From 017b062acd34da81e0cdc19c231b95756496dd01 Mon Sep 17 00:00:00 2001
From: David Goodwin
Date: Wed, 2 Dec 2009 10:33:04 +0000
Subject: [PATCH] extend the Smarty class so when assigning data to it, it is automatically escaped (unless specified otherwise with a 3rd parameter (false) in the assign function call). This will probably cause some breakage esp where translations have html embedded within them - however i would rather this were the case than the application be vulnerable to XSS
git-svn-id: https://svn.code.sf.net/p/postfixadmin/code/trunk@782 a1433add-5e2c-0410-b055-b7f2511e0802
---
 smarty.inc.php | 42 ++++++++++++++++++++++++++++++++++++++----
 1 file changed, 38 insertions(+), 4 deletions(-)
diff --git a/smarty.inc.php b/smarty.inc.php
index c1f7225d..d368da2d 100644
--- a/smarty.inc.php
+++ b/smarty.inc.php
@@ -1,7 +1,40 @@
sanitise($value);
+ /* we won't run the key through sanitise() here... some might argue we should */
+ return parent::assign($key, $clean);
+ }
+
+ /**
+ * Recursive cleaning of data, using htmlentities - this assumes we only ever output to HTML and we're outputting in UTF-8 charset
+ *
+ * @param mixed $data - array or primitive type; objects not supported.
+ * @return mixed $data
+ * */
+ public function sanitise($data) {
+ if(!is_array($data)) {
+ return htmlentities($data, ENT_QUOTES, 'UTF-8');
+ }
+ if(is_array($data)) {
+ $clean = array();
+ foreach($data as $key => $value) {
+ /* as this is a nested data structure it's more likely we'll output the key too (at least in my opinion, so we'll sanitise it too */
+ $clean[$this->sanitise($key)] = $this->sanitise($value);
+ }
+ return $clean;
+ }
+ }
+}
+$smarty = new PFASmarty();
 //$smarty->debugging = true;
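Review bot: sanitise() provides HTML text/attribute escaping only, so a value a template places inside a `<script>` block, an `on*` attribute or a URL still needs context-specific escaping at the point of output, and every call that passes `false` as the third argument of assign() (the commit message expects this for translations carrying markup) becomes a spot that has to be re-checked by hand; a comment on the method should say so, e.g. `/* Escapes for HTML text/attribute context only; script, URL and attribute-name contexts need their own escaping in the template, and assign(..., false) callers take on that responsibility. */`. The docblock also overstates the contract: htmlentities() stringifies scalars, so `null` and `false` reach the template as `''` and ints as strings, while an object (which the docblock calls unsupported) is handed to htmlentities() rather than rejected — if templates test types, return non-string scalars untouched first, `if (is_int($data) || is_float($data) || is_bool($data) || $data === null) { return $data; }`. A string that is not valid UTF-8 makes htmlentities() return `''`, so malformed input is silently blanked instead of surfaced; on PHP 5.4+ adding `ENT_SUBSTITUTE` to the flags keeps the rest of the string and makes such input visible in output. The second `if(is_array($data))` is always true after the early return and can be dropped, which also stops the method from falling off the end without a return. The class header and the start of assign() above this method are not legible in the hunk as rendered, and the hunk's trailing context appears cut off, so this covers only the visible sanitise() body.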
@@ -30,10 +63,11 @@ else {
 $motd_file = "motd.txt";
 }
-if (file_exists ($CONF ['postfix_admin_path'].'/templates/'.$motd_file))
- $smarty->assign ('motd_file', $motd_file);
+if (file_exists ($CONF ['postfix_admin_path'].'/templates/'.$motd_file)) {
+ $smarty->assign ('motd_file', $motd_file);
+}
-function select_options ($aValues, $aSelected)
+function select_options($aValues, $aSelected)
 {
 $ret_val = '';
 foreach ($aValues as $val)