Used HTMLPUrify to Purify the output of Tickets, Documents, Document Templates. Removed Redundant htmlentities in edit document edit ticket etc, Removed Company ID from Document Template Details

2023-03-11 21:24:35 -05:00 · 2023-03-11 21:24:35 -05:00 · b5ae7b3d86
parent 00b9391de4
commit b5ae7b3d86
8 changed files with 30 additions and 9 deletions
--- a/client_document_details.php
+++ b/client_document_details.php
@ -2,6 +2,12 @@

 require_once("inc_all_client.php");

+//Initialize the HTML Purifier to prevent XSS
+require("plugins/htmlpurifier/HTMLPurifier.standalone.php");
+$purifier_config = HTMLPurifier_Config::createDefault();
+$purifier_config->set('URI.AllowedSchemes', ['data' => true, 'src' => true, 'http' => true, 'https' => true]);
+$purifier = new HTMLPurifier($purifier_config);
+
 if (isset($_GET['document_id'])) {
 	$document_id = intval($_GET['document_id']);
 }
@ -13,7 +19,8 @@ $row = mysqli_fetch_array($sql_document);

 $folder_name = htmlentities($row['folder_name']);
 $document_name = htmlentities($row['document_name']);
-$document_content = $row['document_content'];
+$document_content = $purifier->purify(html_entity_decode($row['document_content']));
+//$document_content = $row['document_content'];
 $document_created_at = htmlentities($row['document_created_at']);
 $document_updated_at = htmlentities($row['document_updated_at']);
 $document_folder_id = intval($row['document_folder_id']);
--- a/client_document_edit_modal.php
+++ b/client_document_edit_modal.php
@ -17,7 +17,7 @@
                    </div>

                    <div class="form-group">
-                        <textarea class="form-control summernote" name="content"><?php echo htmlentities($document_content); ?></textarea>
+                        <textarea class="form-control summernote" name="content"><?php echo $document_content; ?></textarea>
                    </div>

                    <div class="form-group">
--- a/client_document_template_details.php
+++ b/client_document_template_details.php
@ -2,18 +2,23 @@

 require_once("inc_all_client.php");

+//Initialize the HTML Purifier to prevent XSS
+require("plugins/htmlpurifier/HTMLPurifier.standalone.php");
+$purifier_config = HTMLPurifier_Config::createDefault();
+$purifier_config->set('URI.AllowedSchemes', ['data' => true, 'src' => true, 'http' => true, 'https' => true]);
+$purifier = new HTMLPurifier($purifier_config);

 if (isset($_GET['document_id'])) {
 	$document_id = intval($_GET['document_id']);
 }

-
-$sql_document = mysqli_query($mysqli, "SELECT * FROM documents WHERE document_template = 1 AND document_id = $document_id AND documents.company_id = $session_company_id");
+$sql_document = mysqli_query($mysqli, "SELECT * FROM documents WHERE document_template = 1 AND document_id = $document_id");

 $row = mysqli_fetch_array($sql_document);

 $document_name = htmlentities($row['document_name']);
-$document_content = $row['document_content'];
+$document_content = $purifier->purify(html_entity_decode($row['document_content']));
+//$document_content = $row['document_content'];
 $document_created_at = htmlentities($row['document_created_at']);
 $document_updated_at = htmlentities($row['document_updated_at']);

--- a/client_document_template_edit_modal.php
+++ b/client_document_template_edit_modal.php
@ -16,7 +16,7 @@
                    </div>

                    <div class="form-group">
-                        <textarea class="form-control summernote" name="content"><?php echo htmlentities($document_content); ?></textarea>
+                        <textarea class="form-control summernote" name="content"><?php echo $document_content; ?></textarea>
                    </div>

                </div>
--- a/client_tickets.php
+++ b/client_tickets.php
@ -82,7 +82,7 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli, "SELECT FOUND_ROWS()"));
                    $ticket_prefix = htmlentities($row['ticket_prefix']);
                    $ticket_number = htmlentities($row['ticket_number']);
                    $ticket_subject = htmlentities($row['ticket_subject']);
-                    $ticket_details = $row['ticket_details'];
+                    $ticket_details = htmlentities($row['ticket_details']);
                    $ticket_priority = htmlentities($row['ticket_priority']);
                    $ticket_status = htmlentities($row['ticket_status']);
                    $ticket_created_at = htmlentities($row['ticket_created_at']);
--- a/plugins/htmlpurifier/standalone/HTMLPurifier/DefinitionCache/Serializer/CSS/4.15.0,4114918a13a428a8482a8a449792a5a8747582b5,1.ser
+++ b/plugins/htmlpurifier/standalone/HTMLPurifier/DefinitionCache/Serializer/CSS/4.15.0,4114918a13a428a8482a8a449792a5a8747582b5,1.ser
--- a/post.php
+++ b/post.php
@ -7286,6 +7286,7 @@ if(isset($_POST['add_document'])){
    $client_id = intval($_POST['client_id']);
    $name = sanitizeInput($_POST['name']);
    $content = trim(mysqli_real_escape_string($mysqli,$purifier->purify(html_entity_decode($_POST['content']))));
+
    $content_raw = sanitizeInput($_POST['name'] . " " . str_replace("<", " <", $_POST['content']));
    // Content Raw is used for FULL INDEX searching. Adding a space before HTML tags to allow spaces between newlines, bulletpoints, etc. for searching.

--- a/ticket.php
+++ b/ticket.php
@ -1,6 +1,12 @@
 <?php
 require_once("inc_all.php");

+//Initialize the HTML Purifier to prevent XSS
+require("plugins/htmlpurifier/HTMLPurifier.standalone.php");
+$purifier_config = HTMLPurifier_Config::createDefault();
+$purifier_config->set('URI.AllowedSchemes', ['data' => true, 'src' => true, 'http' => true, 'https' => true]);
+$purifier = new HTMLPurifier($purifier_config);
+
 if (isset($_GET['ticket_id'])) {
    $ticket_id = intval($_GET['ticket_id']);

@ -38,7 +44,8 @@ if (isset($_GET['ticket_id'])) {
        $ticket_number = intval($row['ticket_number']);
        $ticket_category = htmlentities($row['ticket_category']);
        $ticket_subject = htmlentities($row['ticket_subject']);
-        $ticket_details = $row['ticket_details'];
+        $ticket_details = $purifier->purify(html_entity_decode($row['ticket_details']));
+        //$ticket_details = $row['ticket_details'];
        $ticket_priority = htmlentities($row['ticket_priority']);
        //Set Ticket Bage Color based of priority
        if ($ticket_priority == "High") {
@ -313,7 +320,8 @@ if (isset($_GET['ticket_id'])) {

                while ($row = mysqli_fetch_array($sql_ticket_replies)) {
                    $ticket_reply_id = intval($row['ticket_reply_id']);
-                    $ticket_reply = $row['ticket_reply'];
+                    $ticket_reply = $purifier->purify(html_entity_decode($row['ticket_reply']));
+                    //$ticket_reply = $row['ticket_reply'];
                    $ticket_reply_type = htmlentities($row['ticket_reply_type']);
                    $ticket_reply_created_at = htmlentities($row['ticket_reply_created_at']);
                    $ticket_reply_updated_at = htmlentities($row['ticket_reply_updated_at']);