Move sanitize logic into a dedicated class

c1959643 · Cédric Anne · GitHub · 94710084 · c1959643 · c1959643
Unverified Commit c1959643 authored Jul 23, 2021 by Cédric Anne Committed by GitHub Jul 23, 2021
--- a/inc/contenttemplates/parameters/supplierparameters.class.php
+++ b/inc/contenttemplates/parameters/supplierparameters.class.php
@@ -34,8 +34,8 @@ namespace Glpi\ContentTemplates\Parameters;

 use CommonDBTM;
 use Glpi\ContentTemplates\Parameters\ParametersTypes\AttributeParameter;
+use Glpi\Toolbox\Sanitizer;
 use Supplier;
-use Toolbox;

 if (!defined('GLPI_ROOT')) {
   die("Sorry. You can't access this file directly");
@@ -79,7 +79,7 @@ class SupplierParameters extends TreeDropdownParameters
   protected function defineValues(CommonDBTM $user): array {

      // Output "unsanitized" values
-      $fields = Toolbox::unclean_cross_side_scripting_deep($user->fields);
+      $fields = Sanitizer::unsanitize($user->fields);

      return [
         'id'        => $fields['id'],

--- a/inc/contenttemplates/parameters/ticketparameters.class.php
+++ b/inc/contenttemplates/parameters/ticketparameters.class.php
@@ -36,6 +36,7 @@ use CommonDBTM;
 use Glpi\ContentTemplates\Parameters\ParametersTypes\ArrayParameter;
 use Glpi\ContentTemplates\Parameters\ParametersTypes\AttributeParameter;
 use Glpi\ContentTemplates\Parameters\ParametersTypes\ObjectParameter;
+use Glpi\Toolbox\Sanitizer;
 use Item_Ticket;
 use KnowbaseItem;
 use KnowbaseItem_Item;
@@ -46,7 +47,6 @@ use Session;
 use SLA;
 use Ticket;
 use TicketValidation;
-use Toolbox;

 if (!defined('GLPI_ROOT')) {
   die("Sorry. You can't access this file directly");
@@ -92,7 +92,7 @@ class TicketParameters extends CommonITILObjectParameters
      /** @var Ticket $ticket  */

      // Output "unsanitized" values
-      $fields = Toolbox::unclean_cross_side_scripting_deep($ticket->fields);
+      $fields = Sanitizer::unsanitize($ticket->fields);

      $values = parent::defineValues($ticket);


--- a/inc/contenttemplates/parameters/treedropdownparameters.class.php
+++ b/inc/contenttemplates/parameters/treedropdownparameters.class.php
@@ -34,7 +34,7 @@ namespace Glpi\ContentTemplates\Parameters;

 use CommonDBTM;
 use Glpi\ContentTemplates\Parameters\ParametersTypes\AttributeParameter;
-use Toolbox;
+use Glpi\Toolbox\Sanitizer;

 if (!defined('GLPI_ROOT')) {
   die("Sorry. You can't access this file directly");
@@ -56,7 +56,7 @@ abstract class TreeDropdownParameters extends DropdownParameters
   protected function defineValues(CommonDBTM $item): array {

      // Output "unsanitized" values
-      $fields = Toolbox::unclean_cross_side_scripting_deep($item->fields);
+      $fields = Sanitizer::unsanitize($item->fields);

      $values = parent::defineValues($item);
      $values['completename'] = $fields['completename'];

--- a/inc/contenttemplates/parameters/userparameters.class.php
+++ b/inc/contenttemplates/parameters/userparameters.class.php
@@ -34,7 +34,7 @@ namespace Glpi\ContentTemplates\Parameters;

 use CommonDBTM;
 use Glpi\ContentTemplates\Parameters\ParametersTypes\AttributeParameter;
-use Toolbox;
+use Glpi\Toolbox\Sanitizer;
 use User;
 use UserEmail;

@@ -76,7 +76,7 @@ class UserParameters extends AbstractParameters
   protected function defineValues(CommonDBTM $user): array {

