extend the Smarty class so that when data is assigned to it, it is automatically escaped (unless specified otherwise with a 3rd parameter (false) in the assign function call). This will probably cause some breakage, especially where translations have HTML embedded within them - however I would rather this were the case than have the application be vulnerable to XSS
git-svn-id: https://svn.code.sf.net/p/postfixadmin/code/trunk@782 a1433add-5e2c-0410-b055-b7f2511e0802
parent
9b0a8deb34
commit
017b062acd
@ -1,7 +1,40 @@
|
||||
<?php
|
||||
require_once ("$incpath/smarty/libs/Smarty.class.php");
|
||||
|
||||
$smarty = new Smarty;
|
||||
/**
|
||||
* Turn on sanitisation of all data by default so it's not possible for XSS flaws to occur in PFA
|
||||
*/
|
||||
class PFASmarty extends Smarty {
|
||||
public function assign($key, $value, $sanitise = true) {
|
||||
if($sanitise == false) {
|
||||
return parent::assign($key, $value);
|
||||
}
|
||||
$clean = $this->sanitise($value);
|
||||
/* we won't run the key through sanitise() here... some might argue we should */
|
||||
return parent::assign($key, $clean);
|
||||
}
|
||||
|
||||
/**
|
||||
* Recursive cleaning of data, using htmlentities - this assumes we only ever output to HTML and we're outputting in UTF-8 charset
|
||||
*
|
||||
* @param mixed $data - array or primitive type; objects not supported.
|
||||
* @return mixed $data
|
||||
* */
|
||||
public function sanitise($data) {
|
||||
if(!is_array($data)) {
|
||||
return htmlentities($data, ENT_QUOTES, 'UTF-8');
|
||||
}
|
||||
if(is_array($data)) {
|
||||
$clean = array();
|
||||
foreach($data as $key => $value) {
|
||||
/* as this is a nested data structure it's more likely we'll output the key too (at least in my opinion, so we'll sanitise it too */
|
||||
$clean[$this->sanitise($key)] = $this->sanitise($value);
|
||||
}
|
||||
return $clean;
|
||||
}
|
||||
}
|
||||
}
|
||||
$smarty = new PFASmarty();
|
||||
|
||||
//$smarty->debugging = true;
|
||||
|
||||
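Review bot: The override at `public function assign($key, $value, $sanitise = true)` escapes only `$value`, so if the bundled Smarty's `assign()` also accepts an associative array as its sole argument (the standard Smarty form `$smarty->assign(array('x' => $v))`), every entry of that array reaches the template unescaped while `htmlentities(null)` is silently applied to the absent `$value` — a bypass of the protection this commit introduces. I would branch on `is_array($key)` and run the array itself through `sanitise()` before handing it to the parent, and give `$value` the `= null` default the parent signature presumably carries so the declaration stays compatible with Smarty's. Note also that `htmlentities()` is HTML text/attribute escaping only; a value interpolated into a `<script>` block or a URL in a template remains unsafe, which the class docblock should state, e.g. `* NOTE: escapes for HTML text/attribute context only - values emitted inside JavaScript or URLs still need context-specific escaping in the template.`
```php
public function assign($key, $value = null, $sanitise = true) {
    if (is_array($key)) {
        // Smarty's assign(array(...)) form: the data lives in $key, not $value,
        // so escape the whole array (keys and values) unless the caller opted out.
        $clean = $sanitise ? $this->sanitise($key) : $key;
        return parent::assign($clean);
    }
    // … unchanged: scalar $key/$value path …
}
```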
@ -30,10 +63,11 @@ else
|
||||
{
|
||||
$motd_file = "motd.txt";
|
||||
}
|
||||
if (file_exists ($CONF ['postfix_admin_path'].'/templates/'.$motd_file))
|
||||
$smarty->assign ('motd_file', $motd_file);
|
||||
if (file_exists ($CONF ['postfix_admin_path'].'/templates/'.$motd_file)) {
|
||||
$smarty->assign ('motd_file', $motd_file);
|
||||
}
|
||||
|
||||
function select_options ($aValues, $aSelected)
|
||||
function select_options($aValues, $aSelected)
|
||||
{
|
||||
$ret_val = '';
|
||||
foreach ($aValues as $val)
|
||||
|