diff --git a/composer.json b/composer.json
index 53bd8e34..e907617a 100644
--- a/composer.json
+++ b/composer.json
@@ -10,7 +10,8 @@
 "gettext/gettext": "^4.8",
 "eluceo/ical": "^0.16.0",
 "erusev/parsedown": "^1.7",
- "gumlet/php-image-resize": "^1.9"
+ "gumlet/php-image-resize": "^1.9",
+ "ezyang/htmlpurifier": "^4.13"
 },
 "autoload": {
 "psr-4": {
diff --git a/composer.lock b/composer.lock
index 51e6bda0..3d7c1f61 100644
--- a/composer.lock
+++ b/composer.lock
@@ -4,7 +4,7 @@
 "Read more about it at https://getcomposer.org/doc/01-basic-usage.md#installing-dependencies", "This file is @generated automatically" ], - "content-hash": "70c5b65f78f4eb43dac8df8dc144e56c", + "content-hash": "651fcabf083befffe196b08c8f17506b", "packages": [ { "name": "doctrine/inflector",
@@ -195,6 +195,56 @@ ], "time": "2019-12-30T22:54:17+00:00" }, + { + "name": "ezyang/htmlpurifier", + "version": "v4.13.0", + "source": { + "type": "git", + "url": "https://github.com/ezyang/htmlpurifier.git", + "reference": "08e27c97e4c6ed02f37c5b2b20488046c8d90d75" + }, + "dist": { + "type": "zip", + "url": "https://api.github.com/repos/ezyang/htmlpurifier/zipball/08e27c97e4c6ed02f37c5b2b20488046c8d90d75", + "reference": "08e27c97e4c6ed02f37c5b2b20488046c8d90d75", + "shasum": "" + }, + "require": { + "php": ">=5.2" + }, + "require-dev": { + "simpletest/simpletest": "dev-master#72de02a7b80c6bb8864ef9bf66d41d2f58f826bd" + }, + "type": "library", + "autoload": { + "psr-0": { + "HTMLPurifier": "library/" + }, + "files": [ + "library/HTMLPurifier.composer.php" + ], + "exclude-from-classmap": [ + "/library/HTMLPurifier/Language/" + ] + }, + "notification-url": "https://packagist.org/downloads/", + "license": [ + "LGPL-2.1-or-later" + ], + "authors": [ + { + "name": "Edward Z. Yang", + "email": "admin@htmlpurifier.org", + "homepage": "http://ezyang.com" + } + ], + "description": "Standards compliant HTML filter written in PHP", + "homepage": "http://htmlpurifier.org/", + "keywords": [ + "html" + ], + "time": "2020-06-29T00:56:53+00:00" + }, { "name": "fig/http-message-util", "version": "1.1.4",
diff --git a/controllers/BaseApiController.php b/controllers/BaseApiController.php
index 74fc49bb..ed3557b0 100644
--- a/controllers/BaseApiController.php
+++ b/controllers/BaseApiController.php
@@ -115,4 +115,22 @@ class BaseApiController extends BaseController
 return $this->OpenApiSpec;
 }
+
+ private static $htmlPurifierInstance = null;
+
+ protected function GetParsedAndFilteredRequestBody($request)
+ {
+ if (self::$htmlPurifierInstance == null)
+ {
+ self::$htmlPurifierInstance = new \HTMLPurifier(\HTMLPurifier_Config::createDefault());
+ }
+
+ $requestBody = $request->getParsedBody();
+ foreach ($requestBody as $key => &$value)
+ {
+ $value = self::$htmlPurifierInstance->purify($value);
+ }
+
+ return $requestBody;
+ }
 }
diff --git a/controllers/BatteriesApiController.php b/controllers/BatteriesApiController.php
index 9f06a3ed..163b45b3 100644
--- a/controllers/BatteriesApiController.php
+++ b/controllers/BatteriesApiController.php
@@ -27,7 +27,7 @@ class BatteriesApiController extends BaseApiController
 {
 User::checkPermission($request, User::PERMISSION_BATTERIES_TRACK_CHARGE_CYCLE);
- $requestBody = $request->getParsedBody();
+ $requestBody = $this->GetParsedAndFilteredRequestBody($request);
 try
 {
diff --git a/controllers/ChoresApiController.php b/controllers/ChoresApiController.php
index 8220ad16..c70d4d0b 100644
--- a/controllers/ChoresApiController.php
+++ b/controllers/ChoresApiController.php
@@ -10,7 +10,7 @@ class ChoresApiController extends BaseApiController
 {
 try
 {
- $requestBody = $request->getParsedBody();
+ $requestBody = $this->GetParsedAndFilteredRequestBody($request);
 $choreId = null;
@@ -60,7 +60,7 @@ class ChoresApiController extends BaseApiController
 public function TrackChoreExecution(\Psr\Http\Message\ServerRequestInterface $request, \Psr\Http\Message\ResponseInterface $response, array $args)
 {
- $requestBody = $request->getParsedBody();
+ $requestBody = $this->GetParsedAndFilteredRequestBody($request);
 try
 {
diff --git a/controllers/GenericEntityApiController.php b/controllers/GenericEntityApiController.php
index 320e537d..4f416b88 100644
--- a/controllers/GenericEntityApiController.php
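Review bot: `GetParsedAndFilteredRequestBody` treats the parsed body as a flat array of strings, but `getParsedBody()` returns null when there is no body (the RecipesApiController hunk still tests `$requestBody !== null`) and JSON bodies carry nested arrays and non-string scalars. The `foreach` therefore warns and yields null on a missing body, `purify()` receives arrays for list-valued fields (`excludedProductIds` in RecipesApiController looks like one — confirm), which it is not written to handle, and integers and booleans come back as strings, which can change strict comparisons downstream. Smaller points: `== null` should be `=== null`, and the by-reference `$value` is conventionally `unset()` after the loop. I would guard on `is_array`, walk the body with `array_walk_recursive` and purify only string leaves, as below; every caller hunk in this commit (Batteries, Chores, GenericEntity, Recipes, Stock, System, Tasks, Users) inherits the same behaviour. This is input sanitisation rather than output encoding, so the templates still need context-appropriate escaping, and a bare `<` or `&` in legitimate free-text fields is now rewritten before it is stored.
```php
	protected function GetParsedAndFilteredRequestBody($request)
	{
		if (self::$htmlPurifierInstance === null)
		{
			// NOTE(review): the default config caches definitions under vendor/ (Cache.SerializerPath);
			// point it at a writable data directory if vendor/ is read-only in deployment
			self::$htmlPurifierInstance = new \HTMLPurifier(\HTMLPurifier_Config::createDefault());
		}

		$requestBody = $request->getParsedBody();
		if (!is_array($requestBody))
		{
			return $requestBody; // null (no body) or an object body: nothing to walk, callers already handle null
		}

		// Purify only string leaves; ints/bools/null and nested arrays keep their type and shape
		array_walk_recursive($requestBody, function (&$value)
		{
			if (is_string($value))
			{
				$value = self::$htmlPurifierInstance->purify($value);
			}
		});

		return $requestBody;
	}
```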
+++ b/controllers/GenericEntityApiController.php
@@ -18,7 +18,7 @@ class GenericEntityApiController extends BaseApiController
 User::checkPermission($request, User::PERMISSION_ADMIN);
 }
- $requestBody = $request->getParsedBody();
+ $requestBody = $this->GetParsedAndFilteredRequestBody($request);
 try
 {
@@ -78,7 +78,8 @@ class GenericEntityApiController extends BaseApiController
 {
 User::checkPermission($request, User::PERMISSION_ADMIN);
 }
- $requestBody = $request->getParsedBody();
+
+ $requestBody = $this->GetParsedAndFilteredRequestBody($request);
 try
 {
@@ -202,7 +203,7 @@ class GenericEntityApiController extends BaseApiController
 {
 User::checkPermission($request, User::PERMISSION_MASTER_DATA_EDIT);
- $requestBody = $request->getParsedBody();
+ $requestBody = $this->GetParsedAndFilteredRequestBody($request);
 try
 {
diff --git a/controllers/LoginController.php b/controllers/LoginController.php
index c80a541e..5e61535e 100644
--- a/controllers/LoginController.php
+++ b/controllers/LoginController.php
@@ -24,7 +24,7 @@ class LoginController extends BaseController
 public function ProcessLogin(\Psr\Http\Message\ServerRequestInterface $request, \Psr\Http\Message\ResponseInterface $response, array $args)
 {
- $postParams = $request->getParsedBody();
+ $postParams = $this->GetParsedAndFilteredRequestBody($request);
 if (isset($postParams['username']) && isset($postParams['password']))
 {
diff --git a/controllers/RecipesApiController.php b/controllers/RecipesApiController.php
index 5e19350b..502bb1b3 100644
--- a/controllers/RecipesApiController.php
+++ b/controllers/RecipesApiController.php
@@ -10,7 +10,7 @@ class RecipesApiController extends BaseApiController
 {
 User::checkPermission($request, User::PERMISSION_SHOPPINGLIST_ITEMS_ADD);
- $requestBody = $request->getParsedBody();
+ $requestBody = $this->GetParsedAndFilteredRequestBody($request);
 $excludedProductIds = null;
 if ($requestBody !== null && array_key_exists('excludedProductIds', $requestBody))
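Review bot: The LoginController hunk calls `$this->GetParsedAndFilteredRequestBody($request)`, but its hunk header shows `class LoginController extends BaseController`, while the commit defines that method only in `BaseApiController` (itself a BaseController subclass), so unless BaseController gains it somewhere outside this diff, every login now fails with an undefined-method error. Even with the method reachable, passing `$postParams['password']` through HTMLPurifier rewrites `&`, `<`, `>` and similar characters before the credential is checked, so any password containing them stops matching unless every path that sets passwords applies the identical transformation; the password fields in the UsersApiController CreateUser and EditUser hunks raise the same question. A password is presumably compared against a stored hash rather than rendered, so the purifier adds nothing here: keep `$postParams = $request->getParsedBody();` in ProcessLogin and exempt password fields in the users API.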
diff --git a/controllers/StockApiController.php b/controllers/StockApiController.php
index 24d6a84d..4e4774a4 100644
--- a/controllers/StockApiController.php
+++ b/controllers/StockApiController.php
@@ -13,7 +13,7 @@ class StockApiController extends BaseApiController
 try
 {
- $requestBody = $request->getParsedBody();
+ $requestBody = $this->GetParsedAndFilteredRequestBody($request);
 $listId = 1;
@@ -37,7 +37,7 @@ class StockApiController extends BaseApiController
 try
 {
- $requestBody = $request->getParsedBody();
+ $requestBody = $this->GetParsedAndFilteredRequestBody($request);
 $listId = 1;
@@ -59,7 +59,7 @@ class StockApiController extends BaseApiController
 {
 User::checkPermission($request, User::PERMISSION_STOCK_PURCHASE);
- $requestBody = $request->getParsedBody();
+ $requestBody = $this->GetParsedAndFilteredRequestBody($request);
 try
 {
@@ -143,7 +143,7 @@ class StockApiController extends BaseApiController
 try
 {
- $requestBody = $request->getParsedBody();
+ $requestBody = $this->GetParsedAndFilteredRequestBody($request);
 $listId = 1;
 $amount = 1;
@@ -190,7 +190,7 @@ class StockApiController extends BaseApiController
 try
 {
- $requestBody = $request->getParsedBody();
+ $requestBody = $this->GetParsedAndFilteredRequestBody($request);
 $listId = 1;
@@ -212,7 +212,7 @@ class StockApiController extends BaseApiController
 {
 User::checkPermission($request, User::PERMISSION_STOCK_CONSUME);
- $requestBody = $request->getParsedBody();
+ $requestBody = $this->GetParsedAndFilteredRequestBody($request);
 $result = null;
@@ -323,7 +323,7 @@ class StockApiController extends BaseApiController
 {
 User::checkPermission($request, User::PERMISSION_STOCK_EDIT);
- $requestBody = $request->getParsedBody();
+ $requestBody = $this->GetParsedAndFilteredRequestBody($request);
 try
 {
@@ -399,7 +399,7 @@ class StockApiController extends BaseApiController
 {
 User::checkPermission($request, User::PERMISSION_STOCK_INVENTORY);
- $requestBody = $request->getParsedBody();
+ $requestBody = $this->GetParsedAndFilteredRequestBody($request);
 try
 {
@@ -467,7 +467,7 @@ class StockApiController extends BaseApiController
 {
 User::checkPermission($request, User::PERMISSION_STOCK_OPEN);
- $requestBody = $request->getParsedBody();
+ $requestBody = $this->GetParsedAndFilteredRequestBody($request);
 try
 {
@@ -582,7 +582,7 @@ class StockApiController extends BaseApiController
 try
 {
- $requestBody = $request->getParsedBody();
+ $requestBody = $this->GetParsedAndFilteredRequestBody($request);
 $listId = 1;
 $amount = 1;
@@ -664,7 +664,7 @@ class StockApiController extends BaseApiController
 {
 User::checkPermission($request, User::PERMISSION_STOCK_TRANSFER);
- $requestBody = $request->getParsedBody();
+ $requestBody = $this->GetParsedAndFilteredRequestBody($request);
 try
 {
diff --git a/controllers/SystemApiController.php b/controllers/SystemApiController.php
index 380e37d3..debadc9f 100644
--- a/controllers/SystemApiController.php
+++ b/controllers/SystemApiController.php
@@ -49,7 +49,7 @@ class SystemApiController extends BaseApiController
 {
 try
 {
- $requestBody = $request->getParsedBody();
+ $requestBody = $this->GetParsedAndFilteredRequestBody($request);
 $this->getLocalizationService()->CheckAndAddMissingTranslationToPot($requestBody['text']);
 return $this->EmptyApiResponse($response);
diff --git a/controllers/TasksApiController.php b/controllers/TasksApiController.php
index 7518c4a8..eba0f4ee 100644
--- a/controllers/TasksApiController.php
+++ b/controllers/TasksApiController.php
@@ -15,7 +15,7 @@ class TasksApiController extends BaseApiController
 {
 User::checkPermission($request, User::PERMISSION_TASKS_MARK_COMPLETED);
- $requestBody = $request->getParsedBody();
+ $requestBody = $this->GetParsedAndFilteredRequestBody($request);
 try
 {
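Review bot: In the SystemApiController hunk, `$requestBody['text']` now reaches `CheckAndAddMissingTranslationToPot` in purified form, so a source string that legitimately contains markup or a bare `&` or `<` would be recorded in the .pot under a different msgid than the template actually uses (inferred from the method name; worth confirming against the localization service). The lookup also has no `isset` guard, so a body without `text`, or a null body that the new helper returns unchanged, triggers an undefined-index notice inside the `try`. A guard such as `if (!is_array($requestBody) || !isset($requestBody['text'])) { throw new \Exception('text is required'); }` before the call keeps the failure on the API error path; the surrounding catch block is outside the hunk, so how it is reported is not visible here.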
diff --git a/controllers/UsersApiController.php b/controllers/UsersApiController.php
index 94446e76..2e88c27d 100644
--- a/controllers/UsersApiController.php
+++ b/controllers/UsersApiController.php
@@ -11,7 +11,7 @@ class UsersApiController extends BaseApiController
 try
 {
 User::checkPermission($request, User::PERMISSION_ADMIN);
- $requestBody = $request->getParsedBody();
+ $requestBody = $this->GetParsedAndFilteredRequestBody($request);
 $this->getDatabase()->user_permissions()->createRow([
 'user_id' => $args['userId'],
@@ -32,7 +32,7 @@ class UsersApiController extends BaseApiController
 public function CreateUser(\Psr\Http\Message\ServerRequestInterface $request, \Psr\Http\Message\ResponseInterface $response, array $args)
 {
 User::checkPermission($request, User::PERMISSION_USERS_CREATE);
- $requestBody = $request->getParsedBody();
+ $requestBody = $this->GetParsedAndFilteredRequestBody($request);
 try
 {
@@ -75,7 +75,7 @@ class UsersApiController extends BaseApiController
 User::checkPermission($request, User::PERMISSION_USERS_EDIT);
 }
- $requestBody = $request->getParsedBody();
+ $requestBody = $this->GetParsedAndFilteredRequestBody($request);
 try
 {
@@ -152,7 +152,7 @@ class UsersApiController extends BaseApiController
 try
 {
 User::checkPermission($request, User::PERMISSION_ADMIN);
- $requestBody = $request->getParsedBody();
+ $requestBody = $this->GetParsedAndFilteredRequestBody($request);
 $db = $this->getDatabase();
 $db->user_permissions() ->where('user_id', $args['userId'])
@@ -186,7 +186,7 @@ class UsersApiController extends BaseApiController
 {
 try
 {
- $requestBody = $request->getParsedBody();
+ $requestBody = $this->GetParsedAndFilteredRequestBody($request);
 $value = $this->getUsersService()->SetUserSetting(GROCY_USER_ID, $args['settingKey'], $requestBody['value']);
 return $this->EmptyApiResponse($response);