From a6b674e995b7dec0e286eca6736f59e8b62972f7 Mon Sep 17 00:00:00 2001
From: objecttothis
Date: Mon, 25 Mar 2024 18:52:36 +0400
Subject: [PATCH] Barcode & escaping
- Removed overflow-visible as it is not needed.
- Bumped TamTamChik/nameCase to latest.
- Workaround to prevent nameCase from capitalizing the first letter of html entities
- Autoload security_helper.php
- Develop means of escaping outputs without encoding characters we don't want encoded.
- proof of concept in form_basic_info.php
---
 app/Config/Autoload.php | 3 ++-
 app/Controllers/Persons.php | 9 ++++++---
 app/Helpers/security_helper.php | 12 ++++++++++++
 app/Libraries/Barcode_lib.php | 3 +--
 app/Models/Customer.php | 1 -
 app/Views/people/form_basic_info.php | 22 ++++++++++-----------
 composer.json | 2 +-
 composer.lock | 29 ++++++++++++++--------------
 8 files changed, 48 insertions(+), 33 deletions(-)
diff --git a/app/Config/Autoload.php b/app/Config/Autoload.php
index 1d198af68..fad34fb74 100644
--- a/app/Config/Autoload.php
+++ b/app/Config/Autoload.php
@@ -208,6 +208,7 @@ class Autoload extends AutoloadConfig
 'form',
 'cookie',
 'tabular',
- 'locale'
+ 'locale',
+ 'security'
 ];
 }
diff --git a/app/Controllers/Persons.php b/app/Controllers/Persons.php
index 603eee8bf..34290f308 100644
--- a/app/Controllers/Persons.php
+++ b/app/Controllers/Persons.php
@@ -3,7 +3,7 @@
 namespace App\Controllers;
 use App\Models\Person;
-use CodeIgniter\Model;
+use function \Tamtamchik\NameCase\str_name_case;
 abstract class Persons extends Secure_Controller
 {
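Review bot: The new import `use function \Tamtamchik\NameCase\str_name_case;` carries a leading backslash, which PSR-12 disallows in `use` declarations and which the file's other import (`use App\Models\Person;`) does not have; write it as `use function Tamtamchik\NameCase\str_name_case;`. The class declaration that opens at the end of the hunk continues outside it.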
@@ -59,8 +59,11 @@ abstract class Persons extends Secure_Controller
 *
 * returns John O'Grady-Smith
 */
- protected function nameize(string $string): string //TODO: The parameter should not be named $string. Should also think about renaming the function. The term is Proper Noun Capitalization, so perhaps something more reflective of that.
+ protected function nameize(string $input): string
 {
- return str_name_case($string);
+ $adjusted_name = str_name_case($input);
+
+ // Use preg_replace to match HTML entities and convert them to lowercase.
+ return preg_replace_callback('/&[a-zA-Z0-9#]+;/', function($matches) { return strtolower($matches[0]); }, $adjusted_name);
 }
 }
diff --git a/app/Helpers/security_helper.php b/app/Helpers/security_helper.php
index 18e6d5bc2..addc1f158 100644
--- a/app/Helpers/security_helper.php
+++ b/app/Helpers/security_helper.php
@@ -119,3 +119,15 @@ function remove_backup()
 }
 log_message('info', "File $backup_path has been removed");
 }
+
+function html_limited_decode(string $original, array $safe_characters): string
+{
+ $search = esc($safe_characters);
+ $replace = $safe_characters;
+ return str_replace($search, $replace, $original);
+}
+
+function esc_safe(string $input): string
+{
+ return htmlentities($input, ENT_QUOTES, 'UTF-8', false) === $input ? $input : esc($input);
+}
diff --git a/app/Libraries/Barcode_lib.php b/app/Libraries/Barcode_lib.php
index 5ee45ebd7..8c7dec635 100644
--- a/app/Libraries/Barcode_lib.php
+++ b/app/Libraries/Barcode_lib.php
@@ -4,7 +4,6 @@
 namespace App\Libraries;
 use Config\OSPOS;
 use Exception;
-use Picqer\Barcode\BarcodeGeneratorPNG;
 use Picqer\Barcode\BarcodeGeneratorSVG;
 /**
@@ -155,7 +154,7 @@ class Barcode_lib
 $display_table = '';
 $display_table .= '';
 $barcode = $this->generate_barcode($item, $barcode_config);
- $display_table .= '"; + $display_table .= '"; $display_table .= ''; $display_table .= ''; $display_table .= '
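Review bot: Lowercasing every match of `/&[a-zA-Z0-9#]+;/` in the new `nameize` is lossy, because named entities are case-sensitive: `&Eacute;` and `&eacute;` denote different characters, so the blanket `strtolower` changes data rather than only undoing what `str_name_case` capitalised. A safer shape is to decode the entities before calling `str_name_case` and re-encode afterwards, or to swap entities for placeholders around the call and put the originals back. `preg_replace_callback` also returns `null` on a PCRE error, which the `string` return type turns into a `TypeError`; `return preg_replace_callback(...) ?? $adjusted_name;` keeps the declared contract. The comment names the wrong function; something like `// Undo the capitalisation str_name_case applies to HTML entities (constructed example: &Amp; -> &amp;).` describes what the line does, and the closure can be the shorter `static fn ($m) => strtolower($m[0])`.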
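Review bot: `html_limited_decode` reverses escaping with a sequential `str_replace`, so the output of one substitution is the input of the next: with `$safe_characters = ['\'', '&', '"']` the escaped text `&amp;quot;` becomes `&quot;` and then a raw `"`, and every restored `"` or `&` re-opens the attribute and entity syntax that `esc()` had just neutralised. `return strtr($original, array_combine($search, $replace));` replaces in a single pass, and the helper should reject (or document as unsupported) anything other than `'`, which is the only one of these characters a double-quoted attribute value tolerates. `esc_safe` is inconsistent in a way callers cannot predict: `O&#039;Grady` is returned verbatim, but `O&#039;Grady <x>` takes the `esc()` branch and comes out as `O&amp;#039;Grady &lt;x&gt;`; if the intent is "escape without re-encoding entities already present", `htmlspecialchars($input, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8', false)` does that in one consistent step. Both functions need a docblock stating the output context they are safe for and that `$safe_characters` is a `list<string>` of single characters.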
' . $this->manage_display_layout($barcode_config['barcode_first_row'], $item, $barcode_config) . '
$barcode
$barcode
' . $this->manage_display_layout($barcode_config['barcode_second_row'], $item, $barcode_config) . '
' . $this->manage_display_layout($barcode_config['barcode_third_row'], $item, $barcode_config) . '
';
diff --git a/app/Models/Customer.php b/app/Models/Customer.php
index e48e4fafc..beacf6f8e 100644
--- a/app/Models/Customer.php
+++ b/app/Models/Customer.php
@@ -229,7 +229,6 @@ class Customer extends Person
 public function save_customer(array &$person_data, array &$customer_data, int $customer_id = NEW_ENTRY): bool
 {
 $success = false;
- $this->db->transStart();
 if(parent::save_value($person_data, $customer_id))
diff --git a/app/Views/people/form_basic_info.php b/app/Views/people/form_basic_info.php
index e258e83d8..01b90575a 100644
--- a/app/Views/people/form_basic_info.php
+++ b/app/Views/people/form_basic_info.php
@@ -11,7 +11,7 @@
 'name' => 'first_name',
 'id' => 'first_name',
 'class' => 'form-control input-sm',
- 'value' => esc(html_entity_decode($person_info->first_name))
+ 'value' => html_limited_decode(esc_safe($person_info->first_name), ['\''])
 ]) ?>
@@ -23,7 +23,7 @@
 'name' => 'last_name',
 'id' => 'last_name',
 'class' => 'form-control input-sm',
- 'value' => esc(html_entity_decode($person_info->last_name))
+ 'value' => html_limited_decode(esc_safe($person_info->last_name), ['\''])
 ]) ?>
@@ -62,7 +62,7 @@
 'name' => 'email',
 'id' => 'email',
 'class' => 'form-control input-sm',
- 'value' => $person_info->email
+ 'value' => esc($person_info->email)
 ]) ?>
@@ -77,7 +77,7 @@
 'name' => 'phone_number',
 'id' => 'phone_number',
 'class' => 'form-control input-sm',
- 'value' => esc(html_entity_decode($person_info->phone_number))
+ 'value' => esc($person_info->phone_number)
 ]) ?>
@@ -90,7 +90,7 @@
 'name' => 'address_1',
 'id' => 'address_1',
 'class' => 'form-control input-sm',
- 'value' => esc(html_entity_decode($person_info->address_1))
+ 'value' => esc($person_info->address_1)
 ]) ?>
@@ -102,7 +102,7 @@
 'name' => 'address_2',
 'id' => 'address_2',
 'class' => 'form-control input-sm',
- 'value' => esc(html_entity_decode($person_info->address_2))
+ 'value' => esc($person_info->address_2)
 ]) ?>
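Review bot: Without `$this->db->transStart()`, `save_customer` now runs `parent::save_value()` and the customer-table write that follows outside the hunk as independent statements, so a failure in the second no longer rolls back the first. If the matching `transComplete()` further down was kept — the hunk does not show it — CodeIgniter's `transCommit()` returns `false` at transaction depth 0 as far as I can tell, so the value assigned to `$success` may also be reported wrongly. The commit message does not mention this removal, so it may be accidental; either restore `$this->db->transStart();` or remove the whole transaction pairing deliberately and say why in a comment. The function body continues past the hunk.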
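Review bot: `html_limited_decode(esc_safe($person_info->first_name), ['\''])` (and the same expression for `last_name` in the next hunk) depends on two facts the view never states: that the apostrophe is the only character being restored, and that the `value` attribute is double-quoted so a raw `'` cannot end it. If `form_input()` — its opening line is outside the hunk — already runs `esc()` on `value`, as CodeIgniter 4's `parse_form_attributes()` does, then the pre-escaping here is redundant and every `&`, `<`, `>` or `"` still renders double-encoded (`&amp;amp;`), which is the same display problem the old `esc(html_entity_decode(...))` had; in that case the fix is `'value' => html_entity_decode($person_info->first_name)` with one escape in the helper, not an escape followed by a partial decode. Whichever layer is meant to own escaping, a one-line comment at the first field should say so, so that the fields that now use plain `esc()` (`email` through `address_2`) and the two that decode are reasoned about the same way.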
@@ -114,7 +114,7 @@
 'name' => 'city',
 'id' => 'city',
 'class' => 'form-control input-sm',
- 'value' => esc(html_entity_decode($person_info->city))
+ 'value' => html_limited_decode(esc($person_info->city), ['\''])
 ]) ?>
@@ -126,7 +126,7 @@
 'name' => 'state',
 'id' => 'state',
 'class' => 'form-control input-sm',
- 'value' => esc(html_entity_decode($person_info->state))
+ 'value' => esc($person_info->state)
 ]) ?>
@@ -138,7 +138,7 @@
 'name' => 'zip',
 'id' => 'postcode',
 'class' => 'form-control input-sm',
- 'value' => esc(html_entity_decode($person_info->zip))
+ 'value' => esc($person_info->zip)
 ]) ?>
@@ -150,7 +150,7 @@
 'name' => 'country',
 'id' => 'country',
 'class' => 'form-control input-sm',
- 'value' => esc(html_entity_decode($person_info->country))
+ 'value' => html_limited_decode(esc($person_info->country), ['\''])
 ]) ?>
@@ -162,7 +162,7 @@
 'name' => 'comments',
 'id' => 'comments',
 'class' => 'form-control input-sm',
- 'value' => esc(html_entity_decode($person_info->comments))
+ 'value' => html_limited_decode(esc($person_info->comments), ['\'', '&', '"'])
 ]) ?>
diff --git a/composer.json b/composer.json
index 0577681bb..641094761 100644
--- a/composer.json
+++ b/composer.json
@@ -30,7 +30,7 @@
 "paragonie/random_compat": "^2.0.21",
 "picqer/php-barcode-generator": "^2.4.0",
 "psr/log": "^1.1",
- "tamtamchik/namecase": "^1.0.6"
+ "tamtamchik/namecase": "^3.0.0"
 },
 "require-dev": {
 "codeigniter/coding-standard": "^1.7",
diff --git a/composer.lock b/composer.lock
index 227d0c334..3a85296d3 100644
--- a/composer.lock
+++ b/composer.lock
@@ -4,7 +4,7 @@
 "Read more about it at https://getcomposer.org/doc/01-basic-usage.md#installing-dependencies", "This file is @generated automatically" ], - "content-hash": "c3dab086db00c12326789bba4fc940d8", + "content-hash": "aa9d3e97f50d42618e1c9e4ae34eca4b", "packages": [ { "name": "codeigniter4/framework", 
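Review bot: For `comments`, restoring `&` and `"` after `esc()` puts a raw double quote back into a `value="..."` attribute for any stored comment that contains one, which ends the attribute unless the form helper escapes the value a second time — and if it does, the decode achieves nothing. Because `html_limited_decode` applies its replacements in sequence, a comment holding the literal text `&quot;` is affected as well (`&amp;quot;` → `&quot;` → `"`). `city` and `country` in the earlier hunks restore only `'`, which a double-quoted attribute tolerates; use the same list here, `html_limited_decode(esc($person_info->comments), ['\''])`, or simply `'value' => esc($person_info->comments)` as the other fields now do. The `form_input([` call that wraps these lines starts outside the hunk.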
@@ -620,36 +620,37 @@ }, { "name": "tamtamchik/namecase", - "version": "1.0.6", + "version": "3.0.0", "source": { "type": "git", "url": "https://github.com/tamtamchik/namecase.git", - "reference": "9e16fb72e99b42cc17e4994420c7ac591497682f" + "reference": "f963f321a3afbde83f1bb1bda1d53b848c7015dd" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/tamtamchik/namecase/zipball/9e16fb72e99b42cc17e4994420c7ac591497682f", - "reference": "9e16fb72e99b42cc17e4994420c7ac591497682f", + "url": "https://api.github.com/repos/tamtamchik/namecase/zipball/f963f321a3afbde83f1bb1bda1d53b848c7015dd", + "reference": "f963f321a3afbde83f1bb1bda1d53b848c7015dd", "shasum": "" }, "require": { "ext-mbstring": "*", - "php": ">=5.4.0" + "php": ">=7.3" }, "require-dev": { - "phpunit/phpunit": "4.*", - "scrutinizer/ocular": "1.*" + "phpunit/phpunit": "^9", + "scrutinizer/ocular": "^1" }, "type": "library", "extra": { "branch-alias": { - "dev-master": "2.0-dev", - "1.0.x": "1.0.x-dev" + "dev-master": "3.0-dev", + "2.x": "2.x-dev", + "1.x": "1.x-dev" } }, "autoload": { "files": [ - "src/functions.php" + "src/function.php" ], "psr-4": { "Tamtamchik\\NameCase\\": "src" @@ -663,7 +664,7 @@ { "name": "Yuri Tkachenko", "email": "yuri.tam.tkachenko@gmail.com", - "homepage": "http://tamtamchika.net" + "homepage": "https://tamtamchika.net" } ], "description": "This package allows you to convert names into the correct case where possible.", @@ -677,9 +678,9 @@ ], "support": { "issues": "https://github.com/tamtamchik/namecase/issues", - "source": "https://github.com/tamtamchik/namecase/tree/1.0.x" + "source": "https://github.com/tamtamchik/namecase/tree/3.0.0" }, - "time": "2020-03-05T09:03:13+00:00" + "time": "2023-01-26T15:07:18+00:00" } ], "packages-dev": [