From 14248edc06eef8c3a094bc1d357af8a05f674e16 Mon Sep 17 00:00:00 2001
From: objecttothis <objecttothis@gmail.com>
Date: Tue, 21 May 2024 11:07:00 +0400
Subject: [PATCH] HTMLPurifier filtering

- Replaced == with === to avoid type juggling
- Removed unneeded TODO
- Added HTMLPurifier to composer.json
- Added Service to allow singleton instance of purifier.
- Implemented use in Customer Controller Search function.

Signed-off-by: objecttothis <objecttothis@gmail.com>
---
 app/Config/Services.php       | 20 +++++++++++
 app/Controllers/Customers.php |  2 +-
 app/Views/partial/header.php  | 57 +++++++++++++++++++++++++++++++
 app/Views/people/manage.php   |  2 +-
 composer.json                 |  1 +
 composer.lock                 | 63 ++++++++++++++++++++++++++++++++++-
 6 files changed, 142 insertions(+), 3 deletions(-)

diff --git a/app/Config/Services.php b/app/Config/Services.php
index df7c8ad08..8ababb302 100644
--- a/app/Config/Services.php
+++ b/app/Config/Services.php
@@ -3,6 +3,8 @@
 namespace Config;
 
 use CodeIgniter\Config\BaseService;
+use HTMLPurifier;
+use HTMLPurifier_Config;
 
 /**
  * Services Configuration file.
@@ -29,4 +31,22 @@ class Services extends BaseService
      *     return new \CodeIgniter\Example();
      * }
      */
+
+	private static $htmlPurifier;
+
+	public static function htmlPurifier($getShared = true)
+	{
+		if ($getShared)
+		{
+			return static::getSharedInstance('htmlPurifier');
+		}
+
+		if (!isset(static::$htmlPurifier))
+		{
+			$config = HTMLPurifier_Config::createDefault();
+			static::$htmlPurifier = new HTMLPurifier($config);
+		}
+
+		return static::$htmlPurifier;
+	}
 }
diff --git a/app/Controllers/Customers.php b/app/Controllers/Customers.php
index ef8deef35..54a1ac51b 100644
--- a/app/Controllers/Customers.php
+++ b/app/Controllers/Customers.php
@@ -87,7 +87,7 @@ class Customers extends Persons
 	 */
 	public function getSearch(): void
 	{
-		$search = $this->request->getGet('search', FILTER_SANITIZE_FULL_SPECIAL_CHARS);
+		$search = Services::htmlPurifier()->purify($this->request->getGet('search'));
 		$limit = $this->request->getGet('limit', FILTER_SANITIZE_NUMBER_INT);
 		$offset = $this->request->getGet('offset', FILTER_SANITIZE_NUMBER_INT);
 		$sort = $this->request->getGet('sort', FILTER_SANITIZE_FULL_SPECIAL_CHARS);
diff --git a/app/Views/partial/header.php b/app/Views/partial/header.php
index fb1b8a76d..55d683695 100644
--- a/app/Views/partial/header.php
+++ b/app/Views/partial/header.php
@@ -21,11 +21,66 @@ $request = Services::request();
 
