XSS mitigation features (#4041)

* Remove HtmlPurifier calls - All calls to Services::htmlPurifier()->purify() removed from data received from view. - Bootstrap and bootswatch bump in package-lock.json Signed-off-by: objecttothis <objecttothis@gmail.com> * Pre-view filtering Items Controller - Refactored code for clarity - Created and called sanitization functions. - Sanitize TEXT type Attributes before being sent to the view. Signed-off-by: objecttothis <objecttothis@gmail.com> * Pre-view filtering Customers Controller - Refactored code for clarity - Replaced == with === operator to prevent type juggling - Added Sanitization of Customer data before being sent to the view Signed-off-by: objecttothis <objecttothis@gmail.com> * Bump bootstrap-table to 1.23.1 - Bump bootstrap-table to 1.23.1 in attempt to resolve issue with sticky headers - Sanitize attribute data in tables - Sanitize item data with controller function. Signed-off-by: objecttothis <objecttothis@gmail.com> * Pre-view filtering Items Controller - Refactored code for clarity - Created and called sanitization functions. - Sanitize TEXT type Attributes before being sent to the view. Signed-off-by: objecttothis <objecttothis@gmail.com> * Sanitize Item data - Sanitize category and item_number before display in forms. - refactor check in pic_filename for empty to be best practices compliant. - Added TODO Signed-off-by: objecttothis <objecttothis@gmail.com> * Minor changes - Refactored for code clarity. - Removed extra blank lines. - Minor reformatting. - Added PHPdocs - bumped bootstrap-table to 1.23.2 Signed-off-by: objecttothis <objecttothis@gmail.com> * Pre-view filtering Items Controller - Refactored code for clarity - Created and called sanitization functions. - Sanitize TEXT type Attributes before being sent to the view. Signed-off-by: objecttothis <objecttothis@gmail.com> * Sanitize Item data - Sanitize category and item_number before display in forms. - refactor check in pic_filename for empty to be best practices compliant. - Added TODO Signed-off-by: objecttothis <objecttothis@gmail.com> --------- Signed-off-by: objecttothis <objecttothis@gmail.com> Co-authored-by: objecttothis <objecttothis@gmail.com>
2026-04-04 07:12:48 -04:00 · 2024-08-26 09:35:56 +02:00
parent 402997f0da
commit f49d763254
25 changed files with 158 additions and 88 deletions
--- a/app/Controllers/Items.php
+++ b/app/Controllers/Items.php
@@ -94,7 +94,7 @@ class Items extends Secure_Controller
 	 **/
 	public function getSearch(): void
 	{
-		$search = Services::htmlPurifier()->purify($this->request->getGet('search'));
+		$search = $this->request->getGet('search');
 		$limit = $this->request->getGet('limit', FILTER_SANITIZE_NUMBER_INT);
 		$offset = $this->request->getGet('offset', FILTER_SANITIZE_NUMBER_INT);
 		$sort = $this->request->getGet('sort', FILTER_SANITIZE_FULL_SPECIAL_CHARS);
@@ -182,7 +182,7 @@ class Items extends Secure_Controller
 			'is_deleted' => $this->request->getPost('is_deleted') !== null
 		];

-		$search = Services::htmlPurifier()->purify($this->request->getPost('term'));
+		$search = $this->request->getPost('term');
 		$suggestions = $this->item->get_search_suggestions($search, $options);

 		echo json_encode($suggestions);
@@ -195,7 +195,7 @@ class Items extends Secure_Controller
 	 */
 	public function getSuggest(): void
 	{
-		$search = Services::htmlPurifier()->purify($this->request->getPost('term'));
+		$search = $this->request->getPost('term');
 		$suggestions = $this->item->get_search_suggestions($search, ['search_custom' => false, 'is_deleted' => false], true);

 		echo json_encode($suggestions);
@@ -267,7 +267,7 @@ class Items extends Secure_Controller
 	 * @param int $item_id
 	 * @return void
 	 */
-	public function getView(int $item_id = NEW_ENTRY): void	//TODO: Super long function.  Perhaps we need to refactor out some methods.
+	public function getView(int $item_id = NEW_ENTRY): void	//TODO: Long function. Perhaps we need to refactor out some methods.
 	{
 		// Set default values
 		if($item_id == null) $item_id = NEW_ENTRY;
@@ -277,8 +277,7 @@ class Items extends Secure_Controller
 			$data = [];
 		}

