Use htmlpurify to show client shared document, Clean up some formatting in guest item view, fixed Invoice and Quote not logging the client who view them this was a regression from the company removal

client_document_details.php

@@ -20,7 +20,6 @@ $row = mysqli_fetch_array($sql_document);
 $folder_name = htmlentities($row['folder_name']);
 $document_name = htmlentities($row['document_name']);
 $document_content = $purifier->purify($row['document_content']);
-//$document_content = $row['document_content'];
 $document_created_at = htmlentities($row['document_created_at']);
 $document_updated_at = htmlentities($row['document_updated_at']);
 $document_folder_id = intval($row['document_folder_id']);

guest_view_invoice.php

@@ -42,6 +42,7 @@ $invoice_note = htmlentities($row['invoice_note']);
 $invoice_category_id = intval($row['invoice_category_id']);
 $client_id = intval($row['client_id']);
 $client_name = htmlentities($row['client_name']);
+$client_name_escaped = sanitizeInput($row['client_name']);
 $location_address = htmlentities($row['location_address']);
 $location_city = htmlentities($row['location_city']);
 $location_state = htmlentities($row['location_state']);
@@ -93,7 +94,7 @@ if ($invoice_status == 'Sent') {
 mysqli_query($mysqli, "INSERT INTO history SET history_status = '$invoice_status', history_description = 'Invoice viewed - $ip - $os - $browser', history_invoice_id = $invoice_id");
 
 if ($invoice_status !== 'Paid') {
-    $client_name_escaped = sanitizeInput($row['client_name']);
+    //$client_name_escaped = sanitizeInput($row['client_name']);
     mysqli_query($mysqli, "INSERT INTO notifications SET notification_type = 'Invoice Viewed', notification = 'Invoice $invoice_prefix$invoice_number has been viewed by $client_name_escaped - $ip - $os - $browser', notification_client_id = $client_id");
 }
 $sql_payments = mysqli_query($mysqli, "SELECT * FROM payments, accounts WHERE payment_account_id = account_id AND payment_invoice_id = $invoice_id ORDER BY payments.payment_id DESC");

guest_view_item.php

@@ -4,7 +4,15 @@ header('Cache-Control: no-store, no-cache, must-revalidate');
 header('Cache-Control: post-check=0, pre-check=0', false);
 header('Pragma: no-cache');
 
-require_once("guest_header.php"); ?>
+require_once("guest_header.php");
+
+//Initialize the HTML Purifier to prevent XSS
+require("plugins/htmlpurifier/HTMLPurifier.standalone.php");
+$purifier_config = HTMLPurifier_Config::createDefault();
+$purifier_config->set('URI.AllowedSchemes', ['data' => true, 'src' => true, 'http' => true, 'https' => true]);
+$purifier = new HTMLPurifier($purifier_config);
+
+?>
 
     <br>
     <h1> <?php echo htmlentities($config_app_name); ?> Guest sharing </h1>
@@ -12,7 +20,7 @@ require_once("guest_header.php"); ?>
 
 <?php
 if (!isset($_GET['id']) || !isset($_GET['key'])) {
-    echo "<div class=\"alert alert-danger\" role=\"alert\">Incorrect URL.</div>";
+    echo "<div class='alert alert-danger'>Incorrect URL.</div>";
     include("guest_footer.php");
     exit();
 }
@@ -25,21 +33,21 @@ $row = mysqli_fetch_array($sql);
 
 // Check we got a result
 if (mysqli_num_rows($sql) !== 1 || !$row) {
-    echo "<div class=\"alert alert-danger\" role=\"alert\">No item to view. Check with the person that sent you this link to ensure it is correct and has not expired.</div>";
+    echo "<div class='alert alert-danger' >No item to view. Check with the person that sent you this link to ensure it is correct and has not expired.</div>";
     include("guest_footer.php");
     exit();
 }
 
 // Check item share is active & hasn't been viewed too many times
 if ($row['item_active'] !== "1" || $row['item_views'] >= $row['item_view_limit']) {
-    echo "<div class=\"alert alert-danger\" role=\"alert\">Item cannot be viewed at this time. Check with the person that sent you this link to ensure it is correct and has not expired.</div>";
+    echo "<div class='alert alert-danger'>Item cannot be viewed at this time. Check with the person that sent you this link to ensure it is correct and has not expired.</div>";
     include("guest_footer.php");
     exit();
 }
 
 // If we got here, we have valid information
 
-echo "<div class=\"alert alert-warning\" role=\"alert\">You may only be able to view this information for a limited time! Be sure to copy/download what you need.</div>";
+echo "<div class='alert alert-warning'>You may only be able to view this information for a limited time! Be sure to copy/download what you need.</div>";
 
 $item_type = htmlentities($row['item_type']);
 $item_related_id = intval($row['item_related_id']);
@@ -55,17 +63,18 @@ if ($item_type == "Document") {
     $doc_row = mysqli_fetch_array($doc_sql);
 
     if (mysqli_num_rows($doc_sql) !== 1 || !$doc_row) {
-        echo "<div class=\"alert alert-danger\" role=\"alert\">Error retrieving document to view.</div>";
+        echo "<div class='alert alert-danger'>Error retrieving document to view.</div>";
         require_once("guest_footer.php");
         exit();
     }
 