      // Output "unsanitized" values
-      $fields = Toolbox::unclean_cross_side_scripting_deep($user->fields);
+      $fields = Sanitizer::unsanitize($user->fields);

      return [
         'id'    => $fields['id'],

--- a/inc/contenttemplates/templatemanager.class.php
+++ b/inc/contenttemplates/templatemanager.class.php
@@ -33,6 +33,7 @@
 namespace Glpi\ContentTemplates;

 use Glpi\Toolbox\RichText;
+use Glpi\Toolbox\Sanitizer;
 use Twig\Environment;
 use Twig\Extension\SandboxExtension;
 use Twig\Loader\ArrayLoader;
@@ -69,7 +70,7 @@ class TemplateManager
   ): string {
      // Unclean input if needed
      if ($sanitized_content) {
-         $content = \Toolbox::unclean_cross_side_scripting_deep($content);
+         $content = Sanitizer::unsanitize($content);
      }

      // Init twig
@@ -99,7 +100,7 @@ class TemplateManager
    */
   public static function validate(string $content, bool $sanitized_content = false, ?string &$err_msg = null): bool {
      if ($sanitized_content) {
-         $content = \Toolbox::unclean_cross_side_scripting_deep($content);
+         $content = Sanitizer::unsanitize($content);
      }

      $twig = new Environment(new ArrayLoader(['template' => $content]));

--- a/inc/dbutils.class.php
+++ b/inc/dbutils.class.php
@@ -30,6 +30,8 @@
 * ---------------------------------------------------------------------
 */

+use Glpi\Toolbox\Sanitizer;
+
 if (!defined('GLPI_ROOT')) {
   die("Sorry. You can't access this file directly");
 }
@@ -1124,7 +1126,7 @@ final class DbUtils {
         // Separator is not encoded in DB, and it could not be changed as this is mandatory to be able to split tree
         // correctly even if some tree elements are containing ">" char in their name (this one will be encoded).
         $separator = ' > ';
-         $name = implode(Toolbox::clean_cross_side_scripting_deep($separator), explode($separator, $name));
+         $name = implode(Sanitizer::sanitize($separator), explode($separator, $name));

         if ($tooltip) {
            $comment  = sprintf(__('%1$s: %2$s')."<br>",

--- a/inc/document.class.php
+++ b/inc/document.class.php
@@ -31,6 +31,7 @@
 */

 use Glpi\Event;
+use Glpi\Toolbox\Sanitizer;

 if (!defined('GLPI_ROOT')) {
   die("Sorry. You can't access this file directly");
@@ -1351,8 +1352,7 @@ class Document extends CommonDBTM {
      ]);

      while ($data = $iterator->next()) {
-         if (preg_match(Toolbox::unclean_cross_side_scripting_deep($data['ext'])."i",
-                        $ext, $results) > 0) {
+         if (preg_match(Sanitizer::unsanitize($data['ext'])."i", $ext, $results) > 0) {
            return Toolbox::strtoupper($ext);
         }
      }

--- a/inc/dropdown.class.php
+++ b/inc/dropdown.class.php
@@ -30,6 +30,8 @@
 * ---------------------------------------------------------------------
 */

+use Glpi\Toolbox\Sanitizer;
+
 if (!defined('GLPI_ROOT')) {
   die("Sorry. You can't access this file directly");
 }
@@ -160,7 +162,7 @@ class Dropdown {
      }

      if (!$item instanceof CommonTreeDropdown) {
-         $name = Toolbox::unclean_cross_side_scripting_deep($name);
+         $name = Sanitizer::unsanitize($name);
      }
      $p = ['value'                => $params['value'],
            'valuename'            => $name,
@@ -3027,7 +3029,7 @@ class Dropdown {
         }
      }

-      $ret['results'] = Toolbox::unclean_cross_side_scripting_deep($datas);
+      $ret['results'] = Sanitizer::unsanitize($datas);
      $ret['count']   = $count;

      return ($json === true) ? json_encode($ret) : $ret;

