From 19f48180dce79cbcd5c6a22f254e98e3d83104dd Mon Sep 17 00:00:00 2001
From: Nick Liu
Date: Wed, 6 Oct 2021 13:03:08 -0500
Subject: [PATCH] =?UTF-8?q?Restore=20`htmlspecialchars()`=20for=20`e=5Fpar?=
 =?UTF-8?q?se::filter(=E2=80=A6,=20'str')`?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Fixes regression from 20882920a0b68937570264949512acc0c4841dbd where data would get inserted into the database with literal quotation marks, but e107 has always expected `"` and `'` to come directly from the database
---
 e107_handlers/e_parse_class.php | 16 ++++++++++++++--
 e107_tests/tests/unit/e_parseTest.php | 15 +++++++++++++++
 2 files changed, 29 insertions(+), 2 deletions(-)

diff --git a/e107_handlers/e_parse_class.php b/e107_handlers/e_parse_class.php
index 867afdbb0..f93a1a69b 100644
--- a/e107_handlers/e_parse_class.php
+++ b/e107_handlers/e_parse_class.php
@@ -4800,8 +4800,17 @@ class e_parse
 /**
  * Filters/Validates using the PHP5 filter_var() method.
+ *
  * @param string|array $text
- * @param string $type string str|int|email|url|w|wds|file
+ * @param string $type str|int|email|url|w|wds|file
+ *
+ * If the type is "str" (default), HTML tags are stripped, and quotation marks are escaped for
+ * HTML with the intention of making the string safe to use in both concatenated SQL queries and
+ * HTML code.
+ *
+ * Despite the intention, strings returned by this function should still be specified as values
+ * in SQL prepared statements or surrounded by {@see mysqli_real_escape_string()} if the string
+ * is to be written to the database.
  * @return string|boolean| array
  */
 public function filter($text, $type = 'str', $validate = false)
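Review bot: The added paragraph says only quotation marks are escaped for the `str` type, but `htmlspecialchars()` with `ENT_QUOTES` also converts `&`, `<` and `>`, and with the default `double_encode` it re-encodes entities that are already present, so a caller that passes already-escaped text gets `&amp;amp;` back; the docblock should state this so callers do not filter twice. Suggested wording for that sentence: ` * HTML via htmlspecialchars() with ENT_QUOTES (which also converts &, < and > and double-encodes existing entities), with the intention of`. While the docblock is being edited, the context line `@return string|boolean| array` could be normalised to ` * @return string|bool|array`. The body of filter() continues outside the hunk.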
@@ -4859,7 +4868,10 @@ class e_parse
 {
 $filterTypes = array(
 'int' => FILTER_SANITIZE_NUMBER_INT,
- 'str' => function($input) { return strip_tags($input); },
+ 'str' => function($input)
+ {
+ return htmlspecialchars(strip_tags($input), ENT_QUOTES);
+ },
 'email' => FILTER_SANITIZE_EMAIL,
 'url' => FILTER_SANITIZE_URL,
 'enc' => FILTER_SANITIZE_ENCODED
diff --git a/e107_tests/tests/unit/e_parseTest.php b/e107_tests/tests/unit/e_parseTest.php
index 18aedb6ec..76f5b9e68 100644
--- a/e107_tests/tests/unit/e_parseTest.php
+++ b/e107_tests/tests/unit/e_parseTest.php
@@ -2589,7 +2589,22 @@ Your browser does not support the audio tag.
 }
+ /**
+ * e107 v0.6.0 requires strings to be passed around with quotation marks escaped for HTML as a way to prevent
+ * both SQL injection and cross-site scripting. Although {@see e_parse::toDB()} is supposed to do that, some
+ * usages, specifically {@see e_front_model::sanitizeValue()} call {@see e_parse::filter()} instead.
+ *
+ * @version 2.3.1
+ */
+ public function testFilterStr()
+ {
+ $input = "\"e107's\"";
+ $expected = ""e107's"";
+ $actual = $this->tp->filter($input, 'str');
+
+ $this->assertEquals($expected, $actual);
+ }
 public function testCleanHtml()
 {
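Review bot: The new `str` callback calls `htmlspecialchars()` with no encoding argument and without `ENT_SUBSTITUTE`, so when the input is not valid in the default charset the function returns an empty string and the value is silently dropped rather than rejected, and the default charset itself depends on the PHP version and `default_charset` ini setting. Pinning both avoids that: `return htmlspecialchars(strip_tags($input), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');` (assuming the project's PHP floor is 5.4 or later, which the `ENT_SUBSTITUTE` flag requires). It is also worth noting in a comment that this escapes `&`, `<` and `>` as well and leaves backslashes untouched, so the result is HTML-escaped, not SQL-escaped, which is exactly why the docblock's caveat about prepared statements matters. The `$filterTypes` array and the enclosing method continue outside the hunk.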
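Review bot: `testFilterStr()` pins a single input and checks it with `assertEquals`, which compares scalars loosely, so `$this->assertSame($expected, $actual);` would additionally catch a non-string return from `filter()`. A second case covering `&` and an already-encoded input such as `&amp;` would make the double-encoding behaviour of the new `str` filter an explicit expectation rather than an accident of the implementation. The docblock refers to "e107 v0.6.0" while the `@version` tag says 2.3.1; if v0.6.0 is meant as the historical origin of the escaping convention, a word saying so would avoid the reader taking it for a typo. The hunk appears to end at the opening brace of `testCleanHtml()`, whose body lies outside it.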