     $doc_title = htmlentities($doc_row['document_name']);
-    $doc_content = $doc_row['document_content'];
+    $doc_title_escaped = sanitizeInput($doc_row['document_name']);
+    $doc_content = $purifier->purify($row['document_content']);
 
     echo "<h3>A document has been shared with you</h3>";
     if (!empty($item_note)) {
-        echo "<p class=\"lead\">Note: <i>$item_note</i></p>";
+        echo "<p class='lead'>Note: <i>$item_note</i></p>";
     }
     echo "<br>";
     echo "<h2>$doc_title</h2>";
@@ -77,14 +86,14 @@ if ($item_type == "Document") {
 
     // Logging
     $name = mysqli_real_escape_string($mysqli, $doc_title);
-    mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'Sharing', log_action = 'View', log_description = 'Viewed shared $item_type $name via link', log_client_id = $client_id, log_ip = '$ip', log_user_agent = '$user_agent'");
+    mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'Sharing', log_action = 'View', log_description = 'Viewed shared $item_type $doc_title_escaped via link', log_client_id = $client_id, log_ip = '$ip', log_user_agent = '$user_agent'");
 
 } elseif ($item_type == "File") {
     $file_sql = mysqli_query($mysqli, "SELECT * FROM files WHERE file_id = $item_related_id AND file_client_id = $client_id LIMIT 1");
     $file_row = mysqli_fetch_array($file_sql);
 
     if (mysqli_num_rows($file_sql) !== 1 || !$file_row) {
-        echo "<div class=\"alert alert-danger\" role=\"alert\">Error retrieving file.</div>";
+        echo "<div class='alert alert-danger'>Error retrieving file.</div>";
         include("guest_footer.php");
         exit();
     }
@@ -93,9 +102,9 @@ if ($item_type == "Document") {
 
     echo "<h3>A file has been shared with you</h3>";
     if (!empty($item_note)) {
-        echo "<p class=\"lead\">Note: <i>$item_note</i></p>";
+        echo "<p class='lead'>Note: <i>$item_note</i></p>";
     }
-    echo "<a href=\"guest_download_file.php?id=$item_id&key=$item_key\" download=\"$file_name;\">Download $file_name</a>";
+    echo "<a href='guest_download_file.php?id=$item_id&key=$item_key' download='$file_name'>Download $file_name</a>";
 
 
 } elseif ($item_type == "Login") {
@@ -104,7 +113,7 @@ if ($item_type == "Document") {
     $login_sql = mysqli_query($mysqli, "SELECT * FROM logins WHERE login_id = $item_related_id AND login_client_id = $client_id LIMIT 1");
     $login_row = mysqli_fetch_array($login_sql);
     if (mysqli_num_rows($login_sql) !== 1 || !$login_row) {
-        echo "<div class=\"alert alert-danger\" role=\"alert\">Error retrieving login.</div>";
+        echo "<div class='alert alert-danger'>Error retrieving login.</div>";
         include("guest_footer.php");
         exit();
     }
@@ -114,18 +123,18 @@ if ($item_type == "Document") {
 
     $username_iv = substr($row['item_encrypted_username'], 0, 16);
     $username_ciphertext = substr($row['item_encrypted_username'], 16);
-    $login_username = openssl_decrypt($username_ciphertext, 'aes-128-cbc', $encryption_key, 0, $username_iv);
+    $login_username = htmlentities(openssl_decrypt($username_ciphertext, 'aes-128-cbc', $encryption_key, 0, $username_iv));
 
     $password_iv = substr($row['item_encrypted_credential'], 0, 16);
     $password_ciphertext = substr($row['item_encrypted_credential'], 16);
-    $login_password = openssl_decrypt($password_ciphertext, 'aes-128-cbc', $encryption_key, 0, $password_iv);
+    $login_password = htmlentities(openssl_decrypt($password_ciphertext, 'aes-128-cbc', $encryption_key, 0, $password_iv));
 
-    $login_otp = $login_row['login_otp_secret'];
+    $login_otp = htmlentities($login_row['login_otp_secret']);
     $login_notes = htmlentities($login_row['login_note']);
 
     echo "<h3>A login entry has been shared with you</h3>";
     if (!empty($item_note)) {
-        echo "<p class=\"lead\">Note: <i>$item_note</i></p>";
+        echo "<p class='lead'>Note: <i>$item_note</i></p>";
     }
     echo "<br>";
 

guest_view_quote.php

@@ -42,6 +42,7 @@ $quote_note = htmlentities($row['quote_note']);
 $category_id = intval($row['category_id']);
 $client_id = intval($row['client_id']);
 $client_name = htmlentities($row['client_name']);
+$client_name_escaped = sanitizeInput($row['client_name']);
 $location_address = htmlentities($row['location_address']);
 $location_city = htmlentities($row['location_city']);
 $location_state = htmlentities($row['location_state']);
@@ -86,7 +87,6 @@ if ($quote_status == 'Sent') {
 mysqli_query($mysqli, "INSERT INTO history SET history_status = '$quote_status', history_description = 'Quote viewed - $ip - $os - $browser', history_quote_id = $quote_id");
 
 if ($quote_status == "Draft" || $quote_status == "Sent" || $quote_status == "Viewed") {
-    $client_name_escaped = sanitizeInput($row['client_name']);
     mysqli_query($mysqli, "INSERT INTO notifications SET notification_type = 'Quote Viewed', notification = 'Quote $quote_prefix$quote_number has been viewed by $client_name_escaped - $ip - $os - $browser', notification_client_id = $client_id");
 }