--- a/inc/features/planningevent.class.php
+++ b/inc/features/planningevent.class.php
@@ -45,6 +45,7 @@ use DateTimeZone;
 use Dropdown;
 use Entity;
 use Glpi\Toolbox\RichText;
+use Glpi\Toolbox\Sanitizer;
 use Group_User;
 use Html;
 use Planning;
@@ -543,7 +544,7 @@ trait PlanningEvent {
                  'users_id'         => $data["users_id"],
                  'state'            => $data["state"],
                  'background'       => $has_bg ? $data['background'] : false,
-                  'name'             => Toolbox::unclean_cross_side_scripting_deep($data['name']), // name is re-encoded on JS side
+                  'name'             => Sanitizer::unsanitize($data['name']), // name is re-encoded on JS side
                  'text'             => $data['text'] !== null
                     ? RichText::getSafeHtml($data['text'], true)
                     : '',

--- a/inc/features/usermention.class.php
+++ b/inc/features/usermention.class.php
@@ -36,11 +36,11 @@ use CommonITILActor;
 use CommonITILObject;
 use CommonITILTask;
 use CommonITILValidation;
+use Glpi\Toolbox\Sanitizer;
 use ITILFollowup;
 use ITILSolution;
 use NotificationEvent;
 use SimpleXMLElement;
-use Toolbox;
 use User;

 trait UserMention {
@@ -179,9 +179,7 @@ trait UserMention {

      try {
         if ($sanitized) {
-            $content = Toolbox::stripslashes_deep(
-               Toolbox::unclean_cross_side_scripting_deep($content)
-            );
+            $content = Sanitizer::unsanitize($content, true);
         }
         libxml_use_internal_errors(true);
         $content_as_xml = new SimpleXMLElement('<div>' . $content . '</div>');

--- a/inc/glpikey.class.php
+++ b/inc/glpikey.class.php
@@ -34,6 +34,8 @@ if (!defined('GLPI_ROOT')) {
   die("Sorry. You can't access this file directly");
 }

+use Glpi\Toolbox\Sanitizer;
+
 /**
 *  GLPI security key
 **/
@@ -329,6 +331,6 @@ class GLPIKey {
         $result .= $char;
      }

-      return Toolbox::unclean_cross_side_scripting_deep($result);
+      return Sanitizer::unsanitize($result);
   }
 }
--- a/inc/html.class.php
+++ b/inc/html.class.php
@@ -30,6 +30,7 @@
 * ---------------------------------------------------------------------
 */

+use Glpi\Toolbox\Sanitizer;
 use ScssPhp\ScssPhp\Compiler;

 if (!defined('GLPI_ROOT')) {
@@ -4255,7 +4256,7 @@ JAVASCRIPT
         echo "<tr><th>KEY</th><th>=></th><th>VALUE</th></tr>";

         foreach ($tab as $key => $val) {
-            $key = Toolbox::clean_cross_side_scripting_deep($key);
+            $key = Sanitizer::sanitize($key);
            echo "<tr class='tab_bg_1'><td class='top right'>";
            echo $key;
            $is_array = is_array($val);

--- a/inc/includes.php
+++ b/inc/includes.php
@@ -30,6 +30,8 @@
 * ---------------------------------------------------------------------
 */

