diff --git a/client_document_details.php b/client_document_details.php
index dd40be0a..d37fc951 100644
--- a/client_document_details.php
+++ b/client_document_details.php
@@ -20,7 +20,6 @@ $row = mysqli_fetch_array($sql_document);
 $folder_name = htmlentities($row['folder_name']);
 $document_name = htmlentities($row['document_name']);
 $document_content = $purifier->purify($row['document_content']);
-//$document_content = $row['document_content'];
 $document_created_at = htmlentities($row['document_created_at']);
 $document_updated_at = htmlentities($row['document_updated_at']);
 $document_folder_id = intval($row['document_folder_id']);
diff --git a/guest_view_invoice.php b/guest_view_invoice.php
index 649c668b..0fe8a96b 100644
--- a/guest_view_invoice.php
+++ b/guest_view_invoice.php
@@ -42,6 +42,7 @@ $invoice_note = htmlentities($row['invoice_note']);
 $invoice_category_id = intval($row['invoice_category_id']);
 $client_id = intval($row['client_id']);
 $client_name = htmlentities($row['client_name']);
+$client_name_escaped = sanitizeInput($row['client_name']);
 $location_address = htmlentities($row['location_address']);
 $location_city = htmlentities($row['location_city']);
 $location_state = htmlentities($row['location_state']);
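Review bot: `$client_name_escaped = sanitizeInput($row['client_name']);` is added directly under `$client_name = htmlentities($row['client_name']);` with nothing saying why the same column now exists in two escaped forms, and sanitizeInput() is not part of this diff, so a reader cannot tell which context each variable is safe for. A one-line comment would settle it, e.g. `// $client_name is HTML-escaped for page output; $client_name_escaped is the form interpolated into the notifications INSERT further down (see sanitizeInput())`. The same pair is introduced in guest_view_quote.php at @@ -42,6 +42,7 and deserves the same comment.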
@@ -93,7 +94,7 @@ if ($invoice_status == 'Sent') { mysqli_query($mysqli, "INSERT INTO history SET history_status = '$invoice_status', history_description = 'Invoice viewed - $ip - $os - $browser', history_invoice_id = $invoice_id"); if ($invoice_status !== 'Paid') { - $client_name_escaped = sanitizeInput($row['client_name']); + //$client_name_escaped = sanitizeInput($row['client_name']); mysqli_query($mysqli, "INSERT INTO notifications SET notification_type = 'Invoice Viewed', notification = 'Invoice $invoice_prefix$invoice_number has been viewed by $client_name_escaped - $ip - $os - $browser', notification_client_id = $client_id"); } $sql_payments = mysqli_query($mysqli, "SELECT * FROM payments, accounts WHERE payment_account_id = account_id AND payment_invoice_id = $invoice_id ORDER BY payments.payment_id DESC"); diff --git a/guest_view_item.php b/guest_view_item.php index 50380c58..8f7d10bb 100644 --- a/guest_view_item.php +++ b/guest_view_item.php @@ -4,7 +4,15 @@ header('Cache-Control: no-store, no-cache, must-revalidate'); header('Cache-Control: post-check=0, pre-check=0', false); header('Pragma: no-cache'); -require_once("guest_header.php"); ?> +require_once("guest_header.php"); + +//Initialize the HTML Purifier to prevent XSS +require("plugins/htmlpurifier/HTMLPurifier.standalone.php"); +$purifier_config = HTMLPurifier_Config::createDefault(); +$purifier_config->set('URI.AllowedSchemes', ['data' => true, 'src' => true, 'http' => true, 'https' => true]); +$purifier = new HTMLPurifier($purifier_config); + +?>
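Review bot: The replaced assignment is kept as dead code, `//$client_name_escaped = sanitizeInput($row['client_name']);`, while the equivalent line in guest_view_quote.php (@@ -86,7 +87,6) is simply deleted; delete it here as well so the two files stay consistent and no commented-out code is left behind. With the assignment moved to the top of the file, the value interpolated into the notifications INSERT now depends entirely on what sanitizeInput() does, which this diff does not show, so confirm it escapes for the active mysqli connection. The `if ($invoice_status == 'Sent')` block this belongs to begins outside the hunk.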

Guest sharing

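Review bot: `$purifier_config->set('URI.AllowedSchemes', ['data' => true, 'src' => true, 'http' => true, 'https' => true]);` lists `'src'`, which is not a URI scheme and therefore has no effect; it reads like a copy mistake and should be dropped so the list states exactly what is allowed. Enabling `data` goes beyond HTMLPurifier's default allowed-scheme list and lets `data:` URIs survive purification of documents shared with guests; if that is intentional (presumably for inline images pasted into documents), say so next to the line, e.g. `// data: allowed so inline base64 images inside shared documents are kept`, otherwise the next reader will treat it as an oversight. The hunk's trailing context lines are garbled in this rendering, so the markup that follows `?>` cannot be reviewed here.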
@@ -12,7 +20,7 @@ require_once("guest_header.php"); ?> Incorrect URL."; + echo "
Incorrect URL.
"; include("guest_footer.php"); exit(); } @@ -25,21 +33,21 @@ $row = mysqli_fetch_array($sql); // Check we got a result if (mysqli_num_rows($sql) !== 1 || !$row) { - echo "
No item to view. Check with the person that sent you this link to ensure it is correct and has not expired.
"; + echo "
No item to view. Check with the person that sent you this link to ensure it is correct and has not expired.
"; include("guest_footer.php"); exit(); } // Check item share is active & hasn't been viewed too many times if ($row['item_active'] !== "1" || $row['item_views'] >= $row['item_view_limit']) { - echo "
Item cannot be viewed at this time. Check with the person that sent you this link to ensure it is correct and has not expired.
"; + echo "
Item cannot be viewed at this time. Check with the person that sent you this link to ensure it is correct and has not expired.
"; include("guest_footer.php"); exit(); } // If we got here, we have valid information -echo "
You may only be able to view this information for a limited time! Be sure to copy/download what you need.
"; +echo "
You may only be able to view this information for a limited time! Be sure to copy/download what you need.
"; $item_type = htmlentities($row['item_type']); $item_related_id = intval($row['item_related_id']); @@ -55,17 +63,18 @@ if ($item_type == "Document") { $doc_row = mysqli_fetch_array($doc_sql); if (mysqli_num_rows($doc_sql) !== 1 || !$doc_row) { - echo "
Error retrieving document to view.
"; + echo "
Error retrieving document to view.
"; require_once("guest_footer.php"); exit(); } $doc_title = htmlentities($doc_row['document_name']); - $doc_content = $doc_row['document_content']; + $doc_title_escaped = sanitizeInput($doc_row['document_name']); + $doc_content = $purifier->purify($row['document_content']); echo "

A document has been shared with you

"; if (!empty($item_note)) { - echo "

Note: $item_note

"; + echo "

Note: $item_note

"; } echo "
"; echo "

$doc_title

"; @@ -77,14 +86,14 @@ if ($item_type == "Document") { // Logging $name = mysqli_real_escape_string($mysqli, $doc_title); - mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'Sharing', log_action = 'View', log_description = 'Viewed shared $item_type $name via link', log_client_id = $client_id, log_ip = '$ip', log_user_agent = '$user_agent'"); + mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'Sharing', log_action = 'View', log_description = 'Viewed shared $item_type $doc_title_escaped via link', log_client_id = $client_id, log_ip = '$ip', log_user_agent = '$user_agent'"); } elseif ($item_type == "File") { $file_sql = mysqli_query($mysqli, "SELECT * FROM files WHERE file_id = $item_related_id AND file_client_id = $client_id LIMIT 1"); $file_row = mysqli_fetch_array($file_sql); if (mysqli_num_rows($file_sql) !== 1 || !$file_row) { - echo "
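Review bot: `$doc_content = $purifier->purify($row['document_content']);` reads from `$row`, the share-item row, whereas the line it replaces read `$doc_row['document_content']`, the document row fetched from `$doc_sql` a few lines above; unless the items query also returns a `document_content` column (not visible in this diff), this purifies a missing key and the shared document renders empty. It should be `$doc_content = $purifier->purify($doc_row['document_content']);`. The `if ($item_type == "Document")` branch this sits in starts before the hunk.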
Error retrieving file.
"; + echo "
Error retrieving file.
"; include("guest_footer.php"); exit(); } @@ -93,9 +102,9 @@ if ($item_type == "Document") { echo "
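Review bot: `$name = mysqli_real_escape_string($mysqli, $doc_title);` is left in place but its only consumer, the logs INSERT, now interpolates `$doc_title_escaped` instead, so `$name` is dead and should be removed. Before this change the value written into log_description had been both htmlentities()-encoded and escaped with mysqli_real_escape_string() against the live connection; the replacement relies solely on sanitizeInput(), which is not in this diff, so confirm it performs SQL escaping for `$mysqli` before the explicit escape is dropped. The enclosing `if ($item_type == "Document")` branch starts outside the hunk.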

A file has been shared with you

"; if (!empty($item_note)) { - echo "

Note: $item_note

"; + echo "

Note: $item_note

"; } - echo "Download $file_name"; + echo "Download $file_name"; } elseif ($item_type == "Login") { @@ -104,7 +113,7 @@ if ($item_type == "Document") { $login_sql = mysqli_query($mysqli, "SELECT * FROM logins WHERE login_id = $item_related_id AND login_client_id = $client_id LIMIT 1"); $login_row = mysqli_fetch_array($login_sql); if (mysqli_num_rows($login_sql) !== 1 || !$login_row) { - echo "
Error retrieving login.
"; + echo "
Error retrieving login.
"; include("guest_footer.php"); exit(); } @@ -114,18 +123,18 @@ if ($item_type == "Document") { $username_iv = substr($row['item_encrypted_username'], 0, 16); $username_ciphertext = substr($row['item_encrypted_username'], 16); - $login_username = openssl_decrypt($username_ciphertext, 'aes-128-cbc', $encryption_key, 0, $username_iv); + $login_username = htmlentities(openssl_decrypt($username_ciphertext, 'aes-128-cbc', $encryption_key, 0, $username_iv)); $password_iv = substr($row['item_encrypted_credential'], 0, 16); $password_ciphertext = substr($row['item_encrypted_credential'], 16); - $login_password = openssl_decrypt($password_ciphertext, 'aes-128-cbc', $encryption_key, 0, $password_iv); + $login_password = htmlentities(openssl_decrypt($password_ciphertext, 'aes-128-cbc', $encryption_key, 0, $password_iv)); - $login_otp = $login_row['login_otp_secret']; + $login_otp = htmlentities($login_row['login_otp_secret']); $login_notes = htmlentities($login_row['login_note']); echo "

A login entry has been shared with you

"; if (!empty($item_note)) { - echo "

Note: $item_note

"; + echo "

Note: $item_note

"; } echo "
"; diff --git a/guest_view_quote.php b/guest_view_quote.php index 1944509c..c2fcf525 100644 --- a/guest_view_quote.php +++ b/guest_view_quote.php @@ -42,6 +42,7 @@ $quote_note = htmlentities($row['quote_note']); $category_id = intval($row['category_id']); $client_id = intval($row['client_id']); $client_name = htmlentities($row['client_name']); +$client_name_escaped = sanitizeInput($row['client_name']); $location_address = htmlentities($row['location_address']); $location_city = htmlentities($row['location_city']); $location_state = htmlentities($row['location_state']); @@ -86,7 +87,6 @@ if ($quote_status == 'Sent') { mysqli_query($mysqli, "INSERT INTO history SET history_status = '$quote_status', history_description = 'Quote viewed - $ip - $os - $browser', history_quote_id = $quote_id"); if ($quote_status == "Draft" || $quote_status == "Sent" || $quote_status == "Viewed") { - $client_name_escaped = sanitizeInput($row['client_name']); mysqli_query($mysqli, "INSERT INTO notifications SET notification_type = 'Quote Viewed', notification = 'Quote $quote_prefix$quote_number has been viewed by $client_name_escaped - $ip - $os - $browser', notification_client_id = $client_id"); }
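Review bot: Wrapping `openssl_decrypt(...)` directly in `htmlentities()` hides a decryption failure: openssl_decrypt() returns false on a wrong key or corrupted ciphertext, htmlentities(false) coerces that to an empty string, and the guest is shown a blank username and password with no error. Decrypt into the variable first, check for `false` and exit through the same footer-and-exit path the file already uses for its other error cases, and only then escape for output; the password needs the identical treatment. This hunk lies inside the `elseif ($item_type == "Login")` branch, which starts before it.
```php
// … unchanged: IV / ciphertext split for the username …
$login_username = openssl_decrypt($username_ciphertext, 'aes-128-cbc', $encryption_key, 0, $username_iv);
if ($login_username === false) {
    echo "Error decrypting shared login.";
    include("guest_footer.php");
    exit();
}
$login_username = htmlentities($login_username);
// … same pattern for $login_password …
```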