Merge pull request #4589 from Deltik/fix/form-builder-escaping

Fix most `e_form` form builder escaping problems
2025-07-15 03:56:20 +02:00 · 2021-10-07 16:10:44 -07:00
parent d4d0a74858 2fa9d10c57
commit 091145c1fe
4 changed files with 599 additions and 414 deletions
--- a/e107_handlers/e_parse_class.php
+++ b/e107_handlers/e_parse_class.php
@ -4800,8 +4800,17 @@ class e_parse

 	/**
 	 * Filters/Validates using the PHP5 filter_var() method.
+	 *
 	 * @param string|array $text
-	 * @param string $type string str|int|email|url|w|wds|file
+	 * @param string $type str|int|email|url|w|wds|file
+	 *
+	 *                     If the type is "str" (default), HTML tags are stripped, and quotation marks are escaped for
+	 *                     HTML with the intention of making the string safe to use in both concatenated SQL queries and
+	 *                     HTML code.
+	 *
+	 *                     Despite the intention, strings returned by this function should still be specified as values
+	 *                     in SQL prepared statements or surrounded by {@see mysqli_real_escape_string()} if the string
+	 *                     is to be written to the database.
 	 * @return string|boolean| array
 	 */
 	public function filter($text, $type = 'str', $validate = false)
@ -4859,7 +4868,10 @@ class e_parse
 				{
 					$filterTypes = array(
 						'int'   => FILTER_SANITIZE_NUMBER_INT,
-						'str'   => function($input) { return strip_tags($input); },
+						'str'   => function($input)
+						{
+							return htmlspecialchars(strip_tags($input), ENT_QUOTES);
+						},
 						'email' => FILTER_SANITIZE_EMAIL,
 						'url'   => FILTER_SANITIZE_URL,
 						'enc'   => FILTER_SANITIZE_ENCODED
--- a/e107_handlers/form_handler.php
+++ b/e107_handlers/form_handler.php
--- a/e107_tests/tests/unit/e_formTest.php
+++ b/e107_tests/tests/unit/e_formTest.php
--- a/e107_tests/tests/unit/e_parseTest.php
+++ b/e107_tests/tests/unit/e_parseTest.php
@ -2589,7 +2589,22 @@ Your browser does not support the audio tag.

 		}

+		/**
+		 * e107 v0.6.0 requires strings to be passed around with quotation marks escaped for HTML as a way to prevent
+		 * both SQL injection and cross-site scripting. Although {@see e_parse::toDB()} is supposed to do that, some
+		 * usages, specifically {@see e_front_model::sanitizeValue()} call {@see e_parse::filter()} instead.
+		 *
+		 * @version 2.3.1
+		 */
+		public function testFilterStr()
+		{
+			$input = "<strong>\"e107's\"</strong>";
+			$expected = "&quot;e107&#039;s&quot;";

+			$actual = $this->tp->filter($input, 'str');
+
+			$this->assertEquals($expected, $actual);
+		}

 		public function testCleanHtml()
 		{