Security: Remove "Security::remove_XSS", fix htmleditor get value

Related: 099ec4117e
7 years ago · d9c37bf1f3
parent b3fa8b01b0
commit d9c37bf1f3
3 changed files with 41 additions and 18 deletions
--- a/main/inc/ajax/agenda.ajax.php
+++ b/main/inc/ajax/agenda.ajax.php
@ -1,8 +1,10 @@
 <?php
 /* For licensing terms, see /license.txt */
+
 /**
 * Responses to AJAX calls.
 */
+
 $type = isset($_REQUEST['type']) && in_array($_REQUEST['type'], ['personal', 'course', 'admin']) ? $_REQUEST['type'] : 'personal';

 if ($type == 'personal') {
@ -28,9 +30,9 @@ switch ($action) {
            break;
        }
        $add_as_announcement = isset($_REQUEST['add_as_annonuncement']) ? $_REQUEST['add_as_annonuncement'] : null;
-        $title = isset($_REQUEST['title']) ? Security::remove_XSS($_REQUEST['title']) : null;
-        $content = isset($_REQUEST['content']) ? Security::remove_XSS($_REQUEST['content']) : null;
-        $comment = isset($_REQUEST['comment']) ? Security::remove_XSS($_REQUEST['comment']) : null;
+        $title = isset($_REQUEST['title']) ? $_REQUEST['title'] : null;
+        $content = isset($_REQUEST['content']) ? $_REQUEST['content'] : null;
+        $comment = isset($_REQUEST['comment']) ? $_REQUEST['comment'] : null;
        $userToSend = isset($_REQUEST['users_to_send']) ? $_REQUEST['users_to_send'] : [];

        echo $agenda->addEvent(
--- a/main/inc/lib/formvalidator/Element/HtmlEditor.php
+++ b/main/inc/lib/formvalidator/Element/HtmlEditor.php
@ -31,7 +31,7 @@ class HtmlEditor extends HTML_QuickForm_textarea
        $config = []
    ) {
        if (empty($name)) {
-            return false;
+            throw new \Exception('Name is required');
        }

        parent::__construct($name, $elementLabel, $attributes);
@ -54,9 +54,9 @@ class HtmlEditor extends HTML_QuickForm_textarea
     */
    public function toHtml()
    {
-        $value = Security::remove_XSS($this->getValue());
        if ($this->editor) {
            if ($this->editor->getConfigAttribute('fullPage')) {
+                $value = $this->getValue();
                if (strlen(trim($value)) == 0) {
                    // TODO: To be considered whether here to add
                    // language and character set declarations.
@ -70,10 +70,9 @@ class HtmlEditor extends HTML_QuickForm_textarea
            return $this->getFrozenHtml();
        } else {
            $styleCss = $this->editor->getConfigAttribute('style');
+            $style = false;
            if ($styleCss) {
                $style = true;
-            } else {
-                $style = false;
            }

            return $this->buildEditor($style);
@ -87,7 +86,7 @@ class HtmlEditor extends HTML_QuickForm_textarea
     */
    public function getFrozenHtml()
    {
-        return $this->getValue();
+        return $this->getCleanValue();
    }

    /**
@ -99,9 +98,9 @@ class HtmlEditor extends HTML_QuickForm_textarea
    {
        $result = '';
        if ($this->editor) {
-            $this->editor->value = Security::remove_XSS($this->getValue());
+            $this->editor->value = $this->getCleanValue();
            $this->editor->setName($this->getName());
-            if ($style == true) {
+            if ($style === true) {
                $result = $this->editor->createHtmlStyle();
            } else {
                $result = $this->editor->createHtml();
--- a/main/inc/lib/pear/HTML/QuickForm/element.php
+++ b/main/inc/lib/pear/HTML/QuickForm/element.php
@ -253,12 +253,30 @@ class HTML_QuickForm_element extends HTML_Common
     */
    public function getValue()
    {
-        // interface
        return null;
-    } // end func getValue
+    }

-    // }}}
-    // {{{ freeze()
+    /**
+     * @return string
+     */
+    public function getCleanValue()
+    {
+        $value = $this->cleanValueFromParameter($this->getValue());
+
+        return $value;
+    }
+
+    /**
+     * @param string $value
+     *
+     * @return string
+     */
+    public function cleanValueFromParameter($value)
+    {
+        $value = @htmlspecialchars($value, ENT_COMPAT, HTML_Common::charset());
+
+        return $value;
+    }

    /**
     * Freeze the element so that only its value is returned
@ -302,12 +320,16 @@ class HTML_QuickForm_element extends HTML_Common
        // Modified by Ivan Tcholakov, 16-MAR-2010.
        //return ('' != $value? htmlspecialchars($value): '&nbsp;') .
        //       $this->_getPersistantData();
+        if (!empty($value)) {
+            $value = $this->getCleanValue();
+        } else {
+            $value = '&nbsp;';
+        }
+
+        $value .= $this->_getPersistantData();

-        $value =  ('' != $value ? @htmlspecialchars($value, ENT_COMPAT, HTML_Common::charset()): '&nbsp;') .
-               $this->_getPersistantData();
        return '<span class="freeze">'.$value.'</span>';
-        //
-    } //end func getFrozenHtml
+    }

   /**
    * Used by getFrozenHtml() to pass the element's value if _persistantFreeze is on