diff --git a/server/composer.json b/server/composer.json
index a506cdee..4802e3c2 100644
--- a/server/composer.json
+++ b/server/composer.json
@@ -5,7 +5,8 @@
 "phpmailer/phpmailer": "^5.2",
 "google/recaptcha": "~1.1",
 "gabordemooij/redbean": "^4.3",
- "ifsnop/mysqldump-php": "2.*"
+ "ifsnop/mysqldump-php": "2.*",
+ "ezyang/htmlpurifier": "^4.8"
 },
 "require-dev": {
 "phpunit/phpunit": "5.0.*"
diff --git a/server/controllers/article/add.php b/server/controllers/article/add.php
index 28abcab7..71fc92c5 100644
--- a/server/controllers/article/add.php
+++ b/server/controllers/article/add.php
@@ -30,7 +30,7 @@ class AddArticleController extends Controller {
 $article = new Article();
 $article->setProperties([
 'title' => Controller::request('title'),
- 'content' => Controller::request('content'),
+ 'content' => Controller::request('content', true),
 'lastEdited' => Date::getCurrentDate(),
 'position' => Controller::request('position') || 1
 ]);
diff --git a/server/controllers/article/edit.php b/server/controllers/article/edit.php
index 60220680..37bfe492 100644
--- a/server/controllers/article/edit.php
+++ b/server/controllers/article/edit.php
@@ -33,7 +33,7 @@ class EditArticleController extends Controller {
 }
 if(Controller::request('content')) {
- $article->content = Controller::request('content');
+ $article->content = Controller::request('content', true);
 }
 if(Controller::request('title')) {
diff --git a/server/controllers/system/edit-mail-template.php b/server/controllers/system/edit-mail-template.php
index 06ddd5e6..66407e44 100644
--- a/server/controllers/system/edit-mail-template.php
+++ b/server/controllers/system/edit-mail-template.php
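Review bot: The new `'content' => Controller::request('content', true)` line passes a bare positional boolean whose meaning is invisible at the call site, and the same pattern is repeated in article/edit.php, ticket/comment.php, ticket/create.php and ticket/edit-custom-response.php. A named constant defined on Controller (for example `Controller::request('content', Controller::PURIFY_HTML)`) or a short comment such as `// HTML body: run through the purifier before it is stored` at each site would make the intent reviewable, and in edit.php and edit-custom-response.php the guard reads the raw value while the assignment stores the purified one, so a value the purifier strips entirely is stored as an empty string despite passing the `if`. Unrelated to this change but visible in the hunk: `'position' => Controller::request('position') || 1` evaluates to a PHP boolean rather than the requested position or 1; `'position' => Controller::request('position') ?: 1` is the intended form.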
@@ -32,8 +32,8 @@ class EditMailTemplateController extends Controller {
 public function handler() {
 $language = Controller::request('language');
 $templateType = Controller::request('templateType');
- $subject = Controller::request('subject');
- $body = Controller::request('body');
+ $subject = Controller::request('subject', true);
+ $body = Controller::request('body', true);
 $mailTemplate = MailTemplate::findOne(' language = ? AND type = ?', [$language, $templateType]);
 if($mailTemplate->isNull()) {
diff --git a/server/controllers/ticket/comment.php b/server/controllers/ticket/comment.php
index c1593472..efb8fff6 100644
--- a/server/controllers/ticket/comment.php
+++ b/server/controllers/ticket/comment.php
@@ -60,7 +60,7 @@ class CommentController extends Controller {
 $ticketNumber = Controller::request('ticketNumber');
 $email = Controller::request('email');
 $this->ticket = Ticket::getByTicketNumber($ticketNumber);
- $this->content = Controller::request('content');
+ $this->content = Controller::request('content', true);
 if(!Controller::isUserSystemEnabled() && $this->ticket->authorEmail !== $email && !Controller::isStaffLogged()) {
 throw new Exception(ERRORS::NO_PERMISSION);
diff --git a/server/controllers/ticket/create.php b/server/controllers/ticket/create.php
index 23559205..2a8c4586 100644
--- a/server/controllers/ticket/create.php
+++ b/server/controllers/ticket/create.php
@@ -50,7 +50,7 @@ class CreateController extends Controller {
 public function handler() {
 $this->title = Controller::request('title');
- $this->content = Controller::request('content');
+ $this->content = Controller::request('content', true);
 $this->departmentId = Controller::request('departmentId');
 $this->language = Controller::request('language');
 $this->email = Controller::request('email');
diff --git a/server/controllers/ticket/edit-custom-response.php b/server/controllers/ticket/edit-custom-response.php
index c4b5975c..7f7824cb 100644
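Review bot: Running the subject through the HTML purifier on the added `$subject = Controller::request('subject', true);` line treats what is presumably a plain-text mail subject as an HTML fragment, so characters such as `&` and `<` come back entity-encoded (`&amp;`, `&lt;`) and would then be sent literally if the subject goes into a text header; confirm how the subject is rendered before purifying it, and if it is plain text keep `$subject = Controller::request('subject');` and escape at output instead. For `$body`, HTMLPurifier's default configuration strips document-level tags and `<style>` blocks, so if stored templates contain a full HTML document the save will silently drop that markup; if templates are fragments only, a comment stating that assumption above the two lines would help the next reader. Each of the two calls also builds its own purifier instance (see the Controller.php hunk). The enclosing `handler()` continues outside the hunk.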
--- a/server/controllers/ticket/edit-custom-response.php
+++ b/server/controllers/ticket/edit-custom-response.php
@@ -22,7 +22,7 @@ class EditCustomResponseController extends Controller {
 $customResponse = CustomResponse::getDataStore(Controller::request('id'));
 if (Controller::request('content')) {
- $customResponse->content = Controller::request('content');
+ $customResponse->content = Controller::request('content', true);
 }
 if (Controller::request('language')) {
diff --git a/server/libs/Controller.php b/server/libs/Controller.php
index 0f7119ee..9b8f418b 100644
--- a/server/libs/Controller.php
+++ b/server/libs/Controller.php
@@ -47,8 +47,16 @@ abstract class Controller {
 self::$dataRequester = $dataRequester;
 }
- public static function request($key) {
- return call_user_func(self::$dataRequester, $key);
+ public static function request($key, $secure = false) {
+ $result = call_user_func(self::$dataRequester, $key);
+ if($secure) {
+ $config = HTMLPurifier_Config::createDefault();
+ $purifier = new HTMLPurifier($config);
+ return $purifier->purify($result);
+ } else {
+ return $result;
+ }
 }
 public static function getLoggedUser() {
diff --git a/tests/user/edit-password.rb b/tests/user/edit-password.rb
index d9767e1b..155d9c2e 100644
--- a/tests/user/edit-password.rb
+++ b/tests/user/edit-password.rb
@@ -52,5 +52,13 @@ describe '/user/edit-password' do
 csrf_token: $csrf_token
 })
 (result['status']).should.equal('success')
+
+ request('/user/logout')
+
+ result = request('/user/login',{
+ email: 'steve@jobs.com',
+ password: 'newpassword'
+ })
+ (result['status']).should.equal('success')
 end
 end
diff --git a/tests/user/signup.rb b/tests/user/signup.rb
index d4b59277..9520d8f0 100644
--- a/tests/user/signup.rb
+++ b/tests/user/signup.rb
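Review bot: The new `request()` calls `HTMLPurifier_Config::createDefault()` and constructs a fresh `HTMLPurifier` on every purified read, and HTMLPurifier builds its HTML definition when it is first used, so controllers that purify several fields (edit-mail-template.php reads two) pay that setup repeatedly; a static local holding one instance avoids it. `purify()` also coerces a missing key (null from the data requester) to `''`, so a caller that distinguishes absent from empty sees a different value once `$secure` is true — worth a one-line docblock, e.g. `/** @param bool $secure when true the value is run through HTMLPurifier (null becomes ''); use only for fields stored as HTML */`. The parameter name `$secure` promises more than HTML sanitisation delivers; `$purifyHtml` says what it does. With the default config the purifier writes its definition cache under the library's own directory (`Cache.SerializerPath`), which is commonly not writable in a deployed vendor tree and then produces warnings on every request, so that directive is worth setting explicitly. The `else` after `return` is unnecessary.
```php
public static function request($key, $secure = false) {
    $result = call_user_func(self::$dataRequester, $key);

    if(!$secure) {
        return $result;
    }

    // One purifier per process: building the HTML definition is the expensive part.
    static $purifier = null;
    if($purifier === null) {
        $purifier = new HTMLPurifier(HTMLPurifier_Config::createDefault());
    }

    return $purifier->purify($result);
}
```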
@@ -41,15 +41,6 @@ describe '/user/signup' do
 (result['status']).should.equal('fail')
 (result['message']).should.equal('INVALID_NAME')
-
- result = request('/user/signup', {
- name: 'tyri0n',
- email: 'tyrion@outlook.com',
- password: 'Lannister'
- })
-
- (result['status']).should.equal('fail')
- (result['message']).should.equal('INVALID_NAME')
 end
 it 'should fail if email is invalid' do