kenmirrors/grocy
1
0
Fork 0
mirror of https://github.com/grocy/grocy.git synced 2025-04-29 09:39:57 +00:00
Code Issues Projects Releases Wiki Activity

Move GetParsedAndFilteredRequestBody into BaseApiController

Browse Source
This commit is contained in:
Bernd Bestel 2023-09-01 17:58:02 +02:00
parent f6bdb6e836
commit 387a5f7dd3
No known key found for this signature in database
GPG Key ID: 71BD34C0D4891300
2 changed files with 44 additions and 45 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

44
controllers/BaseApiController.php
View File

@ -4,6 +4,7 @@ namespace Grocy\Controllers;
use LessQL\Result; use LessQL\Result;
use Psr\Http\Message\ResponseInterface as Response; use Psr\Http\Message\ResponseInterface as Response;
use Slim\Exception\HttpException;
class BaseApiController extends BaseController class BaseApiController extends BaseController
{ {
@ -149,4 +150,47 @@ class BaseApiController extends BaseController
return $this->OpenApiSpec; return $this->OpenApiSpec;
} }
private static $htmlPurifierInstance = null;
protected function GetParsedAndFilteredRequestBody($request)
{
if ($request->getHeaderLine('Content-Type') != 'application/json')
{
throw new HttpException($request, 'Bad Content-Type', 400);
}
if (self::$htmlPurifierInstance == null)
{
$htmlPurifierConfig = \HTMLPurifier_Config::createDefault();
$htmlPurifierConfig->set('Cache.SerializerPath', GROCY_DATAPATH . '/viewcache');
$htmlPurifierConfig->set('HTML.Allowed', 'div,b,strong,i,em,u,a[href|title|target],iframe[src|width|height|frameborder],ul,ol,li,p[style],br,span[style],img[style|width|height|alt|src],table[border|width|style],tbody,tr,td,th,blockquote,*[style|class|id],h1,h2,h3,h4,h5,h6');
$htmlPurifierConfig->set('Attr.EnableID', true);
$htmlPurifierConfig->set('HTML.SafeIframe', true);
$htmlPurifierConfig->set('CSS.AllowedProperties', 'font,font-size,font-weight,font-style,font-family,text-decoration,padding-left,color,background-color,text-align,width,height');
$htmlPurifierConfig->set('URI.AllowedSchemes', ['data' => true, 'http' => true, 'https' => true]);
$htmlPurifierConfig->set('URI.SafeIframeRegexp', '%^.*%'); // Allow any iframe source
$htmlPurifierConfig->set('CSS.MaxImgLength', null);
self::$htmlPurifierInstance = new \HTMLPurifier($htmlPurifierConfig);
}
$requestBody = $request->getParsedBody();
foreach ($requestBody as $key => &$value)
{
// HTMLPurifier removes boolean values (true/false) and arrays, so explicitly keep them
// Maybe also possible through HTMLPurifier config (http://htmlpurifier.org/live/configdoc/plain.html)
if (!is_bool($value) && !is_array($value))
{
$value = self::$htmlPurifierInstance->purify($value);
// Allow some special chars
// Maybe also possible through HTMLPurifier config (http://htmlpurifier.org/live/configdoc/plain.html)
$value = str_replace('&', '&', $value);
$value = str_replace('>', '>', $value);
$value = str_replace('&lt;', '<', $value);
}
}
return $requestBody;
}
} }

45
controllers/BaseController.php
View File

@ -19,7 +19,6 @@ use Grocy\Services\TasksService;
use Grocy\Services\UserfieldsService; use Grocy\Services\UserfieldsService;
use Grocy\Services\UsersService; use Grocy\Services\UsersService;
use DI\Container; use DI\Container;
use Slim\Exception\HttpException;
class BaseController class BaseController
{ {
@ -209,48 +208,4 @@ class BaseController
return $this->render($response, $viewName, $data); return $this->render($response, $viewName, $data);
} }
private static $htmlPurifierInstance = null;
protected function GetParsedAndFilteredRequestBody($request)
{
if ($request->getHeaderLine('Content-Type') != 'application/json')
{
throw new HttpException($request, 'Bad Content-Type', 400);
}
if (self::$htmlPurifierInstance == null)
{
$htmlPurifierConfig = \HTMLPurifier_Config::createDefault();
$htmlPurifierConfig->set('Cache.SerializerPath', GROCY_DATAPATH . '/viewcache');
$htmlPurifierConfig->set('HTML.Allowed', 'div,b,strong,i,em,u,a[href|title|target],iframe[src|width|height|frameborder],ul,ol,li,p[style],br,span[style],img[style|width|height|alt|src],table[border|width|style],tbody,tr,td,th,blockquote,*[style|class|id],h1,h2,h3,h4,h5,h6');
$htmlPurifierConfig->set('Attr.EnableID', true);
$htmlPurifierConfig->set('HTML.SafeIframe', true);
$htmlPurifierConfig->set('CSS.AllowedProperties', 'font,font-size,font-weight,font-style,font-family,text-decoration,padding-left,color,background-color,text-align,width,height');
$htmlPurifierConfig->set('URI.AllowedSchemes', ['data' => true, 'http' => true, 'https' => true]);
$htmlPurifierConfig->set('URI.SafeIframeRegexp', '%^.*%'); // Allow any iframe source
$htmlPurifierConfig->set('CSS.MaxImgLength', null);
self::$htmlPurifierInstance = new \HTMLPurifier($htmlPurifierConfig);
}
$requestBody = $request->getParsedBody();
foreach ($requestBody as $key => &$value)
{
// HTMLPurifier removes boolean values (true/false) and arrays, so explicitly keep them
// Maybe also possible through HTMLPurifier config (http://htmlpurifier.org/live/configdoc/plain.html)
if (!is_bool($value) && !is_array($value))
{
$value = self::$htmlPurifierInstance->purify($value);
// Allow some special chars
// Maybe also possible through HTMLPurifier config (http://htmlpurifier.org/live/configdoc/plain.html)
$value = str_replace('&amp;', '&', $value);
$value = str_replace('&gt;', '>', $value);
$value = str_replace('&lt;', '<', $value);
}
}
return $requestBody;
}
} }