 	<?php if (ENVIRONMENT == 'development' || get_cookie('debug') == 'true' || $request->getGet('debug') == 'true') : ?>
 		<!-- inject:debug:css -->
+		<link rel="stylesheet" href="resources/css/jquery-ui-fe010342cb.css">
+		<link rel="stylesheet" href="resources/css/bootstrap-dialog-1716ef6e7c.css">
+		<link rel="stylesheet" href="resources/css/jasny-bootstrap-40bf85f3ed.css">
+		<link rel="stylesheet" href="resources/css/bootstrap-datetimepicker-66374fba71.css">
+		<link rel="stylesheet" href="resources/css/bootstrap-select-66d5473b84.css">
+		<link rel="stylesheet" href="resources/css/bootstrap-table-b8cfc92b6f.css">
+		<link rel="stylesheet" href="resources/css/bootstrap-table-sticky-header-07d65e7533.css">
+		<link rel="stylesheet" href="resources/css/daterangepicker-85523b7dfe.css">
+		<link rel="stylesheet" href="resources/css/chartist-c19aedb81a.css">
+		<link rel="stylesheet" href="resources/css/chartist-plugin-tooltip-2e0ec92e60.css">
+		<link rel="stylesheet" href="resources/css/bootstrap-tagsinput-5a6d46a06c.css">
+		<link rel="stylesheet" href="resources/css/bootstrap-toggle-e12db6c1f3.css">
+		<link rel="stylesheet" href="resources/css/bootstrap-21011437af.autocomplete.css">
+		<link rel="stylesheet" href="resources/css/invoice-2ec9a31990.css">
+		<link rel="stylesheet" href="resources/css/ospos_print-ec2690e6fc.css">
+		<link rel="stylesheet" href="resources/css/ospos-5822271440.css">
+		<link rel="stylesheet" href="resources/css/popupbox-0db8527aa9.css">
+		<link rel="stylesheet" href="resources/css/receipt-ad2a5392c5.css">
+		<link rel="stylesheet" href="resources/css/register-517832340a.css">
+		<link rel="stylesheet" href="resources/css/reports-872a457221.css">
 		<!-- endinject -->
 		<!-- inject:debug:js -->
+		<script src="resources/js/jquery-12e87d2f3a.js"></script>
+		<script src="resources/js/jquery-4fa896f615.form.js"></script>
+		<script src="resources/js/jquery-a0350e8820.validate.js"></script>
+		<script src="resources/js/jquery-ui-cbc65ff85e.js"></script>
+		<script src="resources/js/bootstrap-894d79839f.js"></script>
+		<script src="resources/js/bootstrap-dialog-27123abb65.js"></script>
+		<script src="resources/js/jasny-bootstrap-7c6d7b8adf.js"></script>
+		<script src="resources/js/bootstrap-datetimepicker-25e39b7ef8.js"></script>
+		<script src="resources/js/bootstrap-select-b01896a67b.js"></script>
+		<script src="resources/js/bootstrap-table-94d3527d23.js"></script>
+		<script src="resources/js/bootstrap-table-export-00a4faa2f1.js"></script>
+		<script src="resources/js/bootstrap-table-mobile-5df5626d47.js"></script>
+		<script src="resources/js/bootstrap-table-sticky-header-e68e9836b4.js"></script>
+		<script src="resources/js/moment-d65dc6d2e6.min.js"></script>
+		<script src="resources/js/daterangepicker-048c56a690.js"></script>
+		<script src="resources/js/es6-promise-855125e6f5.js"></script>
+		<script src="resources/js/FileSaver-e73b1946e8.js"></script>
+		<script src="resources/js/html2canvas-e1d3a8d7cd.js"></script>
+		<script src="resources/js/jspdf-ff4663431d.umd.js"></script>
+		<script src="resources/js/jspdf-8ce85cc4b6.plugin.autotable.js"></script>
+		<script src="resources/js/tableExport-0df60917ca.min.js"></script>
+		<script src="resources/js/chartist-8a7ecb4445.js"></script>
+		<script src="resources/js/chartist-plugin-pointlabels-0a1ab6aa4e.js"></script>
+		<script src="resources/js/chartist-plugin-tooltip-116cb48831.js"></script>
+		<script src="resources/js/chartist-plugin-axistitle-80a1198058.js"></script>
+		<script src="resources/js/chartist-plugin-barlabels-4165273742.js"></script>
+		<script src="resources/js/bootstrap-notify-376bc6eb87.js"></script>
+		<script src="resources/js/js-fa93e8894e.cookie.js"></script>
+		<script src="resources/js/bootstrap-tagsinput-855a7c7670.js"></script>
+		<script src="resources/js/bootstrap-toggle-1c7a19a049.js"></script>
+		<script src="resources/js/clipboard-908af414ab.js"></script>
+		<script src="resources/js/imgpreview-140c57d0ea.full.jquery.js"></script>
+		<script src="resources/js/manage_tables-a3b0622cb7.js"></script>
+		<script src="resources/js/nominatim-60392bf22a.autocomplete.js"></script>
 		<!-- endinject -->
 	<?php else : ?>
 		<!--inject:prod:css -->
+		<link rel="stylesheet" href="resources/opensourcepos-da76bf05c6.min.css">
 		<!-- endinject -->
 
 		<!-- Tweaks to the UI for a particular theme should drop here  -->
@@ -33,6 +88,8 @@ $request = Services::request();
 		<link rel="stylesheet" type="text/css" href="<?= 'css/' . esc($config['theme']) . '.css' ?>"/>
 	<?php } ?>
 		<!-- inject:prod:js -->
+		<script src="resources/jquery-2c872dbe60.min.js"></script>
+		<script src="resources/opensourcepos-43589af889.min.js"></script>
 		<!-- endinject -->
 	<?php endif; ?>
 
diff --git a/app/Views/people/manage.php b/app/Views/people/manage.php
index 10a8a68d7..f5f5f1d9c 100644
--- a/app/Views/people/manage.php
+++ b/app/Views/people/manage.php
@@ -37,7 +37,7 @@ $(document).ready(function()
 