+use Glpi\Toolbox\Sanitizer;
+
 if (!defined('GLPI_ROOT')) {
   define('GLPI_ROOT', dirname(__DIR__));
 }
@@ -70,21 +72,20 @@ if (isset($_POST)) {
   if (isset($_POST['_glpi_simple_form'])) {
      $_POST = array_map('urldecode', $_POST);
   }
-   $_POST = Toolbox::sanitize($_POST);
+   $_POST = Sanitizer::sanitize($_POST, true);
 }
 if (isset($_GET)) {
   $_UGET = $_GET; //keep raw, as a workaround
-   $_GET  = Toolbox::sanitize($_GET);
+   $_GET  = Sanitizer::sanitize($_GET, true);
 }
 if (isset($_REQUEST)) {
   $_UREQUEST = $_REQUEST; //keep raw, as a workaround
-   $_REQUEST  = Toolbox::sanitize($_REQUEST);
+   $_REQUEST  = Sanitizer::sanitize($_REQUEST, true);
 }
 if (isset($_FILES)) {
   $_UFILES = $_FILES; //keep raw, as a workaround
   foreach ($_FILES as &$file) {
-      $file['name'] = Toolbox::addslashes_deep($file['name']);
-      $file['name'] = Toolbox::clean_cross_side_scripting_deep($file['name']);
+      $file['name'] = Sanitizer::sanitize($file['name'], true);
   }
 }
 unset($file);

--- a/inc/knowbaseitem.class.php
+++ b/inc/knowbaseitem.class.php
@@ -32,6 +32,7 @@

 use Glpi\Event;
 use Glpi\Toolbox\RichText;
+use Glpi\Toolbox\Sanitizer;

 if (!defined('GLPI_ROOT')) {
   die("Sorry. You can't access this file directly");
@@ -1290,7 +1291,7 @@ class KnowbaseItem extends CommonDBVisible implements ExtraVisibilityCriteria {

         case 'search' :
            if (strlen($params["contains"]) > 0) {
-               $search  = Toolbox::unclean_cross_side_scripting_deep($params["contains"]);
+               $search  = Sanitizer::unsanitize($params["contains"]);
               $search_wilcard = explode(' ', $search);
               $search_wilcard = implode('* ', $search_wilcard).'*';


--- a/inc/mailcollector.class.php
+++ b/inc/mailcollector.class.php
@@ -34,6 +34,7 @@ if (!defined('GLPI_ROOT')) {
   die("Sorry. You can't access this file directly");
 }

+use Glpi\Toolbox\Sanitizer;
 use Laminas\Mail\Address;
 use Laminas\Mail\Header\AbstractAddressList;
 use Laminas\Mail\Header\ContentDisposition;
@@ -1225,7 +1226,7 @@ class MailCollector  extends CommonDBTM {
         }
      }

-      $tkt = Toolbox::clean_cross_side_scripting_deep(Toolbox::addslashes_deep($tkt));
+      $tkt = Sanitizer::sanitize($tkt, true);
      return $tkt;
   }

@@ -1285,7 +1286,7 @@ class MailCollector  extends CommonDBTM {
   **/
   function cleanSubject($text) {
      $text = str_replace("=20", "\n", $text);
-      $text =  Toolbox::clean_cross_side_scripting_deep($text);
+      $text =  Sanitizer::sanitize($text);
      return $text;
   }


--- a/inc/notificationajax.class.php
+++ b/inc/notificationajax.class.php
@@ -30,6 +30,8 @@
 * ---------------------------------------------------------------------
 */

+use Glpi\Toolbox\Sanitizer;
+
 if (!defined('GLPI_ROOT')) {
   die("Sorry. You can't access this file directly");
 }
@@ -86,7 +88,7 @@ class NotificationAjax implements NotificationInterface {

      $queue = new QueuedNotification();

-      if (!$queue->add(Toolbox::sanitize($data))) {
+      if (!$queue->add(Sanitizer::sanitize($data, true))) {
         Session::addMessageAfterRedirect(__('Error inserting browser notification to queue'), true, ERROR);
         return false;
      } else {

--- a/inc/notificationmailing.class.php
+++ b/inc/notificationmailing.class.php
 <?php
+
 /**
 * ---------------------------------------------------------------------
 * GLPI - Gestionnaire Libre de Parc Informatique
@@ -34,6 +35,8 @@ if (!defined('GLPI_ROOT')) {
   die("Sorry. You can't access this file directly");
 }

