extend the Smarty class so when assigning data to it, it is automatically escaped (unless specified otherwise with a 3rd parameter (false) in the assign function call). This will probably cause some breakage esp where translations have html embedded within them - however i would rather this were the case than the application be vulnerable to XSS

git-svn-id: https://svn.code.sf.net/p/postfixadmin/code/trunk@782 a1433add-5e2c-0410-b055-b7f2511e0802
2024-09-20 03:36:20 +02:00 · 2009-12-02 10:33:04 +00:00 · 2009-12-02 10:33:04 +00:00 · 017b062acd
commit 017b062acd
parent 9b0a8deb34
1 changed files with 38 additions and 4 deletions
--- a/smarty.inc.php
+++ b/smarty.inc.php
@ -1,7 +1,40 @@
 <?php
 require_once ("$incpath/smarty/libs/Smarty.class.php");

-$smarty = new Smarty;
+/**
+ * Turn on sanitisation of all data by default so it's not possible for XSS flaws to occur in PFA
+ */
+class PFASmarty extends Smarty {
+    public function assign($key, $value, $sanitise = true) {
+        if($sanitise == false) {
+            return parent::assign($key, $value);
+        }
+        $clean = $this->sanitise($value);
+        /* we won't run the key through sanitise() here... some might argue we should */
+        return parent::assign($key, $clean);
+    }
+
+    /**
+     * Recursive cleaning of data, using htmlentities - this assumes we only ever output to HTML and we're outputting in UTF-8 charset 
+     *
+     * @param mixed $data - array or primitive type; objects not supported.
+     * @return mixed $data
+     * */
+    public function sanitise($data) {
+        if(!is_array($data)) {
+            return htmlentities($data, ENT_QUOTES, 'UTF-8');
+        }
+        if(is_array($data)) {
+            $clean = array();
+            foreach($data as $key => $value) {
+                /* as this is a nested data structure it's more likely we'll output the key too (at least in my opinion, so we'll sanitise it too */
+                $clean[$this->sanitise($key)] = $this->sanitise($value);
+            }
+            return $clean;
+        }
+    }
+}
+$smarty = new PFASmarty();

 //$smarty->debugging = true;

@ -30,8 +63,9 @@ else
 {
 	$motd_file = "motd.txt";
 }
-if (file_exists ($CONF ['postfix_admin_path'].'/templates/'.$motd_file))
+if (file_exists ($CONF ['postfix_admin_path'].'/templates/'.$motd_file)) {
    $smarty->assign ('motd_file', $motd_file);
+}

 function select_options($aValues, $aSelected)
 {