 <div id="title_bar" class="btn-toolbar">
 	<?php
-	if ($controller_name == 'customers')	//TODO: === ?
+	if ($controller_name === 'customers')
 	{
 	?>
 		<button class='btn btn-info btn-sm pull-right modal-dlg' data-btn-submit='<?= lang('Common.submit') ?>' data-href='<?= "$controller_name/csvImport" ?>'
diff --git a/composer.json b/composer.json
index 8aab5ad10..624be7d6d 100644
--- a/composer.json
+++ b/composer.json
@@ -34,6 +34,7 @@
 		"php": "~8.1",
 		"codeigniter4/framework": "4.5.1",
 		"dompdf/dompdf": "^2.0.3",
+		"ezyang/htmlpurifier": "^4.17",
 		"laminas/laminas-escaper": "2.13.0",
 		"paragonie/random_compat": "^2.0.21",
 		"picqer/php-barcode-generator": "^2.4.0",
diff --git a/composer.lock b/composer.lock
index 7f20fb39c..9f0d07a87 100644
--- a/composer.lock
+++ b/composer.lock
@@ -4,7 +4,7 @@
         "Read more about it at https://getcomposer.org/doc/01-basic-usage.md#installing-dependencies",
         "This file is @generated automatically"
     ],
-    "content-hash": "4bc1480937958901a4c2bfc628a37350",
+    "content-hash": "48000f60a64f943cd782a03d365d0fd6",
     "packages": [
         {
             "name": "codeigniter4/framework",
@@ -142,6 +142,67 @@
             },
             "time": "2023-12-12T20:19:39+00:00"
         },
+        {
+            "name": "ezyang/htmlpurifier",
+            "version": "v4.17.0",
+            "source": {
+                "type": "git",
+                "url": "https://github.com/ezyang/htmlpurifier.git",
+                "reference": "bbc513d79acf6691fa9cf10f192c90dd2957f18c"
+            },
+            "dist": {
+                "type": "zip",
+                "url": "https://api.github.com/repos/ezyang/htmlpurifier/zipball/bbc513d79acf6691fa9cf10f192c90dd2957f18c",
+                "reference": "bbc513d79acf6691fa9cf10f192c90dd2957f18c",
+                "shasum": ""
+            },
+            "require": {
+                "php": "~5.6.0 || ~7.0.0 || ~7.1.0 || ~7.2.0 || ~7.3.0 || ~7.4.0 || ~8.0.0 || ~8.1.0 || ~8.2.0 || ~8.3.0"
+            },
+            "require-dev": {
+                "cerdic/css-tidy": "^1.7 || ^2.0",
+                "simpletest/simpletest": "dev-master"
+            },
+            "suggest": {
+                "cerdic/css-tidy": "If you want to use the filter 'Filter.ExtractStyleBlocks'.",
+                "ext-bcmath": "Used for unit conversion and imagecrash protection",
+                "ext-iconv": "Converts text to and from non-UTF-8 encodings",
+                "ext-tidy": "Used for pretty-printing HTML"
+            },
+            "type": "library",
+            "autoload": {
+                "files": [
+                    "library/HTMLPurifier.composer.php"
+                ],
+                "psr-0": {
+                    "HTMLPurifier": "library/"
+                },
+                "exclude-from-classmap": [
+                    "/library/HTMLPurifier/Language/"
+                ]
+            },
+            "notification-url": "https://packagist.org/downloads/",
+            "license": [
+                "LGPL-2.1-or-later"
+            ],
+            "authors": [
+                {
+                    "name": "Edward Z. Yang",
+                    "email": "admin@htmlpurifier.org",
+                    "homepage": "http://ezyang.com"
+                }
+            ],
+            "description": "Standards compliant HTML filter written in PHP",
+            "homepage": "http://htmlpurifier.org/",
+            "keywords": [
+                "html"
+            ],
+            "support": {
+                "issues": "https://github.com/ezyang/htmlpurifier/issues",
+                "source": "https://github.com/ezyang/htmlpurifier/tree/v4.17.0"
+            },
+            "time": "2023-11-17T15:01:25+00:00"
+        },
         {
             "name": "laminas/laminas-escaper",
             "version": "2.13.0",