Merge pull request #347 from wrongecho/html-purifier

Filter dangerous HTML tags out of tickets & documents using HTML Purifier
This commit is contained in:
Johnny
2022-02-05 18:54:01 -05:00
committed by GitHub
2 changed files with 53 additions and 19 deletions


@@ -16,7 +16,6 @@
</div> </div>
<?php <?php
if($document_tags) { if($document_tags) {
foreach($document_tags as $document_tag) {
?> ?>
<!-- Document Tags select start --> <!-- Document Tags select start -->
<div class="form-group"> <div class="form-group">
@@ -25,6 +24,9 @@
<span class="fa fa-fw fa-tag"></span> <span class="caret"></span> <span class="fa fa-fw fa-tag"></span> <span class="caret"></span>
</button> </button>
<ul class="dropdown-menu"> <ul class="dropdown-menu">
<?php
foreach($document_tags as $document_tag) {
?>
<li> <li>
<div class="form-check"> <div class="form-check">
<label> <label>
@@ -32,12 +34,14 @@
</label> </label>
</div> </div>
</li> </li>
<?php
}
?>
</ul> </ul>
</div> </div>
</div> </div>
<!-- Document tags select end --> <!-- Document tags select end -->
<?php <?php
}
} }
?> ?>


@@ -5205,9 +5205,9 @@ if(isset($_GET['export_client_domains_csv'])){
} }
if(isset($_POST['add_ticket'])){ if(isset($_POST['add_ticket'])){
require("plugins/htmlpurifier/HTMLPurifier.standalone.php");
// Initiate HTML Purifier // HTML Purifier
require("plugins/htmlpurifier/HTMLPurifier.standalone.php");
$purifier_config = HTMLPurifier_Config::createDefault(); $purifier_config = HTMLPurifier_Config::createDefault();
$purifier = new HTMLPurifier($purifier_config); $purifier = new HTMLPurifier($purifier_config);
@@ -5216,8 +5216,7 @@ if(isset($_POST['add_ticket'])){
$contact = intval($_POST['contact']); $contact = intval($_POST['contact']);
$subject = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['subject']))); $subject = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['subject'])));
$priority = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['priority']))); $priority = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['priority'])));
$dirty_details = mysqli_real_escape_string($mysqli,$_POST['details']); $details = trim(mysqli_real_escape_string($mysqli,$purifier->purify(html_entity_decode($_POST['details']))));
$details = $purifier->purify($dirty_details);
$asset_id = intval($_POST['asset']); $asset_id = intval($_POST['asset']);
if($client_id > 0 AND $contact == 0){ if($client_id > 0 AND $contact == 0){
@@ -5243,11 +5242,17 @@ if(isset($_POST['add_ticket'])){
} }
if(isset($_POST['add_scheduled_ticket'])){ if(isset($_POST['add_scheduled_ticket'])){
// HTML Purifier
require("plugins/htmlpurifier/HTMLPurifier.standalone.php");
$purifier_config = HTMLPurifier_Config::createDefault();
$purifier = new HTMLPurifier($purifier_config);
$client_id = intval($_POST['client']); $client_id = intval($_POST['client']);
$contact = intval($_POST['contact']); $contact = intval($_POST['contact']);
$subject = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['subject']))); $subject = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['subject'])));
$priority = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['priority']))); $priority = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['priority'])));
$details = trim(mysqli_real_escape_string($mysqli,$_POST['details'])); $details = trim(mysqli_real_escape_string($mysqli,$purifier->purify(html_entity_decode($_POST['details']))));
$asset_id = intval($_POST['asset']); $asset_id = intval($_POST['asset']);
$frequency = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['frequency']))); $frequency = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['frequency'])));
$start_date = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['start_date']))); $start_date = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['start_date'])));
@@ -5271,11 +5276,17 @@ if(isset($_POST['add_scheduled_ticket'])){
} }
if(isset($_POST['edit_scheduled_ticket'])){ if(isset($_POST['edit_scheduled_ticket'])){
// HTML Purifier
require("plugins/htmlpurifier/HTMLPurifier.standalone.php");
$purifier_config = HTMLPurifier_Config::createDefault();
$purifier = new HTMLPurifier($purifier_config);
$client_id = intval($_POST['client_id']); $client_id = intval($_POST['client_id']);
$ticket_id = intval($_POST['ticket_id']); $ticket_id = intval($_POST['ticket_id']);
$subject = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['subject']))); $subject = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['subject'])));
$priority = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['priority']))); $priority = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['priority'])));
$details = trim(mysqli_real_escape_string($mysqli,$_POST['details'])); $details = trim(mysqli_real_escape_string($mysqli,$purifier->purify(html_entity_decode($_POST['details']))));
$asset_id = intval($_POST['asset']); $asset_id = intval($_POST['asset']);
$frequency = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['frequency']))); $frequency = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['frequency'])));
$next_run_date = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['next_date']))); $next_run_date = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['next_date'])));
@@ -5308,12 +5319,17 @@ if(isset($_GET['delete_scheduled_ticket'])){
if(isset($_POST['edit_ticket'])){ if(isset($_POST['edit_ticket'])){
// HTML Purifier
require("plugins/htmlpurifier/HTMLPurifier.standalone.php");
$purifier_config = HTMLPurifier_Config::createDefault();
$purifier = new HTMLPurifier($purifier_config);
$ticket_id = intval($_POST['ticket_id']); $ticket_id = intval($_POST['ticket_id']);
$assigned_to = intval($_POST['assigned_to']); $assigned_to = intval($_POST['assigned_to']);
$contact_id = intval($_POST['contact']); $contact_id = intval($_POST['contact']);
$subject = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['subject']))); $subject = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['subject'])));
$priority = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['priority']))); $priority = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['priority'])));
$details = trim(mysqli_real_escape_string($mysqli,$_POST['details'])); $details = trim(mysqli_real_escape_string($mysqli,$purifier->purify(html_entity_decode($_POST['details']))));
$asset_id = intval($_POST['asset']); $asset_id = intval($_POST['asset']);
mysqli_query($mysqli,"UPDATE tickets SET ticket_subject = '$subject', ticket_priority = '$priority', ticket_details = '$details', ticket_updated_at = NOW(), ticket_assigned_to = $assigned_to, ticket_contact_id = $contact_id, ticket_asset_id = $asset_id WHERE ticket_id = $ticket_id AND company_id = $session_company_id"); mysqli_query($mysqli,"UPDATE tickets SET ticket_subject = '$subject', ticket_priority = '$priority', ticket_details = '$details', ticket_updated_at = NOW(), ticket_assigned_to = $assigned_to, ticket_contact_id = $contact_id, ticket_asset_id = $asset_id WHERE ticket_id = $ticket_id AND company_id = $session_company_id");
@@ -5360,17 +5376,16 @@ if(isset($_GET['delete_ticket'])){
} }
if(isset($_POST['add_ticket_reply'])){ if(isset($_POST['add_ticket_reply'])){
require("plugins/htmlpurifier/HTMLPurifier.standalone.php");
// Initiate HTML Purifier // HTML Purifier
require("plugins/htmlpurifier/HTMLPurifier.standalone.php");
$purifier_config = HTMLPurifier_Config::createDefault(); $purifier_config = HTMLPurifier_Config::createDefault();
$purifier = new HTMLPurifier($purifier_config); $purifier = new HTMLPurifier($purifier_config);
$ticket_id = intval($_POST['ticket_id']); $ticket_id = intval($_POST['ticket_id']);
$dirty = trim(mysqli_real_escape_string($mysqli,$_POST['ticket_reply'])); $ticket_reply = trim(mysqli_real_escape_string($mysqli,$purifier->purify(html_entity_decode($_POST['ticket_reply']))));
$ticket_reply = $purifier->purify($dirty); $ticket_status = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['status'])));
$ticket_status = trim(mysqli_real_escape_string($mysqli,$_POST['status'])); $ticket_reply_time_worked = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['time'])));
$ticket_reply_time_worked = trim(mysqli_real_escape_string($mysqli,$_POST['time']));
if(isset($_POST['public_reply_type'])){ if(isset($_POST['public_reply_type'])){
$ticket_reply_type = 'Public'; $ticket_reply_type = 'Public';
@@ -5445,8 +5460,13 @@ if(isset($_POST['add_ticket_reply'])){
if(isset($_POST['edit_ticket_reply'])){ if(isset($_POST['edit_ticket_reply'])){
// HTML Purifier
require("plugins/htmlpurifier/HTMLPurifier.standalone.php");
$purifier_config = HTMLPurifier_Config::createDefault();
$purifier = new HTMLPurifier($purifier_config);
$ticket_reply_id = intval($_POST['ticket_reply_id']); $ticket_reply_id = intval($_POST['ticket_reply_id']);
$ticket_reply = trim(mysqli_real_escape_string($mysqli,$_POST['ticket_reply'])); $ticket_reply = trim(mysqli_real_escape_string($mysqli,$purifier->purify(html_entity_decode($_POST['ticket_reply']))));
mysqli_query($mysqli,"UPDATE ticket_replies SET ticket_reply = '$ticket_reply', ticket_reply_updated_at = NOW() WHERE ticket_reply_id = $ticket_reply_id AND company_id = $session_company_id") or die(mysqli_error($mysqli)); mysqli_query($mysqli,"UPDATE ticket_replies SET ticket_reply = '$ticket_reply', ticket_reply_updated_at = NOW() WHERE ticket_reply_id = $ticket_reply_id AND company_id = $session_company_id") or die(mysqli_error($mysqli));
@@ -5494,7 +5514,7 @@ if(isset($_GET['merge_ticket_get_json_details'])){
if(isset($_POST['merge_ticket'])){ if(isset($_POST['merge_ticket'])){
$ticket_id = intval($_POST['ticket_id']); $ticket_id = intval($_POST['ticket_id']);
$merge_into_ticket_number = intval($_POST['merge_into_ticket_number']); $merge_into_ticket_number = intval($_POST['merge_into_ticket_number']);
$merge_comment = trim(mysqli_real_escape_string($mysqli,$_POST['merge_comment'])); $merge_comment = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['merge_comment'])));
$ticket_reply_type = 'Internal'; $ticket_reply_type = 'Internal';
//Get current ticket details //Get current ticket details
@@ -5878,10 +5898,15 @@ if(isset($_GET['delete_file'])){
if(isset($_POST['add_document'])){ if(isset($_POST['add_document'])){
// HTML Purifier
require("plugins/htmlpurifier/HTMLPurifier.standalone.php");
$purifier_config = HTMLPurifier_Config::createDefault();
$purifier = new HTMLPurifier($purifier_config);
$client_id = intval($_POST['client_id']); $client_id = intval($_POST['client_id']);
$name = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['name']))); $name = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['name'])));
$tags_ids = $_POST['tags_ids']; $tags_ids = $_POST['tags_ids'];
$content = trim(mysqli_real_escape_string($mysqli,$_POST['content'])); $content = trim(mysqli_real_escape_string($mysqli,$purifier->purify(html_entity_decode($_POST['content']))));
// Document add query // Document add query
$add_document = mysqli_query($mysqli,"INSERT INTO documents SET document_name = '$name', document_content = '$content', document_created_at = NOW(), document_client_id = $client_id, company_id = $session_company_id"); $add_document = mysqli_query($mysqli,"INSERT INTO documents SET document_name = '$name', document_content = '$content', document_created_at = NOW(), document_client_id = $client_id, company_id = $session_company_id");
@@ -5905,10 +5930,15 @@ if(isset($_POST['add_document'])){
if(isset($_POST['edit_document'])){ if(isset($_POST['edit_document'])){
// HTML Purifier
require("plugins/htmlpurifier/HTMLPurifier.standalone.php");
$purifier_config = HTMLPurifier_Config::createDefault();
$purifier = new HTMLPurifier($purifier_config);
$document_id = intval($_POST['document_id']); $document_id = intval($_POST['document_id']);
$name = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['name']))); $name = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['name'])));
$tags_ids = $_POST['tags_ids']; $tags_ids = $_POST['tags_ids'];
$content = trim(mysqli_real_escape_string($mysqli,$_POST['content'])); $content = trim(mysqli_real_escape_string($mysqli,$purifier->purify(html_entity_decode($_POST['content']))));
// Document edit query // Document edit query
mysqli_query($mysqli,"UPDATE documents SET document_name = '$name', document_content = '$content', document_updated_at = NOW() WHERE document_id = $document_id AND company_id = $session_company_id"); mysqli_query($mysqli,"UPDATE documents SET document_name = '$name', document_content = '$content', document_updated_at = NOW() WHERE document_id = $document_id AND company_id = $session_company_id");
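Review bot: In all eight handlers (add_ticket through edit_document) the purifier is built from `HTMLPurifier_Config::createDefault()` with no directives, so the filtering policy is whatever the bundled defaults allow and the definition cache will try to write under `plugins/htmlpurifier/`, which (if I read HTML Purifier's serializer cache correctly) emits warnings when that directory is not writable by the web server, and that directory should not be writable if it sits under the web root. Each handler also repeats the same four set-up lines with a plain `require`, which becomes a "cannot redeclare class" fatal the first time two handlers run in one request and already lets the copies drift (the comment differs between `add_ticket` and the others). I would move the set-up into one lazily-initialised helper, as below, point `Cache.SerializerPath` at a writable directory outside the web root (or set `Cache.DefinitionImpl` to null to disable caching), and use `HTML.Allowed` to pin the tag/attribute allow-list to what the ticket editor actually emits rather than the full default schema. Decoding with `html_entity_decode` before `purify` is the right order so that entity-encoded markup cannot slip past the filter, but it also turns entity text a user typed literally (e.g. `&lt;b&gt;`) into a real tag, so confirm the editor really posts entity-encoded HTML; the SQL assembly that consumes `$details`/`$content` (e.g. the UPDATE at the end of edit_ticket) is unchanged here and relies on `mysqli_real_escape_string` staying the last step, which the new ordering does preserve.
```php
// One shared sanitiser for ticket/document bodies; replaces the per-handler
// require + createDefault block in every $_POST branch.
function purifyHtml(string $dirty): string
{
    static $purifier = null;
    if ($purifier === null) {
        require_once 'plugins/htmlpurifier/HTMLPurifier.standalone.php';
        $config = HTMLPurifier_Config::createDefault();
        // PLACEHOLDER: a directory writable by the web server, outside the web root
        $config->set('Cache.SerializerPath', '/PLACEHOLDER-writable-cache-dir');
        $purifier = new HTMLPurifier($config);
    }
    return $purifier->purify(html_entity_decode($dirty));
}

// … unchanged: $document_id / $name / $tags_ids parsing …
$content = trim(mysqli_real_escape_string($mysqli, purifyHtml($_POST['content'])));
```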