-		//allow_temp_items is set in the index function of items.php or sales.php
-		$data['allow_temp_item'] = $this->session->get('allow_temp_items');
+		$data['allow_temp_item'] = $this->session->get('allow_temp_items'); //allow_temp_items is set in the index function of items.php or sales.php
 		$data['item_tax_info'] = $this->item_taxes->get_info($item_id);
 		$data['default_tax_1_rate'] = '';
 		$data['default_tax_2_rate'] = '';
@@ -316,7 +315,7 @@ class Items extends Secure_Controller

 			$item_info->receiving_quantity = 1;
 			$item_info->reorder_level = 1;
-			$item_info->item_type = ITEM;	//Standard
+			$item_info->item_type = ITEM;    //Standard
 			$item_info->item_id = $item_id;
 			$item_info->stock_type = HAS_STOCK;
 			$item_info->tax_category_id = null;
@@ -328,7 +327,6 @@ class Items extends Secure_Controller
 				$item_info->tax_category_id = $this->config['default_tax_category'];
 			}
 		}
-
 		$data['standard_item_locked'] = (
 			$data['item_kit_disabled']
 			&& $item_info->item_type == ITEM_KIT
@@ -348,14 +346,9 @@ class Items extends Secure_Controller
 		$data['suppliers'] = $suppliers;
 		$data['selected_supplier'] = $item_info->supplier_id;

-		if($data['include_hsn'])	//TODO: Transform this to ternary notation
-		{
-			$data['hsn_code'] = $item_info->hsn_code;
-		}
-		else
-		{
-			$data['hsn_code'] = '';
-		}
+		$data['hsn_code'] = $data['include_hsn']
+			? $item_info->hsn_code
+			: '';

 		if($use_destination_based_tax)
 		{
@@ -428,7 +421,9 @@ class Items extends Secure_Controller
 			$data['selected_low_sell_item'] = '';
 		}

-		echo view('items/form', $data);
+		$sanitized_data = $this->sanitizeItemData($data);
+
+		echo view('items/form', $sanitized_data);
 	}

 	/**
@@ -555,7 +550,9 @@ class Items extends Secure_Controller
 			unset($data['definition_names'][$definition_id]);
 		}

-		echo view('attributes/item', $data);
+		$sanitized_data = $this->sanitizeAttributeData($data);
+
+		echo view('attributes/item', $sanitized_data);
 	}

 	/**
@@ -1443,4 +1440,40 @@ class Items extends Secure_Controller
 			}
 		}
 	}
+
+	/**
+	 * Sanitizes unsafe data prior to sending it to the view.
+	 * This is not meant to replace CI4 sanitization.
+	 *
+	 * @param array $data
+	 * @return array
+	 */
+	private function sanitizeItemData(array $data): array
+	{
+		$data['item_info']->category = Services::htmlPurifier()->purify($data['item_info']->category);
+		$data['item_info']->item_number = Services::htmlPurifier()->purify($data['item_info']->item_number);
+		$data['item_info']->description = Services::htmlPurifier()->purify($data['item_info']->description);
+
+		return $data;
+	}
+
+	/**
+	 * Sanitizes TEXT type attribute values to remove unsafe HTML tags and javascript.
+	 * This is not meant to replace CI4 sanitization.
+	 *
+	 * @param array $data Attribute data to sanitize.
+	 * @return array Sanitized Attribute data.
+	 */
+	private function sanitizeAttributeData(array $data): array
+	{
+		foreach($data['definition_values'] as $definition_id => &$definition_values)
+		{
+			if($definition_values['definition_type'] === 'TEXT')
+			{
+				$definition_values['attribute_value']->attribute_value = Services::htmlPurifier()->purify($definition_values['attribute_value']->attribute_value);
+			}
+		}
+
+		return $data;
+	}
 }