Sanitize input!

bakeiro · Sep 30, 2020 · 5f0a614 · 5f0a614
1 parent e06724e
commit 5f0a614
Show file tree

Hide file tree

Showing 2 changed files with 29 additions and 10 deletions.
diff --git a/system/library/Util.php b/system/library/Util.php
@@ -89,9 +89,9 @@ public static function escape($value)
      *
      * @return string
      */
-    public static function sanitizeText($text)
+    public static function preventXSS($value)
     {
-        return trim(htmlentities(preg_replace("/([^a-z0-9!@#$%^&*()_\-+\]\[{}\s\n<>:\\/\.,\?;'\"]+)/i", '', $text), ENT_QUOTES, 'UTF-8'));
+        return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
     }
 
     /**
@@ -143,4 +143,23 @@ public static function checkPostCSRFToken()
             }
         }
     }
+
+    /**
+     * This function acts exactly like array_walk_recursive, except that it pretends that the function
+     * its calling replaces the value with its result.
+     *
+     * @param $array The first value of the array will be passed into $function as the primary argument
+     * @param $function The function to be called on each element in the array, recursively
+     * @param $parameters An optional array of the additional parameters to be appended to the function
+     *
+     * Example usage to alter $array to get the second, third and fourth character from each value
+     *     array_walk_recursive_referential($array, "substr", array("1","3"));
+     */
+    public static function array_walk_recursive_referential(&$array, $function, $parameters = array()) {
+        $reference_function = function(&$value, $key, $userdata) {
+            $parameters = array_merge(array($value), $userdata[1]);
+            $value = call_user_func_array($userdata[0], $parameters);
+        };
+        array_walk_recursive($array, $reference_function, array($function, $parameters));
+    }
 }
diff --git a/system/startup.php b/system/startup.php
@@ -50,14 +50,14 @@
     Util::checkPostCSRFToken();
 }
 
-// Input security (POST and GET)
-array_walk_recursive($_GET, 'trim');
-array_walk_recursive($_GET, 'strip_tags');
-array_walk_recursive($_GET, array("Library\Util", "escape"));
-
-array_walk_recursive($_POST, 'trim');
-array_walk_recursive($_POST, 'strip_tags');
-array_walk_recursive($_POST, array("Library\Util", "escape"));
+// XSS, scape characters, SQL Injection
+Util::array_walk_recursive_referential($_GET, array("Library\Util", "preventXSS"));
+Util::array_walk_recursive_referential($_GET, "trim");
+Util::array_walk_recursive_referential($_GET, array("Library\Util", "escape"));
+
+Util::array_walk_recursive_referential($_POST, array("Library\Util", "preventXSS"));
+Util::array_walk_recursive_referential($_POST, "trim");
+Util::array_walk_recursive_referential($_POST, array("Library\Util", "escape"));
 
 // Output files
 Config::set("output_styles", array());