Ivan - Add XSS protection backend [skip ci]
This commit is contained in:
parent
f175669dc0
commit
3de5196dd5
@ -5,7 +5,8 @@
"phpmailer/phpmailer": "^5.2",
"google/recaptcha": "~1.1",
"gabordemooij/redbean": "^4.3",
"ifsnop/mysqldump-php": "2.*"
"ifsnop/mysqldump-php": "2.*",
"ezyang/htmlpurifier": "^4.8"
},
"require-dev": {
"phpunit/phpunit": "5.0.*"
@ -30,7 +30,7 @@ class AddArticleController extends Controller {
$article = new Article();
$article->setProperties([
'title' => Controller::request('title'),
'content' => Controller::request('content'),
'content' => Controller::request('content', true),
'lastEdited' => Date::getCurrentDate(),
'position' => Controller::request('position') || 1
]);
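Review bot: Only `content` is routed through the purifier at `'content' => Controller::request('content', true)`; `title` on the line above is stored as received, so it still depends on escaping at render time, which this hunk cannot show — a short comment on why the two fields are treated differently would help the next reader. The same split appears in EditArticleController (`title`) and CreateController (`title`, `email`, `language`). Separately, the context line `'position' => Controller::request('position') || 1` evaluates `||` to a boolean, so `position` is always `true` rather than the submitted number or 1; `Controller::request('position') ?: 1` is probably what was meant. The enclosing handler starts before the hunk.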
@ -33,7 +33,7 @@ class EditArticleController extends Controller {
}
if(Controller::request('content')) {
$article->content = Controller::request('content');
$article->content = Controller::request('content', true);
}
if(Controller::request('title')) {
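Review bot: The guard `if(Controller::request('content'))` tests the raw value while the assignment stores the purified one, so input that the purifier strips entirely (for example a lone disallowed tag) passes the guard and is written back as an empty string; fetching once, `$content = Controller::request('content', true); if($content) { $article->content = $content; }`, keeps the guard and the stored value consistent. The truthiness test also rejects the literal string `'0'`, which may or may not be intended. EditCustomResponseController has the same raw-guard / purified-assignment pattern. The handler body continues outside the hunk.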
@ -32,8 +32,8 @@ class EditMailTemplateController extends Controller {
public function handler() {
$language = Controller::request('language');
$templateType = Controller::request('templateType');
$subject = Controller::request('subject');
$body = Controller::request('body');
$subject = Controller::request('subject', true);
$body = Controller::request('body', true);
$mailTemplate = MailTemplate::findOne(' language = ? AND type = ?', [$language, $templateType]);
if($mailTemplate->isNull()) {
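Review bot: `$subject = Controller::request('subject', true)` runs an HTML purifier over a value that is presumably used as a plain-text mail subject; the purifier emits an HTML fragment, so `&` becomes `&amp;` and angle brackets are encoded or dropped, and that would appear literally in the subject line. If the subject is not rendered as HTML, escape it for its real context instead, or add a comment recording that entity-encoding of the subject is intended. Purifying `$body` is the right choice only if templates are sent as HTML, which the hunk does not show. The handler continues outside the hunk.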
@ -60,7 +60,7 @@ class CommentController extends Controller {
$ticketNumber = Controller::request('ticketNumber');
$email = Controller::request('email');
$this->ticket = Ticket::getByTicketNumber($ticketNumber);
$this->content = Controller::request('content');
$this->content = Controller::request('content', true);
if(!Controller::isUserSystemEnabled() && $this->ticket->authorEmail !== $email && !Controller::isStaffLogged()) {
throw new Exception(ERRORS::NO_PERMISSION);
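Review bot: `$this->content = Controller::request('content', true)` runs the purifier before the permission check that follows it, so requests that fail the `authorEmail` / staff check still pay for HTML purification before throwing; moving the assignment below the `if` keeps the cheap authorization check first and avoids doing work on input that is about to be rejected. The `if` block is cut off by the hunk.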
@ -50,7 +50,7 @@ class CreateController extends Controller {
public function handler() {
$this->title = Controller::request('title');
$this->content = Controller::request('content');
$this->content = Controller::request('content', true);
$this->departmentId = Controller::request('departmentId');
$this->language = Controller::request('language');
$this->email = Controller::request('email');
@ -22,7 +22,7 @@ class EditCustomResponseController extends Controller {
$customResponse = CustomResponse::getDataStore(Controller::request('id'));
if (Controller::request('content')) {
$customResponse->content = Controller::request('content');
$customResponse->content = Controller::request('content', true);
}
if (Controller::request('language')) {
@ -47,8 +47,16 @@ abstract class Controller {
self::$dataRequester = $dataRequester;
}
public static function request($key) {
return call_user_func(self::$dataRequester, $key);
public static function request($key, $secure = false) {
$result = call_user_func(self::$dataRequester, $key);
if($secure) {
$config = HTMLPurifier_Config::createDefault();
$purifier = new HTMLPurifier($config);
return $purifier->purify($result);
} else {
return $result;
}
}
public static function getLoggedUser() {
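Review bot: `request()` builds a fresh `HTMLPurifier_Config` and `HTMLPurifier` on every call made with `$secure`, and the controllers in this commit call `request()` several times per handler; holding the purifier in a static so it is constructed once is the usual shape, and the `else` after the early return can go. `purify()` expects a string, so if the data requester can return `null` for a missing key or an array for a nested field, the purified branch should say what happens in that case — it is not visible here. `createDefault()` also leaves `Cache.SerializerPath` unset, so HTMLPurifier writes its definition cache inside the library directory; if that location is read-only where this is deployed, point it at a writable path from configuration (shown as a labelled placeholder below).
```php
public static function request($key, $secure = false) {
    $result = call_user_func(self::$dataRequester, $key);

    if(!$secure) {
        return $result;
    }

    static $purifier = null;
    if($purifier === null) {
        $config = HTMLPurifier_Config::createDefault();
        // Definition cache needs a writable directory; take the path from deployment config.
        $config->set('Cache.SerializerPath', '<WRITABLE_CACHE_DIR placeholder>');
        $purifier = new HTMLPurifier($config);
    }

    return $purifier->purify($result);
}
```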
@ -52,5 +52,13 @@ describe '/user/edit-password' do
csrf_token: $csrf_token
})
(result['status']).should.equal('success')
request('/user/logout')
result = request('/user/login',{
email: 'steve@jobs.com',
password: 'newpassword'
})
(result['status']).should.equal('success')
end
end
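Review bot: The added login only asserts that the new password is accepted after the change; it does not check that the previous password is now rejected, which is the other half of what the endpoint should guarantee. Add a login attempt with the old password (presumably set up earlier in the spec, outside this hunk) before the successful one and assert `(result['status']).should.equal('fail')`. The `describe` block starts before the hunk.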
@ -41,15 +41,6 @@ describe '/user/signup' do
(result['status']).should.equal('fail')
(result['message']).should.equal('INVALID_NAME')
result = request('/user/signup', {
name: 'tyri0n',
email: 'tyrion@outlook.com',
password: 'Lannister'
})
(result['status']).should.equal('fail')
(result['message']).should.equal('INVALID_NAME')
end
it 'should fail if email is invalid' do