Merge branch 'fix/XSSMitigation' into 'develop'

fix: mitigate XSS issues

See merge request 2pisoftware/cosine/core!432

Author: Chris Bateman

system/classes/DbObject.php

@@ -193,7 +193,7 @@ public function getSelectOptionTitle()
         } elseif (property_exists(get_class($this), "name")) {
             $title = $this->name;
         }
-        return $title;
+        return StringSanitiser::sanitise($title);
     }
 
     /**

system/classes/History.php

@@ -20,7 +20,7 @@ class History
 
     /**
      * This function adds a history value to the SESSION
-     * @param String $name
+     * @param string $name
      */
     public static function add($name, Web $w = null, $object = null)
     {
@@ -59,7 +59,7 @@ public static function add($name, Web $w = null, $object = null)
      *
      * @param string $key (optional)
      * @param int $length (optional)
-     * @return Array the history
+     * @return array the history
      */
     public static function get($key = null, $length = 0)
     {

system/classes/HtmlBootstrap5.php

@@ -161,7 +161,7 @@ public static function form($data, $action = null, $method = "POST", $submitTitl
                 case "password":
                     $size = !empty($field[4]) ? $field[4] : '';
                     $required = !empty($field[5]) ? $field[5] : '';
-                    $buffer .= '<input' . $readonly . ' style="width:100%;" type="' . $type . '" name="' . $name . '" value="' . htmlspecialchars($value) . '" size="' . $size . '" id="' . $name . '"  ' . $required . '/>';
+                    $buffer .= '<input' . $readonly . ' style="width:100%;" type="' . $type . '" name="' . $name . '" value="' . $value . '" size="' . $size . '" id="' . $name . '"  ' . $required . '/>';
                     break;
                 case "autocomplete":
                     $options = !empty($field[4]) ? $field[4] : '';
@@ -394,7 +394,7 @@ public static function multiColForm($data, $action = null, $method = "POST", $su
                         case "email":
                         case "tel":
                             $size = !empty($field[4]) ? $field[4] : null;
-                            $buffer .= '<input' . $readonly . ' class="form-control" type="' . $type . '" name="' . $name . '" value="' . (empty($value) ? '' : htmlspecialchars($value)) .
+                            $buffer .= '<input' . $readonly . ' class="form-control" type="' . $type . '" name="' . $name . '" value="' . (empty($value) ? '' : $value) .
                                 '" size="' . $size . '" id="' . $name . '" ' . $required . " />";
                             break;
                         case "autocomplete":
@@ -1019,4 +1019,26 @@ public static function timePicker($name, $value = null, $size = null, $required
     {
         return '<input class="form-control" type="time" name="' . $name . '" value="' . $value . '" size="' . $size . '" id="' . $name . '" ' . $required . ' />';
     }
+
+    /**
+     * Create a single select autocomplete widget
+     *
+     * @param <type> $data
+     * @param <type> $value
+     * @param <type> $class
+     */
+    public static function autocomplete($name, $options, $value = null, $class = null, $style = null, $minLength = 1, $required = null)
+    {
+        return (new \Html\Form\Html5Autocomplete([
+            "id|name" => "title",
+            "class" => "form-control " . $class,
+            "label" => "Title",
+            "maxItems" => 1,
+            "value" => $value,
+            "required" => !!$required,
+            "style" => $style,
+            "minLength" => $minLength,
+            "options" => $options,
+        ]))->__toString();
+    }
 }

system/classes/StringSanitiser.php

@@ -0,0 +1,65 @@
+<?php
+
+class StringSanitiser {
+    /**
+     * Converts input data to encoded entities for safe display to screen
+     * 
+     * @param ?string $data
+     * @return string
+     */
+    public static function sanitise(?string $string, ?int $flags = ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401): string
+    {
+        if (!$string) {
+            return '';
+        }
+        return htmlspecialchars(string: $string, flags: $flags, double_encode: false);
+    }
+
+    /**
+     * Strips default Quill HTML tags from the input string
+     * 
+     * @param ?string $string
+     * @param ?array $tags
+     * @return string
+     */
+    public static function stripTags(?string $string, ?array $tags = []): string
+    {
+        if (!$string) {
+            return '';
+        }
+
+        if (empty($tags)) {
+            $tags = (new \Html\Cmfive\QuillEditor())->tag_allow_list;
+        }
+
+        return strip_tags($string, $tags);
+    }
+
+    /**
+     * Strips anything that is not alphanumeric from the input string
+     * 
+     * @param ?string $string
+     * @return string
+     */
+    public static function stripNonAlphaNumeric(?string $string): string
+    {
+        if (!$string) {
+            return '';
+        }
+        return preg_replace('/[^a-zA-Z0-9]/', '', $string) ?? '';
+    }
+
+    /**
+     * Escapes quotes of the input string
+     * 
+     * @param ?string $string
+     * @return string
+     */
+    public static function escapeQuotes(?string $string): string
+    {
+        if (!$string) {
+            return '';
+        }
+        return addslashes($string);
+    }
+}

