From 5f0a61442e47bc50d471e8e7fb5c54e65ace21aa Mon Sep 17 00:00:00 2001
From: David Baqueiro Santerbas
Date: Wed, 30 Sep 2020 22:10:49 +0200
Subject: [PATCH] Sanitize input!
---
system/library/Util.php | 23 +++++++++++++++++++++--
system/startup.php | 16 ++++++++--------
2 files changed, 29 insertions(+), 10 deletions(-)
diff --git a/system/library/Util.php b/system/library/Util.php
index 32eb541..4e70478 100644
--- a/system/library/Util.php
+++ b/system/library/Util.php
@@ -89,9 +89,9 @@ public static function escape($value)
 *
 * @return string
 */
- public static function sanitizeText($text)
+ public static function preventXSS($value)
 {
- return trim(htmlentities(preg_replace("/([^a-z0-9!@#$%^&*()_\-+\]\[{}\s\n<>:\\/\.,\?;'\"]+)/i", '', $text), ENT_QUOTES, 'UTF-8'));
+ return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
 }
 /**
@@ -143,4 +143,23 @@ public static function checkPostCSRFToken()
 }
 }
 }
+
+ /**
+ * This function acts exactly like array_walk_recursive, except that it pretends that the function
+ * its calling replaces the value with its result.
+ *
+ * @param $array The first value of the array will be passed into $function as the primary argument
+ * @param $function The function to be called on each element in the array, recursively
+ * @param $parameters An optional array of the additional parameters to be appended to the function
+ *
+ * Example usage to alter $array to get the second, third and fourth character from each value
+ * array_walk_recursive_referential($array, "substr", array("1","3"));
+ */
+ public static function array_walk_recursive_referential(&$array, $function, $parameters = array()) {
+ $reference_function = function(&$value, $key, $userdata) {
+ $parameters = array_merge(array($value), $userdata[1]);
+ $value = call_user_func_array($userdata[0], $parameters);
+ };
+ array_walk_recursive($array, $reference_function, array($function, $parameters));
+ }
 }
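Review bot: `htmlspecialchars($value, ENT_QUOTES, 'UTF-8')` in the new preventXSS body returns an empty string whenever `$value` is not valid UTF-8, so a request field containing a malformed byte is silently dropped instead of being substituted or rejected; pass `ENT_QUOTES | ENT_SUBSTITUTE` (PHP 8.1 puts ENT_SUBSTITUTE in the default flags, but the explicit flag argument here overrides that default). The rename from sanitizeText also breaks any caller that still uses the old name, and this patch shows none updated, so that is worth confirming. The PHPDoc above the signature lies outside the hunk; its `@param` line presumably still documents `$text` and should follow the rename. Since the new name promises more than the code delivers, a one-line contract comment would help: `// HTML-encodes $value for an HTML text/attribute context only; JS, URL and SQL contexts need their own encoding.`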
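Review bot: The closure inside array_walk_recursive_referential declares a `$key` parameter it never uses, re-packs the callable and its extra arguments through array_walk_recursive's third argument, and shadows the outer `$parameters` with a local of the same name, which makes a four-line helper harder to follow than it needs to be; the same behaviour reads more directly as `$reference_function = function (&$value) use ($function, $parameters): void { $value = $function($value, ...$parameters); };` followed by `array_walk_recursive($array, $reference_function);`. The PHPDoc should carry types (`@param array $array`, `@param callable $function`, `@param array $parameters`) since none of the three parameters is typed in the signature, and "its calling" should read "it is calling". It would also be worth stating in the doc that the caller's array is modified in place through the reference, as that is the whole point of the helper. The function is added in full within this hunk.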
diff --git a/system/startup.php b/system/startup.php
index 46fdbfc..1fd681e 100644
--- a/system/startup.php
+++ b/system/startup.php
@@ -50,14 +50,14 @@
 Util::checkPostCSRFToken();
 }
-// Input security (POST and GET)
-array_walk_recursive($_GET, 'trim');
-array_walk_recursive($_GET, 'strip_tags');
-array_walk_recursive($_GET, array("Library\Util", "escape"));
-
-array_walk_recursive($_POST, 'trim');
-array_walk_recursive($_POST, 'strip_tags');
-array_walk_recursive($_POST, array("Library\Util", "escape"));
+// XSS, scape characters, SQL Injection
+Util::array_walk_recursive_referential($_GET, array("Library\Util", "preventXSS"));
+Util::array_walk_recursive_referential($_GET, "trim");
+Util::array_walk_recursive_referential($_GET, array("Library\Util", "escape"));
+
+Util::array_walk_recursive_referential($_POST, array("Library\Util", "preventXSS"));
+Util::array_walk_recursive_referential($_POST, "trim");
+Util::array_walk_recursive_referential($_POST, array("Library\Util", "escape"));
 // Output files
 Config::set("output_styles", array());
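Review bot: The new lines rewrite `$_GET` and `$_POST` only; `$_REQUEST` and `$_COOKIE` are separate copies that PHP fills in before startup.php runs, so if any code in the project reads from those superglobals it receives the raw, untransformed values and this step is bypassed entirely — either walk them with the same callbacks or document that they must not be read directly. Encoding HTML entities on input (preventXSS) and then passing the result through Util::escape before it reaches any consumer also means database rows, logs, JSON responses and any later `htmlspecialchars` call in a template all receive already-encoded text and double-encode it (`&amp;quot;`); the robust pattern is prepared statements plus escaping at the output context, and at minimum the comment should state the contract so downstream code does not encode a second time: `// From here on every $_GET/$_POST value is HTML-entity-encoded (Util::preventXSS), trimmed and passed through Util::escape; downstream code must not encode or escape them again.` The comment also has a typo: "scape characters" should read "escape characters". Util::escape is defined outside this patch, so I cannot confirm what transformation it applies to the already-encoded values.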