Sanitize user input on all API routes (references #996)

2025-08-14 17:54:40 +00:00 · 2020-10-14 22:49:29 +02:00
parent 7b8438bfa2
commit c11001467b
12 changed files with 98 additions and 28 deletions
--- a/controllers/BaseApiController.php
+++ b/controllers/BaseApiController.php
@@ -115,4 +115,22 @@ class BaseApiController extends BaseController

 		return $this->OpenApiSpec;
 	}
+
+	private static $htmlPurifierInstance = null;
+
+	protected function GetParsedAndFilteredRequestBody($request)
+	{
+		if (self::$htmlPurifierInstance == null)
+		{
+			self::$htmlPurifierInstance = new \HTMLPurifier(\HTMLPurifier_Config::createDefault());
+		}
+
+		$requestBody = $request->getParsedBody();
+		foreach ($requestBody as $key => &$value)
+		{
+			$value = self::$htmlPurifierInstance->purify($value);
+		}
+
+		return $requestBody;
+	}
 }