Rework htmlpurify function in client portal to properly santizie the output instead of the input Fix broken client avatar in client portal

2023-03-12 10:48:45 -04:00 · 2023-03-12 10:48:45 -04:00 · d37c3f0251
parent c9143ec3c0
commit d37c3f0251
4 changed files with 14 additions and 19 deletions
--- a/plugins/htmlpurifier/standalone/HTMLPurifier/DefinitionCache/Serializer/CSS/4.15.0,4114918a13a428a8482a8a449792a5a8747582b5,1.ser
+++ b/plugins/htmlpurifier/standalone/HTMLPurifier/DefinitionCache/Serializer/CSS/4.15.0,4114918a13a428a8482a8a449792a5a8747582b5,1.ser
--- a/plugins/htmlpurifier/standalone/HTMLPurifier/DefinitionCache/Serializer/URI/4.15.0,b359e061fc6632c745df51b43504cb541c9339de,1.ser
+++ b/plugins/htmlpurifier/standalone/HTMLPurifier/DefinitionCache/Serializer/URI/4.15.0,b359e061fc6632c745df51b43504cb541c9339de,1.ser
--- a/portal/portal_post.php
+++ b/portal/portal_post.php
@ -11,19 +11,13 @@ if (isset($_POST['add_ticket'])) {
    // Get ticket prefix/number
    $sql_settings = mysqli_query($mysqli, "SELECT * FROM settings WHERE company_id = 1");
    $row = mysqli_fetch_array($sql_settings);
-    $config_ticket_prefix = $row['config_ticket_prefix'];
+    $config_ticket_prefix = santizeInput($row['config_ticket_prefix']);
    $config_ticket_next_number = intval($row['config_ticket_next_number']);

-    // HTML Purifier
-    require_once("../plugins/htmlpurifier/HTMLPurifier.standalone.php");
-    $purifier_config = HTMLPurifier_Config::createDefault();
-    $purifier_config->set('URI.AllowedSchemes', ['data' => true, 'src' => true, 'http' => true, 'https' => true]);
-    $purifier = new HTMLPurifier($purifier_config);
-
    $client_id = intval($session_client_id);
    $contact = intval($session_contact_id);
    $subject = sanitizeInput($_POST['subject']);
-    $details = trim(mysqli_real_escape_string($mysqli, $purifier->purify(html_entity_decode(nl2br($_POST['details'])))));
+    $details = mysqli_real_escape_string($mysqli,($_POST['details']));

    // Ensure priority is low/med/high (as can be user defined)
    if ($_POST['priority'] !== "Low" && $_POST['priority'] !== "Medium" && $_POST['priority'] !== "High") {
@ -48,18 +42,13 @@ if (isset($_POST['add_ticket'])) {
 }

 if (isset($_POST['add_ticket_comment'])) {
-    // HTML Purifier
-    require_once("../plugins/htmlpurifier/HTMLPurifier.standalone.php");
-    $purifier_config = HTMLPurifier_Config::createDefault();
-    $purifier_config->set('URI.AllowedSchemes', ['data' => true, 'src' => true, 'http' => true, 'https' => true]);
-    $purifier = new HTMLPurifier($purifier_config);

    $ticket_id = intval($_POST['ticket_id']);

    // Not currently providing the client portal with a full summer note editor, but need to maintain line breaks.
    // In order to maintain line breaks consistently with the agent side, we need to allow HTML tags.
    // So, we need to convert line breaks to HTML and clean HTML with HTML Purifier
-    $comment = trim(mysqli_real_escape_string($mysqli, $purifier->purify(html_entity_decode(nl2br($_POST['comment'])))));
+    $comment = mysqli_real_escape_string($mysqli, $_POST['comment']);

    // After stripping bad HTML, check the comment isn't just empty
    if (empty($comment)) {
--- a/portal/ticket.php
+++ b/portal/ticket.php
@ -6,6 +6,12 @@

 require_once("inc_portal.php");

+//Initialize the HTML Purifier to prevent XSS
+require("../plugins/htmlpurifier/HTMLPurifier.standalone.php");
+$purifier_config = HTMLPurifier_Config::createDefault();
+$purifier_config->set('URI.AllowedSchemes', ['data' => true, 'src' => true, 'http' => true, 'https' => true]);
+$purifier = new HTMLPurifier($purifier_config);
+
 if (isset($_GET['id']) && intval($_GET['id'])) {
    $ticket_id = intval($_GET['id']);

@ -24,7 +30,7 @@ if (isset($_GET['id']) && intval($_GET['id'])) {
        $ticket_status = htmlentities($ticket_row['ticket_status']);
        $ticket_priority = htmlentities($ticket_row['ticket_priority']);
        $ticket_subject = htmlentities($ticket_row['ticket_subject']);
-        $ticket_details = $ticket_row['ticket_details'];
+        $ticket_details = $purifier->purify($ticket_row['ticket_details']);
        $ticket_feedback = htmlentities($ticket_row['ticket_feedback']);

        ?>
@ -111,9 +117,9 @@ if (isset($_GET['id']) && intval($_GET['id'])) {

        while ($row = mysqli_fetch_array($sql)) {
            $ticket_reply_id = intval($row['ticket_reply_id']);
-            $ticket_reply = $row['ticket_reply'];
-            $ticket_reply_created_at = $row['ticket_reply_created_at'];
-            $ticket_reply_updated_at = $row['ticket_reply_updated_at'];
+            $ticket_reply = $purifier->purify($row['ticket_reply']);
+            $ticket_reply_created_at = htmlentities($row['ticket_reply_created_at']);
+            $ticket_reply_updated_at = htmlentities($row['ticket_reply_updated_at']);
            $ticket_reply_by = intval($row['ticket_reply_by']);
            $ticket_reply_type = $row['ticket_reply_type'];

@ -121,7 +127,7 @@ if (isset($_GET['id']) && intval($_GET['id'])) {
                $ticket_reply_by_display = htmlentities($row['contact_name']);
                $user_initials = initials($row['contact_name']);
                $user_avatar = $row['contact_photo'];
-                $avatar_link = "../uploads/clients/$session_company_id/$session_client_id/$user_avatar";
+                $avatar_link = "../uploads/clients/$session_client_id/$user_avatar";
            } else {
                $ticket_reply_by_display = htmlentities($row['user_name']);
                $user_id = intval($row['user_id']);