@ -356,6 +356,7 @@ class Organization extends OrganizationModel { static function fromVars($vars) { + $vars['name'] = Format::striptags($vars['name']); if (!($org = Organization::lookup(array('name' => $vars['name'])))) { $org = Organization::create(array( 'name' => $vars['name'], diff --git a/include/class.team.php b/include/class.team.php index 11670c853..1ae093c94 100644 --- a/include/class.team.php +++ b/include/class.team.php @@ -232,6 +232,7 @@ class Team { if($id && $vars['id']!=$id) $errors['err']=__('Missing or invalid team'); + $vars['name'] = Format::striptags($vars['name']); if(!$vars['name']) { $errors['name']=__('Team name is required'); } elseif(strlen($vars['name'])<3) { diff --git a/include/client/open.inc.php b/include/client/open.inc.php index ea0a100e7..5bd45eed8 100644 --- a/include/client/open.inc.php +++ b/include/client/open.inc.php 
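Review bot: Removing the `Format::sanitize($this->notes)` step from `DynamicForm::save()` drops the only sanitization of `notes` visible in this hunk, and nothing else in the patch touches how form notes are entered or rendered, so whether the new `TextboxField::parse()` actually covers that input path cannot be confirmed from the diff. If the notes editor is a rich-text or textarea field that never passes through a TextboxField, this becomes a stored-HTML regression wherever the notes are displayed. The commit description should say why the sanitize call is now redundant, or the removal should be left out of this hardening change; if the dependency is real, a comment such as `// notes are tag-stripped on input by TextboxField::parse()` at the former call site would record it. The enclosing class continues outside the hunk.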
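Review bot: The new `TextboxField::parse()` is inherited by `PasswordField`, as the context line `class PasswordField extends TextboxField {` shows; unless PasswordField overrides `parse()` somewhere outside this hunk, a password containing `<` or `>` will be silently altered by `Format::striptags()` before it is stored, with no error shown to the user. Stripping on input is also lossy rather than a substitute for output escaping: a legitimate value like `a <b` can lose content, while a value that survives stripping still needs `Format::htmlchars()` in whichever HTML context prints it. Consider giving PasswordField a pass-through `function parse($value) { return $value; }` and documenting the new method with `/** Strip HTML tags from submitted text; callers must still escape on output. */`.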
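Review bot: `$vars['name'] = Format::striptags($vars['name']);` in `Organization::fromVars()` reads the index before checking it exists, so input without a `name` key raises an undefined-index notice and then passes an empty string to `Organization::lookup()`; the identical line added in the include/class.team.php hunk has the same gap, although there the following `if(!$vars['name'])` check at least catches the empty result. A guarded form, `$vars['name'] = Format::striptags(isset($vars['name']) ? $vars['name'] : '');`, keeps the stripping and avoids the notice in both places. Stripping before the `lookup()` also means an organization already stored with a tag-bearing name will no longer match and a near-duplicate will be created; whether such rows exist cannot be seen from the diff. The enclosing functions continue past the hunk in both files.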
@@ -72,7 +72,8 @@ if ($info['topicId'] && ($topic=Topic::lookup($info['topicId']))) { else { ?> <tr><td colspan="2"><hr /></td></tr> <tr><td><?php echo __('Email'); ?>:</td><td><?php echo $thisclient->getEmail(); ?></td></tr> - <tr><td><?php echo __('Client'); ?>:</td><td><?php echo $thisclient->getName(); ?></td></tr> + <tr><td><?php echo __('Client'); ?>:</td><td><?php echo + Format::htmlchars($thisclient->getName()); ?></td></tr> <?php } ?> </tbody> <tbody id="dynamic-form"> -- GitLab
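Review bot: The `Email` cell on the context line directly above still echoes `$thisclient->getEmail()` unescaped while only the `Client` name cell gains `Format::htmlchars()`; what validation the address passed on the way in is not visible here, so the same escaping should be applied for consistency: `<td><?php echo Format::htmlchars($thisclient->getEmail()); ?></td>`. Splitting `<?php echo` and `Format::htmlchars(...)` across two source lines is also harder to scan in a template; keeping the echo on one line matches the neighbouring rows. The `if` that pairs with the hunk's opening `else { ?>` sits above the hunk.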