Add StringFilter to sanitize any external input

technicalguru · technicalguru · commit ec2082755d4e · 2023-01-29T09:43:34.000Z
diff --git a/src/WebApp/Component/I18nFormElement.php b/src/WebApp/Component/I18nFormElement.php
@@ -50,11 +50,11 @@ public function getError($languageKey = NULL) {
 		return isset($this->errors[$languageKey]) ? I18N::_($this->errors[$languageKey]) : NULL;
 	}
 
-	public static function getPostValues($name, $languages) {
+	public static function getPostValues($name, $languages, $filter = NULL) {
 		$rc = array();
 		$request = \TgUtils\Request::getRequest();
 		foreach ($languages AS $key => $label) {
-			$rc[$key] = $request->getPostParam($name.'-'.$key);
+			$rc[$key] = $request->getPostParam($name.'-'.$key, NULL, $filter);
 			if ($rc[$key] != NULL) $rc[$key] = trim($rc[$key]);
 		}
 		return $rc;
diff --git a/src/WebApp/RestPage.php b/src/WebApp/RestPage.php
@@ -5,6 +5,7 @@
 use TgLog\Log;
 use TgLog\Error;
 use WebApp\Component\Alert;
+use TgUtils\StringFilters;
 
 class RestPage extends Page {
 
@@ -110,10 +111,18 @@ protected function getJsonBody() {
 		return $this->jsonBody;
 	}
 
-	protected function getJsonParam($key, $default = NULL) {
+	/**
+	 * Returns the JSON parameter with the given key.
+	 * @param string $key - the object attribute of root JSON object
+	 * @param mixed  $default - the default value if not available
+	 * @param StringFilter $filter - the filter to apply for the param (NULL will mean NOHTML)
+	 * @return the filtered value or default value.
+	 */
+	protected function getJsonParam($key, $default = NULL, $filter = NULL) {
 		$obj = $this->getJsonBody();
 		if (!isset($obj->$key)) return $default;
-		return $obj->$key;
+		if ($filter == NULL) $filter = StringFilters::$NO_HTML;
+		return $filter->filter($obj->$key);
 	}
 }
 

Original file line number	Diff line number	Diff line change
`@@ -50,11 +50,11 @@ public function getError($languageKey = NULL) {`
`50`	`50`	`return isset($this->errors[$languageKey]) ? I18N::_($this->errors[$languageKey]) : NULL;`
`51`	`51`	`}`
`52`	`52`
`53`		`- public static function getPostValues($name, $languages) {`
	`53`	`+ public static function getPostValues($name, $languages, $filter = NULL) {`
`54`	`54`	`$rc = array();`
`55`	`55`	`$request = \TgUtils\Request::getRequest();`
`56`	`56`	`foreach ($languages AS $key => $label) {`
`57`		`- $rc[$key] = $request->getPostParam($name.'-'.$key);`
	`57`	`+ $rc[$key] = $request->getPostParam($name.'-'.$key, NULL, $filter);`
`58`	`58`	`if ($rc[$key] != NULL) $rc[$key] = trim($rc[$key]);`
`59`	`59`	`}`
`60`	`60`	`return $rc;`