Commit 1a6dc3bc authored by Malcolm Blaney's avatar Malcolm Blaney

Added HTMLPurifier to check content from ckeditor. Improved

use of htmlspecialchars where HTML input is not expected. Improved
PlainContent function found in modules where main purpose is to
update content. Lots of small formatting fixes.
parent 8b118649
......@@ -406,13 +406,6 @@ class Cart extends Base {
public function Update() {
// This is called when the version of the module is updated,
// to provide a way to update or modify tables etc..
$mysqli = connect_db();
$query = 'ALTER TABLE cart_method ADD fee DECIMAL(8,2) AFTER '.
'gateway_password';
if (!$mysqli->query($query)) {
$this->Log("Cart->Update: ".$mysqli->error);
}
$mysqli->close();
}
public function UpdateScript($path) {
......@@ -445,14 +438,15 @@ class Cart extends Base {
private function Checkout() {
$object = array();
$mysqli = connect_db();
$first = $mysqli->escape_string($_POST["first"]);
$last = $mysqli->escape_string($_POST["last"]);
$email = $mysqli->escape_string($_POST["email"]);
$address = $mysqli->escape_string($_POST["address"]);
$city = $mysqli->escape_string($_POST["city"]);
$postcode = $mysqli->escape_string($_POST["postcode"]);
$state = $mysqli->escape_string($_POST["state"]);
$country = $mysqli->escape_string($_POST["country"]);
// Do htmlspecialchars first so that quotes don't need escaping.
$first = $mysqli->escape_string(htmlspecialchars($_POST["first"]));
$last = $mysqli->escape_string(htmlspecialchars($_POST["last"]));
$email = $mysqli->escape_string(htmlspecialchars($_POST["email"]));
$address = $mysqli->escape_string(htmlspecialchars($_POST["address"]));
$city = $mysqli->escape_string(htmlspecialchars($_POST["city"]));
$postcode = $mysqli->escape_string(htmlspecialchars($_POST["postcode"]));
$state = $mysqli->escape_string(htmlspecialchars($_POST["state"]));
$country = $mysqli->escape_string(htmlspecialchars($_POST["country"]));
// Look for shipping rules that match the given locations.
$rules = $this->ShippingRules($city, $state, $country);
......@@ -948,11 +942,16 @@ class Cart extends Base {
}
private function SaveItem() {
include "library/HTMLPurifier.auto.php";
$config = HTMLPurifier_Config::createDefault();
$purifier = new HTMLPurifier($config);
$us_full = $purifier->purify($_POST["full"]);
$mysqli = connect_db();
$name = $mysqli->escape_string($_POST["name"]);
$name = $mysqli->escape_string(htmlspecialchars($_POST["name"]));
$image = $mysqli->escape_string($_POST["image"]);
$short = $mysqli->escape_string($_POST["short"]);
$full = $mysqli->escape_string($_POST["full"]);
$short = $mysqli->escape_string(htmlspecialchars($_POST["short"]));
$full = $mysqli->escape_string($us_full);
$weight = (float)$mysqli->escape_string($_POST["weight"]);
$weight = number_format($weight, 2, ".", "");
$price = (float)$mysqli->escape_string($_POST["price"]);
......
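Review bot: The comment `Do htmlspecialchars first so that quotes don't need escaping` in the Checkout hunk overstates what the call does: with the default flags a single quote passes through `htmlspecialchars()` unchanged, so `escape_string()` is still the only thing protecting the query, and the comment should say so — `// Encode for HTML output; escape_string() still handles quotes for SQL.` Passing `ENT_QUOTES` would also be needed if these values are ever emitted inside single-quoted attributes. Encoding before storage also means the table now holds entity-encoded text, so any non-HTML consumer (plain-text mail, exports) will show `&amp;`, and any output path that encodes again will double-encode; storing raw and encoding at output is the usual split. In the SaveItem hunk `$image` is still taken verbatim while `name` and `short` are encoded; if it is later placed in an attribute it is the one remaining unencoded field. Both functions continue outside the hunks.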
......@@ -220,39 +220,7 @@ class Comment extends Base {
}
public function Update() {
$mysqli = connect_db();
$query = 'ALTER TABLE comment DROP COLUMN comment_id';
if (!$mysqli->query($query)) {
$this->Log("Comment->Update 1: ".$mysqli->error);
}
$query = 'ALTER TABLE comment ADD COLUMN title VARCHAR(180) AFTER url';
if (!$mysqli->query($query)) {
$this->Log("Comment->Update 2: ".$mysqli->error);
}
$query = 'ALTER TABLE comment CHANGE COLUMN content description TEXT';
if (!$mysqli->query($query)) {
$this->Log("Comment->Update 3: ".$mysqli->error);
}
$query = 'ALTER TABLE comment CHANGE COLUMN name author VARCHAR(50) '.
'AFTER description';
if (!$mysqli->query($query)) {
$this->Log("Comment->Update 4: ".$mysqli->error);
}
$query = 'ALTER TABLE comment ADD COLUMN category VARCHAR(200) '.
'AFTER author';
if (!$mysqli->query($query)) {
$this->Log("Comment->Update 5: ".$mysqli->error);
}
$query = 'ALTER TABLE comment ADD COLUMN enclosure TEXT AFTER category';
if (!$mysqli->query($query)) {
$this->Log("Comment->Update 6: ".$mysqli->error);
}
$query = 'ALTER TABLE comment ADD COLUMN permalink VARCHAR(200) '.
'AFTER enclosure';
if (!$mysqli->query($query)) {
$this->Log("Comment->Update 7: ".$mysqli->error);
}
$mysqli->close();
}
public function UpdateScript($path) {
......
......@@ -91,11 +91,11 @@ class Commenteditor extends Base {
if ($detail->IsInstalled()) {
$user_detail = $detail->Factory("User");
if ($user_detail["first"] !== "") {
$name = $user_detail["first"];
$name = htmlspecialchars($user_detail["first"]);
}
if ($user_detail["last"] !== "") {
if ($name !== "") $name .= " ";
$name .= $user_detail["last"];
$name .= htmlspecialchars($user_detail["last"]);
}
}
if ($this->user->canEditPage) {
......
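Review bot: The added `htmlspecialchars()` calls on `$user_detail["first"]` and `$user_detail["last"]` look like they double-encode: if `$detail->Factory("User")` is the Detail method changed in this same commit, it now returns these fields already encoded, so an `&` in a name becomes `&amp;amp;`. Encode in exactly one place; if Factory keeps encoding, revert these two lines to `$name = $user_detail["first"];` and `$name .= $user_detail["last"];`. The enclosing function starts and ends outside the hunk.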
<?php
// Dobrado Content Management System
// Copyright (C) 2013 Malcolm Blaney
// Copyright (C) 2014 Malcolm Blaney
//
// This program is free software: you can redistribute it and/or modify
// it under the terms of the GNU Affero General Public License as
......@@ -133,10 +133,7 @@ class Contact extends Base {
}
public function Copy($id, $new_page, $old_owner, $old_id) {
$us_content = $this->PlainContent($old_id, $old_owner);
$mysqli = connect_db();
$this->Insert($id, $mysqli->escape_string($us_content));
$mysqli->close();
$this->Insert($id, $this->PlainContent($old_id, $old_owner, true));
$this->CopyStyle($id, $old_owner, $old_id);
}
......@@ -166,7 +163,7 @@ class Contact extends Base {
'PRIMARY KEY(user, box_id)'.
') ENGINE=MyISAM';
if (!$mysqli->query($query)) {
$this->Log('Contact->Install 1: '.$mysqli->error);
$this->Log("Contact->Install 1: ".$mysqli->error);
}
$query = 'CREATE TABLE IF NOT EXISTS contact_history ('.
......@@ -178,7 +175,7 @@ class Contact extends Base {
'PRIMARY KEY(user, box_id, timestamp)'.
') ENGINE=MyISAM';
if (!$mysqli->query($query)) {
$this->Log('Contact->Install 2: '.$mysqli->error);
$this->Log("Contact->Install 2: ".$mysqli->error);
}
$mysqli->close();
......@@ -198,26 +195,25 @@ class Contact extends Base {
public function Remove($id) {
$mysqli = connect_db();
if (isset($id)) {
$query = 'DELETE FROM contact WHERE user="'.$this->owner.
'" AND box_id='.$id;
$query = 'DELETE FROM contact WHERE user = "'.$this->owner.'" '.
'AND box_id = '.$id;
if (!$mysqli->query($query)) {
$this->Log('Contact->Remove 1: '.$mysqli->error);
$this->Log("Contact->Remove 1: ".$mysqli->error);
}
$query = 'DELETE FROM contact_history WHERE user="'.$this->owner.
'" AND box_id='.$id;
$query = 'DELETE FROM contact_history WHERE user = "'.$this->owner.'" '.
'AND box_id = '.$id;
if (!$mysqli->query($query)) {
$this->Log('Contact->Remove 2: '.$mysqli->error);
$this->Log("Contact->Remove 2: ".$mysqli->error);
}
}
else {
$query = 'DELETE FROM contact WHERE user="'.$this->owner.'"';
$query = 'DELETE FROM contact WHERE user = "'.$this->owner.'"';
if (!$mysqli->query($query)) {
$this->Log('Contact->Remove 3: '.$mysqli->error);
$this->Log("Contact->Remove 3: ".$mysqli->error);
}
$query = 'DELETE FROM contact_history WHERE user="'.
$this->owner.'"';
$query = 'DELETE FROM contact_history WHERE user = "'.$this->owner.'"';
if (!$mysqli->query($query)) {
$this->Log('Contact->Remove 4: '.$mysqli->error);
$this->Log("Contact->Remove 4: ".$mysqli->error);
}
}
$mysqli->close();
......@@ -226,19 +222,24 @@ class Contact extends Base {
public function SetContent($id, $us_content) {
if (strcmp($us_content['data'], $this->PlainContent($id)) == 0) return;
include "library/HTMLPurifier.auto.php";
$config = HTMLPurifier_Config::createDefault();
$purifier = new HTMLPurifier($config);
$us_data = $purifier->purify($us_content["data"]);
$time = time();
$mysqli = connect_db();
$data = $mysqli->escape_string($us_content['data']);
$query= 'UPDATE contact SET content="'.$data.'", timestamp="'.
$time.'" WHERE user="'.$this->owner.'" AND box_id="'.$id.'"';
$data = $mysqli->escape_string($us_data);
$query= 'UPDATE contact SET content = "'.$data.'", timestamp = '.$time.
' WHERE user = "'.$this->owner.'" AND box_id = '.$id;
if (!$mysqli->query($query)) {
$this->Log('Contact->SetContent 1: '.$mysqli->error);
$this->Log("Contact->SetContent 1: ".$mysqli->error);
}
$query = 'INSERT INTO contact_history VALUES ("'.$this->owner.'","'.
$id.'","'.$data.'","'.$time.'","'.$this->user->name.'")';
$query = 'INSERT INTO contact_history VALUES ("'.$this->owner.'", '.
$id.', "'.$data.'", '.$time.', "'.$this->user->name.'")';
if (!$mysqli->query($query)) {
$this->Log('Contact->SetContent 2: '.$mysqli->error);
$this->Log("Contact->SetContent 2: ".$mysqli->error);
}
$mysqli->close();
}
......@@ -261,35 +262,36 @@ class Contact extends Base {
$time = time();
$mysqli = connect_db();
$query = 'INSERT INTO contact VALUES '.
'("'.$this->owner.'","'.$id.'","'.$content.'","'.$time.'")';
'("'.$this->owner.'", '.$id.', "'.$content.'", '.$time.')';
if (!$mysqli->query($query)) {
$this->Log('Contact->Insert 1: '.$mysqli->error);
$this->Log("Contact->Insert 1: ".$mysqli->error);
}
$query = 'INSERT INTO contact_history VALUES ("'.$this->owner.'","'.
$id.'","'.$content.'","'.$time.'","'.$this->user->name.'")';
$query = 'INSERT INTO contact_history VALUES ("'.$this->owner.'", '.
$id.', "'.$content.'", '.$time.', "'.$this->user->name.'")';
if (!$mysqli->query($query)) {
$this->Log('Contact->Insert 2: '.$mysqli->error);
$this->Log("Contact->Insert 2: ".$mysqli->error);
}
$mysqli->close();
}
private function PlainContent($id, $user = "") {
if ($user == "") {
private function PlainContent($id, $user = "", $escape = false) {
if ($user === "") {
$user = $this->owner;
}
$content = "";
$mysqli = connect_db();
$query = 'SELECT content FROM contact WHERE user="'.$user.
'" AND box_id = "'.$id.'"';
$query = 'SELECT content FROM contact WHERE user = "'.$user.'" '.
'AND box_id = '.$id;
if ($result = $mysqli->query($query)) {
if ($contact = $result->fetch_assoc()) {
$content = $contact['content'];
$content = $escape ? $mysqli->escape_string($contact["content"]) :
$contact["content"];
}
$result->close();
}
else {
$this->Log('Contact->PlainContent: '.$mysqli->error);
$this->Log("Contact->PlainContent: ".$mysqli->error);
}
$mysqli->close();
return $content;
......
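Review bot: In SetContent, `$id` is now concatenated unquoted into both queries (`'AND box_id = '.$id` and the history INSERT), so whatever string reaches `$id` becomes a bare SQL token; the same pattern is in Remove, Insert and PlainContent here and in the matching Player hunks (SetContent, Insert, PlainContent). Since box_id is compared as a number, cast once at the top of each method, `$id = (int)$id;`, or otherwise validate it before the query is built — its origin is not visible in this hunk. `$this->owner` and `$this->user->name` are likewise interpolated without `escape_string()`; presumably they come from the session rather than the request, but that assumption is worth a comment. PlainContent's new `$escape` flag also changes what the return value means, which the docblock should state: `// Returns the stored content; with $escape = true it is escape_string()'d for use in a query.`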
......@@ -66,9 +66,9 @@ class Detail extends Base {
'WHERE user = "'.$this->owner.'"';
if ($result = $mysqli->query($query)) {
if ($detail = $result->fetch_assoc()) {
$first = $detail["first"];
$last = $detail["last"];
$phone = $detail["phone"];
$first = htmlspecialchars($detail["first"]);
$last = htmlspecialchars($detail["last"]);
$phone = htmlspecialchars($detail["phone"]);
$thumbnail = $detail["thumbnail"];
if (preg_match('/^(.+)\.(.+)$/', $thumbnail, $matches)) {
$name = $matches[1];
......@@ -228,11 +228,12 @@ class Detail extends Base {
$mysqli = connect_db();
if ($result = $mysqli->query($query)) {
while ($detail = $result->fetch_assoc()) {
$object[$detail["user"]] = array("first" => $detail["first"],
"last" => $detail["last"],
"phone" => $detail["phone"],
"email" => $detail["email"],
"group" => $detail["system_group"]);
$object[$detail["user"]] =
array("first" => htmlspecialchars($detail["first"]),
"last" => htmlspecialchars($detail["last"]),
"phone" => htmlspecialchars($detail["phone"]),
"email" => htmlspecialchars($detail["email"]),
"group" => $detail["system_group"]);
}
$result->close();
}
......@@ -268,11 +269,11 @@ class Detail extends Base {
'users.user="'.$user.'"';
if ($result = $mysqli->query($query)) {
if ($detail = $result->fetch_assoc()) {
$object = array("first" => $detail["first"],
"last" => $detail["last"],
$object = array("first" => htmlspecialchars($detail["first"]),
"last" => htmlspecialchars($detail["last"]),
"thumbnail" => $detail["thumbnail"],
"phone" => $detail["phone"],
"email" => $detail["email"]);
"phone" => htmlspecialchars($detail["phone"]),
"email" => htmlspecialchars($detail["email"]));
}
$result->close();
}
......
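Review bot: Applying `htmlspecialchars()` inside the data-returning methods changes their contract — every caller now receives HTML-encoded strings and must not encode again, and any non-HTML use (an email address handed to a mailer, a phone number in a link) will see entities — but that contract is not written down. Add a comment on each of the three returns, `// Values are HTML-encoded for direct output; callers must not encode again.` `$thumbnail` is left raw in all three hunks while its siblings are encoded; if it ends up in a src attribute it is the one unencoded field, and the only check visible here is `preg_match('/^(.+)\.(.+)$/', ...)`, which accepts quotes. The enclosing methods start and end outside the hunks.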
......@@ -89,7 +89,7 @@ class Invoice extends Base {
}
public function CanEdit($id) {
return true;
return false;
}
public function CanRemove($id) {
......
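Review bot: `CanEdit()` now unconditionally returns `false` with `$id` unused and nothing explaining why in-place editing was switched off, so a reader of `CanRemove()` directly below cannot tell whether this is policy or a temporary disable. Add a one-line comment above the return, `// In-place editing of invoices is intentionally disabled.`, adjusted to the actual reason.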
<?php
// Dobrado Content Management System
// Copyright (C) 2013 Malcolm Blaney
// Copyright (C) 2014 Malcolm Blaney
//
// This program is free software: you can redistribute it and/or modify
// it under the terms of the GNU Affero General Public License as
......@@ -156,7 +156,12 @@ class Organiser extends Base {
else if ($action == "send-message") {
$us_recipients = $_POST["recipients"];
$us_subject = $_POST["subject"];
$us_message = $_POST["message"];
include "library/HTMLPurifier.auto.php";
$config = HTMLPurifier_Config::createDefault();
$purifier = new HTMLPurifier($config);
$us_message = $purifier->purify($_POST["message"]);
$body = wordwrap($this->Substitute("organiser-email-body", "/!message/",
$us_message));
$sender = $this->Substitute("organiser-sender", "/!host/",
......
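Review bot: The purifier is only applied to `$_POST["message"]`; `$us_subject` and `$us_recipients` still come straight from the request, and if `$us_subject` is placed into a mail header further down (outside the hunk) a CR/LF in it becomes an additional header line. Strip line breaks where it is read, `$us_subject = str_replace(["\r", "\n"], "", $_POST["subject"]);`, and validate each recipient with `filter_var($addr, FILTER_VALIDATE_EMAIL)` before use. `include` should be `require_once` for the purifier autoloader, since a missing file would otherwise only emit a warning before failing on the class lookup. The enclosing action handler starts and ends outside the hunk.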
<?php
// Dobrado Content Management System
// Copyright (C) 2013 Malcolm Blaney
// Copyright (C) 2014 Malcolm Blaney
//
// This program is free software: you can redistribute it and/or modify
// it under the terms of the GNU Affero General Public License as
......@@ -30,17 +30,17 @@ class Player extends Base {
$mode = $mysqli->escape_string($_POST['mode']);
if ($mode == "box") {
$id = substr($mysqli->escape_string($_POST['id']), 9);
$query = 'SELECT content FROM player WHERE user="'.$this->owner.
'" AND box_id = "'.$id.'"';
$query = 'SELECT content FROM player WHERE user = "'.$this->owner.'" '.
'AND box_id = '.$id;
if ($result = $mysqli->query($query)) {
if ($player = $result->fetch_assoc()) {
$object['editor'] = true;
$object['source'] = stripslashes($player['content']);
$object["editor"] = true;
$object["source"] = $player["content"];
}
$result->close();
}
else {
$this->Log('Player->Callback: '.$mysqli->error);
$this->Log("Player->Callback: ".$mysqli->error);
}
}
$mysqli->close();
......@@ -64,22 +64,7 @@ class Player extends Base {
}
public function Copy($id, $new_page, $old_owner, $old_id) {
$content = "";
$mysqli = connect_db();
$query = 'SELECT content FROM player WHERE user="'.$old_owner.
'" AND box_id = "'.$old_id.'"';
if ($result = $mysqli->query($query)) {
if ($player = $result->fetch_assoc()) {
$content = $mysqli->escape_string($player['content']);
}
$result->close();
}
else {
$this->Log('Player->Copy: '.$mysqli->error);
}
$mysqli->close();
$this->Insert($id, $content);
$this->Insert($id, $this->PlainContent($old_id, $old_owner, true));
$this->CopyStyle($id, $old_owner, $old_id);
}
......@@ -109,7 +94,7 @@ class Player extends Base {
'PRIMARY KEY(user, box_id)'.
') ENGINE=MyISAM';
if (!$mysqli->_query($query)) {
$this->Log('Player->Install 1: '.$mysqli->error);
$this->Log("Player->Install 1: ".$mysqli->error);
}
$query = 'CREATE TABLE IF NOT EXISTS player_history ('.
......@@ -121,7 +106,7 @@ class Player extends Base {
'PRIMARY KEY(user, box_id, timestamp)'.
') ENGINE=MyISAM';
if (!$mysqli->query($query)) {
$this->Log('Player->Install 2: '.$mysqli->error);
$this->Log("Player->Install 2: ".$mysqli->error);
}
$mysqli->close();
}
......@@ -140,44 +125,48 @@ class Player extends Base {
$query = 'DELETE FROM player WHERE user="'.$this->owner.
'" AND box_id='.$id;
if (!$mysqli->query($query)) {
$this->Log('Player->Remove 1: '.$mysqli->error);
$this->Log("Player->Remove 1: ".$mysqli->error);
}
$query = 'DELETE FROM player_history WHERE user="'.$this->owner.
'" AND box_id='.$id;
if (!$mysqli->query($query)) {
$this->Log('Player->Remove 2: '.$mysqli->error);
$this->Log("Player->Remove 2: ".$mysqli->error);
}
}
else {
$query = 'DELETE FROM player WHERE user="'.$this->owner.'"';
if (!$mysqli->query($query)) {
$this->Log('Player->Remove 3: '.$mysqli->error);
$this->Log("Player->Remove 3: ".$mysqli->error);
}
$query = 'DELETE FROM player_history WHERE user="'.$this->owner.'"';
if (!$mysqli->query($query)) {
$this->Log('Player->Remove 4: '.$mysqli->error);
$this->Log("Player->Remove 4: ".$mysqli->error);
}
}
$mysqli->close();
}
public function SetContent($id, $us_content) {
$us_data = stripslashes($us_content['data']);
if (strcmp($us_data, $this->PlainContent($id)) == 0) return;
if (strcmp($us_content["data"], $this->PlainContent($id)) == 0) return;
include "library/HTMLPurifier.auto.php";
$config = HTMLPurifier_Config::createDefault();
$purifier = new HTMLPurifier($config);
$us_data = $purifier->purify($us_content["data"]);
$time = time();
$mysqli = connect_db();
$data = $mysqli->escape_string($us_content['data']);
$query = 'UPDATE player SET content="'.$data.'", timestamp="'.$time.
'" WHERE user="'.$this->owner.'" AND box_id="'.$id.'"';
$data = $mysqli->escape_string($us_data);
$query = 'UPDATE player SET content = "'.$data.'", timestamp = '.$time.
' WHERE user = "'.$this->owner.'" AND box_id = '.$id;
if (!$mysqli->query($query)) {
$this->Log('Player->SetContent 1: '.$mysqli->error);
$this->Log("Player->SetContent 1: ".$mysqli->error);
}
$query = 'INSERT INTO player_history VALUES ("'.$this->owner.'","'.
$id.'","'.$data.'","'.$time.'","'.$this->user->name.'")';
$query = 'INSERT INTO player_history VALUES ("'.$this->owner.'", '.
$id.', "'.$data.'", '.$time.', "'.$this->user->name.'")';
if (!$mysqli->query($query)) {
$this->Log('Player->SetContent 2: '.$mysqli->error);
$this->Log("Player->SetContent 2: ".$mysqli->error);
}
$mysqli->close();
}
......@@ -193,36 +182,40 @@ class Player extends Base {
// Private functions below here ////////////////////////////////////////////
private function Insert($id, $content="") {
private function Insert($id, $content = "") {
$time = time();
$mysqli = connect_db();
$query = 'INSERT INTO player VALUES '.
'("'.$this->owner.'","'.$id.'","'.$content.'","'.$time.'")';
'("'.$this->owner.'", '.$id.', "'.$content.'", '.$time.')';
if (!$mysqli->query($query)) {
$this->Log('Player->Insert 1: '.$mysqli->error);
$this->Log("Player->Insert 1: ".$mysqli->error);
}
$query = 'INSERT INTO player_history VALUES ("'.$this->owner.'","'.
$id.'","'.$content.'","'.$time.'","'.$this->user->name.'")';
$query = 'INSERT INTO player_history VALUES ("'.$this->owner.'", '.
$id.', "'.$content.'", '.$time.', "'.$this->user->name.'")';
if (!$mysqli->query($query)) {
$this->Log('Player->Insert 2: '.$mysqli->error);
$this->Log("Player->Insert 2: ".$mysqli->error);
}
$mysqli->close();
}
private function PlainContent($id) {
private function PlainContent($id, $user = "", $escape = false) {
if ($user === "") {
$user = $this->owner;
}
$content = "";
$mysqli = connect_db();
$query = 'SELECT content FROM player WHERE user="'.$this->owner.
'" AND box_id = "'.$id.'"';
$query = 'SELECT content FROM player WHERE user = "'.$user.'" '.
'AND box_id = '.$id;
if ($result = $mysqli->query($query)) {
if ($player = $result->fetch_assoc()) {