system/classes/html/cmfive/CodeMirrorEditor.php

@@ -46,6 +46,6 @@ public function setValues(array $values): self
 
     public function __toString()
     {
-        return '<textarea name="' . $this->name . '" id="' . $this->id . '" style="display:none"></textarea><div class="code-mirror-target" cm-value=\'' . $this->value . '\' id="' . $this->id . '">'  . '</div>';
+        return '<textarea name="' . $this->name . '" id="' . $this->id . '" style="display:none">' . $this->value . '</textarea><div class="code-mirror-target" data-id="' . $this->id . '">'  . '</div>';
     }
 }

system/classes/html/cmfive/QuillEditor.php

@@ -12,6 +12,8 @@ class QuillEditor extends \Html\Form\InputField
 
     public $options = ["theme" => "snow"];
 
+    public $tag_allow_list = ["<h1>", "<h2>", "<h3>", "<p>", "<strong>", "<em>", "<u>", "<ol>", "<ul>", "<li>", "<a>", "<img>", "<blockquote>", "<code>", "<pre>", "<br>", "<hr>"];
+
     /**
      * Value of the textarea
      * @var string
@@ -29,8 +31,16 @@ public function setOptions(array $options = []): self
         return $this;
     }
 
+    public function setTagAllowList(array $tag_allow_list = []): self
+    {
+        $this->tag_allow_list = $tag_allow_list;
+        return $this;
+    }
+
     public function __toString()
     {
-        return '<textarea name="' . $this->name . '" id="' . $this->id . '" style="display:none">' . $this->value . '</textarea><div class="quill-editor" data-quill-options=\'' . json_encode($this->options) . '\' id="quill_' . $this->id . '">' . $this->value . '</div>';
+        $value = strip_tags($this->value ?? '', $this->tag_allow_list);
+
+        return '<textarea name="' . $this->name . '" id="' . $this->id . '" style="display:none">' . $value . '</textarea><div class="quill-editor" data-quill-options=\'' . json_encode($this->options) . '\' id="quill_' . $this->id . '">' . $value . '</div>';
     }
 }

system/classes/html/form/Autocomplete.php

@@ -124,13 +124,13 @@ public function setRequired($required) {
 		return $this;
 	}
 
-        /**
-         * Sets the boolean readonly attribute
-         *
-         * @param string $readonly 'true' for readonly fields
-         * @return \Html\Form\Autocomplete this
-         */
-        public function setReadOnly($readonly) {
+	/**
+	 * Sets the boolean readonly attribute
+	 *
+	 * @param string $readonly 'true' for readonly fields
+	 * @return \Html\Form\Autocomplete this
+	 */
+	public function setReadOnly($readonly) {
 		$this->readonly = $readonly;
 
 		return $this;

system/classes/html/form/Html5Autocomplete.php

@@ -2,8 +2,6 @@
 
 namespace Html\Form;
 
-use LogService;
-
 /**
  * HTML5 Autocomplete using Tom-Select on frontend.
  * Renders an text <input> field with a dropdown for possible values,
@@ -108,7 +106,7 @@ public function __toString()
                 continue;
             }
 
-            $buffer .= $field . "='" . addslashes(is_array($value) ? implode(",", $value) : $value) . "' ";
+            $buffer .= $field . "='" . \StringSanitiser::escapeQuotes(is_array($value) ? implode(",", $value) : $value) . "' ";
         }
 
         $buffer .=
@@ -117,15 +115,11 @@ public function __toString()
             json_encode([
                 "options" => $this->options ?
                     array_map(
-                        fn($val) =>
-                        array_map(
-                            fn($inner) => htmlspecialchars($inner),
-                            $this->convertOption($val)
-                        ),
+                        fn($val) => $this->convertOption($val),
                         $this->options
                     )
                     : null,
-                "maxItems" => !isset($this->maxItems) ? $this->maxItems : 1,
+                "maxItems" => $this->maxItems,
                 "items" => $this->value,
                 "source" => $this->source,
                 "create" => $this->canCreate,
@@ -144,7 +138,7 @@ public function __toString()
                     "onItemRemove" => $this->onItemRemove,
                     "onItemCreate" => $this->onItemCreate,
                 ]
-            ]) .
+            ], JSON_HEX_APOS | JSON_HEX_QUOT) .
             "' ";
 
         return $buffer . '/>';
@@ -174,6 +168,11 @@ private function convertOption($val)
                 "value" => $val,
                 "text" => $val,
             ];
+        } else if (is_array($val) && count($val) === 2) {
+            return [
+                "value" => $val[0],
+                "text" => $val[1],
+            ];
         } else {
             // can't log cause don't have $w
             // LogService::getInstance($w)->setLogger("html5autocomplete")->error("option did not match format", $val);