Unverified Commit c1959643 authored by Cédric Anne's avatar Cédric Anne Committed by GitHub

Move sanitize logic into a dedicated class

parent 94710084
......@@ -34,8 +34,8 @@ namespace Glpi\ContentTemplates\Parameters;
use CommonDBTM;
use Glpi\ContentTemplates\Parameters\ParametersTypes\AttributeParameter;
use Glpi\Toolbox\Sanitizer;
use Supplier;
use Toolbox;
if (!defined('GLPI_ROOT')) {
die("Sorry. You can't access this file directly");
......@@ -79,7 +79,7 @@ class SupplierParameters extends TreeDropdownParameters
protected function defineValues(CommonDBTM $user): array {
// Output "unsanitized" values
$fields = Toolbox::unclean_cross_side_scripting_deep($user->fields);
$fields = Sanitizer::unsanitize($user->fields);
return [
'id' => $fields['id'],
......
......@@ -36,6 +36,7 @@ use CommonDBTM;
use Glpi\ContentTemplates\Parameters\ParametersTypes\ArrayParameter;
use Glpi\ContentTemplates\Parameters\ParametersTypes\AttributeParameter;
use Glpi\ContentTemplates\Parameters\ParametersTypes\ObjectParameter;
use Glpi\Toolbox\Sanitizer;
use Item_Ticket;
use KnowbaseItem;
use KnowbaseItem_Item;
......@@ -46,7 +47,6 @@ use Session;
use SLA;
use Ticket;
use TicketValidation;
use Toolbox;
if (!defined('GLPI_ROOT')) {
die("Sorry. You can't access this file directly");
......@@ -92,7 +92,7 @@ class TicketParameters extends CommonITILObjectParameters
/** @var Ticket $ticket */
// Output "unsanitized" values
$fields = Toolbox::unclean_cross_side_scripting_deep($ticket->fields);
$fields = Sanitizer::unsanitize($ticket->fields);
$values = parent::defineValues($ticket);
......
......@@ -34,7 +34,7 @@ namespace Glpi\ContentTemplates\Parameters;
use CommonDBTM;
use Glpi\ContentTemplates\Parameters\ParametersTypes\AttributeParameter;
use Toolbox;
use Glpi\Toolbox\Sanitizer;
if (!defined('GLPI_ROOT')) {
die("Sorry. You can't access this file directly");
......@@ -56,7 +56,7 @@ abstract class TreeDropdownParameters extends DropdownParameters
protected function defineValues(CommonDBTM $item): array {
// Output "unsanitized" values
$fields = Toolbox::unclean_cross_side_scripting_deep($item->fields);
$fields = Sanitizer::unsanitize($item->fields);
$values = parent::defineValues($item);
$values['completename'] = $fields['completename'];
......
......@@ -34,7 +34,7 @@ namespace Glpi\ContentTemplates\Parameters;
use CommonDBTM;
use Glpi\ContentTemplates\Parameters\ParametersTypes\AttributeParameter;
use Toolbox;
use Glpi\Toolbox\Sanitizer;
use User;
use UserEmail;
......@@ -76,7 +76,7 @@ class UserParameters extends AbstractParameters
protected function defineValues(CommonDBTM $user): array {
// Output "unsanitized" values
$fields = Toolbox::unclean_cross_side_scripting_deep($user->fields);
$fields = Sanitizer::unsanitize($user->fields);
return [
'id' => $fields['id'],
......
......@@ -33,6 +33,7 @@
namespace Glpi\ContentTemplates;
use Glpi\Toolbox\RichText;
use Glpi\Toolbox\Sanitizer;
use Twig\Environment;
use Twig\Extension\SandboxExtension;
use Twig\Loader\ArrayLoader;
......@@ -69,7 +70,7 @@ class TemplateManager
): string {
// Unclean input if needed
if ($sanitized_content) {
$content = \Toolbox::unclean_cross_side_scripting_deep($content);
$content = Sanitizer::unsanitize($content);
}
// Init twig
......@@ -99,7 +100,7 @@ class TemplateManager
*/
public static function validate(string $content, bool $sanitized_content = false, ?string &$err_msg = null): bool {
if ($sanitized_content) {
$content = \Toolbox::unclean_cross_side_scripting_deep($content);
$content = Sanitizer::unsanitize($content);
}
$twig = new Environment(new ArrayLoader(['template' => $content]));
......
......@@ -30,6 +30,8 @@
* ---------------------------------------------------------------------
*/
use Glpi\Toolbox\Sanitizer;
if (!defined('GLPI_ROOT')) {
die("Sorry. You can't access this file directly");
}
......@@ -1124,7 +1126,7 @@ final class DbUtils {
// Separator is not encoded in DB, and it could not be changed as this is mandatory to be able to split tree
// correctly even if some tree elements are containing ">" char in their name (this one will be encoded).
$separator = ' > ';
$name = implode(Toolbox::clean_cross_side_scripting_deep($separator), explode($separator, $name));
$name = implode(Sanitizer::sanitize($separator), explode($separator, $name));
if ($tooltip) {
$comment = sprintf(__('%1$s: %2$s')."<br>",
......
......@@ -31,6 +31,7 @@
*/
use Glpi\Event;
use Glpi\Toolbox\Sanitizer;
if (!defined('GLPI_ROOT')) {
die("Sorry. You can't access this file directly");
......@@ -1351,8 +1352,7 @@ class Document extends CommonDBTM {
]);
while ($data = $iterator->next()) {
if (preg_match(Toolbox::unclean_cross_side_scripting_deep($data['ext'])."i",
$ext, $results) > 0) {
if (preg_match(Sanitizer::unsanitize($data['ext'])."i", $ext, $results) > 0) {
return Toolbox::strtoupper($ext);
}
}
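Review bot: The rewritten `preg_match` call still passes an unused `$results` out-parameter and folds a `false` return (a PCRE compile error) into the no-match case through `> 0`; since the pattern is the stored `ext` value decoded by `Sanitizer::unsanitize()`, a malformed row would fail silently rather than visibly. Dropping the third argument and keeping the result in a variable makes the error case distinguishable: `$matched = preg_match(Sanitizer::unsanitize($data['ext']) . "i", $ext);` followed by `if ($matched === 1) {`, with the `false` case at least logged. The enclosing method starts and ends outside the hunk.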
......
......@@ -30,6 +30,8 @@
* ---------------------------------------------------------------------
*/
use Glpi\Toolbox\Sanitizer;
if (!defined('GLPI_ROOT')) {
die("Sorry. You can't access this file directly");
}
......@@ -160,7 +162,7 @@ class Dropdown {
}
if (!$item instanceof CommonTreeDropdown) {
$name = Toolbox::unclean_cross_side_scripting_deep($name);
$name = Sanitizer::unsanitize($name);
}
$p = ['value' => $params['value'],
'valuename' => $name,
......@@ -3027,7 +3029,7 @@ class Dropdown {
}
}
$ret['results'] = Toolbox::unclean_cross_side_scripting_deep($datas);
$ret['results'] = Sanitizer::unsanitize($datas);
$ret['count'] = $count;
return ($json === true) ? json_encode($ret) : $ret;
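Review bot: `$ret['results']` now holds the HTML-decoded form of `$datas` and on the following lines leaves the method either as a raw array or through `json_encode()`, so whoever renders these values has to escape them itself; the hunk does not state that contract, while the equivalent lines in PlanningEvent and ProjectTask carry `// name is re-encoded on JS side`. I would add the same kind of note on the new line, e.g. `// results are unsanitized: the consumer (JS side) must HTML-escape before rendering`. The enclosing method starts outside the hunk.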
......
......@@ -45,6 +45,7 @@ use DateTimeZone;
use Dropdown;
use Entity;
use Glpi\Toolbox\RichText;
use Glpi\Toolbox\Sanitizer;
use Group_User;
use Html;
use Planning;
......@@ -543,7 +544,7 @@ trait PlanningEvent {
'users_id' => $data["users_id"],
'state' => $data["state"],
'background' => $has_bg ? $data['background'] : false,
'name' => Toolbox::unclean_cross_side_scripting_deep($data['name']), // name is re-encoded on JS side
'name' => Sanitizer::unsanitize($data['name']), // name is re-encoded on JS side
'text' => $data['text'] !== null
? RichText::getSafeHtml($data['text'], true)
: '',
......
......@@ -36,11 +36,11 @@ use CommonITILActor;
use CommonITILObject;
use CommonITILTask;
use CommonITILValidation;
use Glpi\Toolbox\Sanitizer;
use ITILFollowup;
use ITILSolution;
use NotificationEvent;
use SimpleXMLElement;
use Toolbox;
use User;
trait UserMention {
......@@ -179,9 +179,7 @@ trait UserMention {
try {
if ($sanitized) {
$content = Toolbox::stripslashes_deep(
Toolbox::unclean_cross_side_scripting_deep($content)
);
$content = Sanitizer::unsanitize($content, true);
}
libxml_use_internal_errors(true);
$content_as_xml = new SimpleXMLElement('<div>' . $content . '</div>');
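Review bot: `Sanitizer::unsanitize($content, true)` passes a bare boolean whose meaning — here it replaces the removed `Toolbox::stripslashes_deep()` wrapper — is not readable at the call site, and the same opaque `true` flag appears on the new `Sanitizer::sanitize(..., true)` lines in includes.php, MailCollector, NotificationAjax, NotificationMailing and NotificationTemplateTranslation. A named argument (if the project's minimum PHP version allows it) or a separately named method for the slashes-handling variant would make the distinction explicit; until then a short comment at this call, `// second arg: also undo the slashes step (was Toolbox::stripslashes_deep)`, documents it. The enclosing `try` block and method continue outside the hunk.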
......
......@@ -34,6 +34,8 @@ if (!defined('GLPI_ROOT')) {
die("Sorry. You can't access this file directly");
}
use Glpi\Toolbox\Sanitizer;
/**
* GLPI security key
**/
......@@ -329,6 +331,6 @@ class GLPIKey {
$result .= $char;
}
return Toolbox::unclean_cross_side_scripting_deep($result);
return Sanitizer::unsanitize($result);
}
}
......@@ -30,6 +30,7 @@
* ---------------------------------------------------------------------
*/
use Glpi\Toolbox\Sanitizer;
use ScssPhp\ScssPhp\Compiler;
if (!defined('GLPI_ROOT')) {
......@@ -4255,7 +4256,7 @@ JAVASCRIPT
echo "<tr><th>KEY</th><th>=></th><th>VALUE</th></tr>";
foreach ($tab as $key => $val) {
$key = Toolbox::clean_cross_side_scripting_deep($key);
$key = Sanitizer::sanitize($key);
echo "<tr class='tab_bg_1'><td class='top right'>";
echo $key;
$is_array = is_array($val);
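Review bot: On the new line `$key` goes through `Sanitizer::sanitize()` and is then `echo`ed directly inside a `<td>`, so a storage-oriented sanitizer is doing duty as the HTML output escaper; whether it encodes the same characters as the removed `Toolbox::clean_cross_side_scripting_deep()` call is not visible here, and nothing on the page shows quotes being encoded by either. Escaping for the output context instead keeps this debug output correct regardless of how the sanitizer's encoding evolves: `echo htmlspecialchars((string) $key, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');`. The enclosing function starts and ends outside the hunk.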
......
......@@ -30,6 +30,8 @@
* ---------------------------------------------------------------------
*/
use Glpi\Toolbox\Sanitizer;
if (!defined('GLPI_ROOT')) {
define('GLPI_ROOT', dirname(__DIR__));
}
......@@ -70,21 +72,20 @@ if (isset($_POST)) {
if (isset($_POST['_glpi_simple_form'])) {
$_POST = array_map('urldecode', $_POST);
}
$_POST = Toolbox::sanitize($_POST);
$_POST = Sanitizer::sanitize($_POST, true);
}
if (isset($_GET)) {
$_UGET = $_GET; //keep raw, as a workaround
$_GET = Toolbox::sanitize($_GET);
$_GET = Sanitizer::sanitize($_GET, true);
}
if (isset($_REQUEST)) {
$_UREQUEST = $_REQUEST; //keep raw, as a workaround
$_REQUEST = Toolbox::sanitize($_REQUEST);
$_REQUEST = Sanitizer::sanitize($_REQUEST, true);
}
if (isset($_FILES)) {
$_UFILES = $_FILES; //keep raw, as a workaround
foreach ($_FILES as &$file) {
$file['name'] = Toolbox::addslashes_deep($file['name']);
$file['name'] = Toolbox::clean_cross_side_scripting_deep($file['name']);
$file['name'] = Sanitizer::sanitize($file['name'], true);
}
}
unset($file);
......
......@@ -32,6 +32,7 @@
use Glpi\Event;
use Glpi\Toolbox\RichText;
use Glpi\Toolbox\Sanitizer;
if (!defined('GLPI_ROOT')) {
die("Sorry. You can't access this file directly");
......@@ -1290,7 +1291,7 @@ class KnowbaseItem extends CommonDBVisible implements ExtraVisibilityCriteria {
case 'search' :
if (strlen($params["contains"]) > 0) {
$search = Toolbox::unclean_cross_side_scripting_deep($params["contains"]);
$search = Sanitizer::unsanitize($params["contains"]);
$search_wilcard = explode(' ', $search);
$search_wilcard = implode('* ', $search_wilcard).'*';
......
......@@ -34,6 +34,7 @@ if (!defined('GLPI_ROOT')) {
die("Sorry. You can't access this file directly");
}
use Glpi\Toolbox\Sanitizer;
use Laminas\Mail\Address;
use Laminas\Mail\Header\AbstractAddressList;
use Laminas\Mail\Header\ContentDisposition;
......@@ -1225,7 +1226,7 @@ class MailCollector extends CommonDBTM {
}
}
$tkt = Toolbox::clean_cross_side_scripting_deep(Toolbox::addslashes_deep($tkt));
$tkt = Sanitizer::sanitize($tkt, true);
return $tkt;
}
......@@ -1285,7 +1286,7 @@ class MailCollector extends CommonDBTM {
**/
function cleanSubject($text) {
$text = str_replace("=20", "\n", $text);
$text = Toolbox::clean_cross_side_scripting_deep($text);
$text = Sanitizer::sanitize($text);
return $text;
}
......
......@@ -30,6 +30,8 @@
* ---------------------------------------------------------------------
*/
use Glpi\Toolbox\Sanitizer;
if (!defined('GLPI_ROOT')) {
die("Sorry. You can't access this file directly");
}
......@@ -86,7 +88,7 @@ class NotificationAjax implements NotificationInterface {
$queue = new QueuedNotification();
if (!$queue->add(Toolbox::sanitize($data))) {
if (!$queue->add(Sanitizer::sanitize($data, true))) {
Session::addMessageAfterRedirect(__('Error inserting browser notification to queue'), true, ERROR);
return false;
} else {
......
<?php
/**
* ---------------------------------------------------------------------
* GLPI - Gestionnaire Libre de Parc Informatique
......@@ -34,6 +35,8 @@ if (!defined('GLPI_ROOT')) {
die("Sorry. You can't access this file directly");
}
use Glpi\Toolbox\Sanitizer;
/**
* NotificationMailing class implements the NotificationInterface
**/
......@@ -156,7 +159,7 @@ class NotificationMailing implements NotificationInterface {
$queue = new QueuedNotification();
if (!$queue->add(Toolbox::sanitize($data))) {
if (!$queue->add(Sanitizer::sanitize($data, true))) {
Session::addMessageAfterRedirect(__('Error inserting email to queue'), true, ERROR);
return false;
} else {
......
......@@ -35,6 +35,7 @@ if (!defined('GLPI_ROOT')) {
}
use Glpi\Toolbox\RichText;
use Glpi\Toolbox\Sanitizer;
/**
* NotificationTemplate Class
......@@ -260,8 +261,8 @@ class NotificationTemplate extends CommonDBTM {
if ($template_datas = $this->getByLanguage($language)) {
//Template processing
$template_datas = Toolbox::unclean_cross_side_scripting_deep($template_datas);
$data = Toolbox::unclean_cross_side_scripting_deep($data);
$template_datas = Sanitizer::unsanitize($template_datas);
$data = Sanitizer::unsanitize($data);
$lang['subject'] = $target->getSubjectPrefix($event)
. self::process($template_datas['subject'], self::getDataForPlainText($data));
......
......@@ -35,6 +35,7 @@ if (!defined('GLPI_ROOT')) {
}
use Glpi\Toolbox\RichText;
use Glpi\Toolbox\Sanitizer;
/**
* NotificationTemplateTranslation Class
......@@ -246,17 +247,13 @@ class NotificationTemplateTranslation extends CommonDBChild {
static function cleanContentHtml(array $input) {
// Unsanitize
//
// Using `Toolbox::stripslashes_deep()` on sanitized content will produce "r" and "n" instead of "\r" and \n",
// so newlines have to be removed before calling it.
$txt = str_replace(['\r', '\n'], ' ', $input['content_html']);
$txt = Toolbox::stripslashes_deep(Toolbox::unclean_cross_side_scripting_deep($txt));
$txt = Sanitizer::unsanitize($input['content_html'], true);
// Get as text plain text
$txt = RichText::getTextFromHtml($txt, true);
// Sanitize result
$txt = Toolbox::clean_cross_side_scripting_deep(Toolbox::addslashes_deep($txt));
$txt = Sanitizer::sanitize($txt, true);
if (!$txt) {
// No HTML (nothing to display)
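Review bot: The removed lines documented a concrete hazard — `Toolbox::stripslashes_deep()` turned literal `\r`/`\n` sequences in sanitized content into `r`/`n`, which is why they were replaced by spaces first — and the new `Sanitizer::unsanitize($input['content_html'], true)` drops both the workaround and its explanation. Nothing in this hunk shows that the new helper handles those sequences, so either it does and a comment should say so, or the old corruption returns in the plain-text rendering; I would keep a one-line note such as `// Sanitizer::unsanitize(..., true) must keep literal \r / \n intact (replaces the former str_replace workaround)` and a test feeding `cleanContentHtml()` content containing `\r\n`. Note also that the new version passes those newlines unchanged to `RichText::getTextFromHtml()`, where the old code had replaced them with spaces, so the plain-text result may differ from before even when the helper is correct.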
......
......@@ -37,6 +37,7 @@ if (!defined('GLPI_ROOT')) {
use Glpi\CalDAV\Contracts\CalDAVCompatibleItemInterface;
use Glpi\CalDAV\Traits\VobjectConverterTrait;
use Glpi\Toolbox\RichText;
use Glpi\Toolbox\Sanitizer;
use Sabre\VObject\Component\VCalendar;
use Sabre\VObject\Property\FlatText;
use Sabre\VObject\Property\IntegerValue;
......@@ -1790,7 +1791,7 @@ class ProjectTask extends CommonDBChild implements CalDAVCompatibleItemInterface
$interv[$key]["end"] = $data["plan_end_date"];
}
$interv[$key]["name"] = Toolbox::unclean_cross_side_scripting_deep($task->fields["name"]); // name is re-encoded on JS side
$interv[$key]["name"] = Sanitizer::unsanitize($task->fields["name"]); // name is re-encoded on JS side
$interv[$key]["content"] = $task->fields["content"] !== null
? RichText::getSafeHtml($task->fields["content"], true)
: '';
......