+use Glpi\Toolbox\Sanitizer;
+
 /**
 *  NotificationMailing class implements the NotificationInterface
 **/
@@ -156,7 +159,7 @@ class NotificationMailing implements NotificationInterface {

      $queue = new QueuedNotification();

-      if (!$queue->add(Toolbox::sanitize($data))) {
+      if (!$queue->add(Sanitizer::sanitize($data, true))) {
         Session::addMessageAfterRedirect(__('Error inserting email to queue'), true, ERROR);
         return false;
      } else {

--- a/inc/notificationtemplate.class.php
+++ b/inc/notificationtemplate.class.php
@@ -35,6 +35,7 @@ if (!defined('GLPI_ROOT')) {
 }

 use Glpi\Toolbox\RichText;
+use Glpi\Toolbox\Sanitizer;

 /**
 * NotificationTemplate Class
@@ -260,8 +261,8 @@ class NotificationTemplate extends CommonDBTM {
         if ($template_datas = $this->getByLanguage($language)) {
            //Template processing

-            $template_datas  = Toolbox::unclean_cross_side_scripting_deep($template_datas);
-            $data            = Toolbox::unclean_cross_side_scripting_deep($data);
+            $template_datas  = Sanitizer::unsanitize($template_datas);
+            $data            = Sanitizer::unsanitize($data);

            $lang['subject']      = $target->getSubjectPrefix($event)
               . self::process($template_datas['subject'], self::getDataForPlainText($data));

--- a/inc/notificationtemplatetranslation.class.php
+++ b/inc/notificationtemplatetranslation.class.php
@@ -35,6 +35,7 @@ if (!defined('GLPI_ROOT')) {
 }

 use Glpi\Toolbox\RichText;
+use Glpi\Toolbox\Sanitizer;

 /**
 * NotificationTemplateTranslation Class
@@ -246,17 +247,13 @@ class NotificationTemplateTranslation extends CommonDBChild {
   static function cleanContentHtml(array $input) {

      // Unsanitize
-      //
-      // Using `Toolbox::stripslashes_deep()` on sanitized content will produce "r" and "n" instead of "\r" and \n",
-      // so newlines have to be removed before calling it.
-      $txt = str_replace(['\r', '\n'], ' ', $input['content_html']);
-      $txt = Toolbox::stripslashes_deep(Toolbox::unclean_cross_side_scripting_deep($txt));
+      $txt = Sanitizer::unsanitize($input['content_html'], true);

      // Get as text plain text
      $txt = RichText::getTextFromHtml($txt, true);

      // Sanitize result
-      $txt = Toolbox::clean_cross_side_scripting_deep(Toolbox::addslashes_deep($txt));
+      $txt = Sanitizer::sanitize($txt, true);

      if (!$txt) {
         // No HTML (nothing to display)

--- a/inc/projecttask.class.php
+++ b/inc/projecttask.class.php
@@ -37,6 +37,7 @@ if (!defined('GLPI_ROOT')) {
 use Glpi\CalDAV\Contracts\CalDAVCompatibleItemInterface;
 use Glpi\CalDAV\Traits\VobjectConverterTrait;
 use Glpi\Toolbox\RichText;
+use Glpi\Toolbox\Sanitizer;
 use Sabre\VObject\Component\VCalendar;
 use Sabre\VObject\Property\FlatText;
 use Sabre\VObject\Property\IntegerValue;
@@ -1790,7 +1791,7 @@ class ProjectTask extends CommonDBChild implements CalDAVCompatibleItemInterface
                  $interv[$key]["end"]   = $data["plan_end_date"];
               }

-               $interv[$key]["name"]     = Toolbox::unclean_cross_side_scripting_deep($task->fields["name"]); // name is re-encoded on JS side
+               $interv[$key]["name"]     = Sanitizer::unsanitize($task->fields["name"]); // name is re-encoded on JS side
               $interv[$key]["content"]  = $task->fields["content"] !== null
                  ? RichText::getSafeHtml($task->fields["content"], true)
                  : '';