Prevent HTML code injection in e107::url()

Fixes: #4054 This is a better fix for #4054. HTML code injection can no longer occur in URLs generated by e107::url() thanks to htmlspecialchars(). The previous implementation only addressed: & => & Now, quotation marks and alligator brackets are also escaped, so: <a href=""></html>"></a> is now rendered as: <a href=""></html>"></a>
2025-03-14 01:19:44 +01:00 · 2020-01-14 23:54:34 +01:00 · 2020-01-14 23:54:34 +01:00 · 34047a2db3
commit 34047a2db3
parent 82b2da4c36
2 changed files with 36 additions and 8 deletions
--- a/e107_handlers/e107_class.php
+++ b/e107_handlers/e107_class.php
@ -3577,10 +3577,10 @@ class e107
 		// Append the query.
 		if (is_array($options['query']) && !empty($options['query']))
 		{
-			$sefUrl .= (strpos($sefUrl, '?') !== FALSE ? '&amp;' : '?') . self::httpBuildQuery($options['query']);
+			$sefUrl .= (strpos($sefUrl, '?') !== FALSE ? '&' : '?') . self::httpBuildQuery($options['query']);
 		}

-		return $sefUrl . $options['fragment'];
+		return htmlspecialchars($sefUrl . $options['fragment'], ENT_QUOTES, 'UTF-8');
 	}


@ -3652,7 +3652,7 @@ class e107
 			}
 		}

-		return implode('&amp;', $params);
+		return implode('&', $params);
 	}


--- a/e107_tests/tests/unit/e107Test.php
+++ b/e107_tests/tests/unit/e107Test.php
@ -791,8 +791,6 @@ class e107Test extends \Codeception\Test\Unit
 		$result = $obj::url('news','index', array(), array('mode'=>'full'));

 		$this->assertEquals("https://localhost/e107/news", $result);
-		
-
 	}

 	/**
@ -809,12 +807,42 @@ class e107Test extends \Codeception\Test\Unit
 			),
 		));
 		$this->assertEquals(
-			e_PLUGIN_ABS. 'forum/forum_viewtopic.php?f=post&amp;id=123',
+			e_PLUGIN_ABS . 'forum/forum_viewtopic.php?f=post&amp;id=123',
 			$url, "Generated href does not match expectation"
-			);
-
+		);
+	}

+	public function testUrlOptionQueryUrlEncoded()
+	{
+		$e107 = $this->e107;
+		$e107::getPlugin()->install('forum');
+		$url = $e107::url('forum', 'post', [], array(
+			'query' => array(
+				"didn't" => '<tag attr="such wow"></tag>',
+				'did' => 'much doge',
+			),
+		));
+		$this->assertEquals(
+			e_HTTP .
+			'forum/post/?didn%27t=%3Ctag%20attr%3D%22such%20wow%22%3E%3C/tag%3E&amp;did=much%20doge',
+			$url, "Generated href query string did not have expected URL encoding"
+		);
+	}

+	public function testUrlEscapesHtmlSpecialChars()
+	{
+		$e107 = $this->e107;
+		$e107::getPlugin()->install('forum');
+		$url = $e107::url('forum', 'forum', [
+			'forum_sef' => '<>',
+		], array(
+			'fragment' => 'Arts & Crafts <tag attr="can\'t inject here"></tag>'
+		));
+		$this->assertEquals(
+			e_HTTP .
+			'forum/&lt;&gt;/#Arts &amp; Crafts &lt;tag attr=&quot;can&#039;t inject here&quot;&gt;&lt;/tag&gt;',
+			$url, "Generated href did not prevent HTML tag injection as expected"
+		);
 	}
 	/*
 			public function testRedirect()