Forms: apply input and output filtering to FileUpload fields

modules/Data Updater/data_medicalProcess.php

@@ -29,7 +29,7 @@
 
 require_once '../../gibbon.php';
 
-$_POST = $container->get(Validator::class)->sanitize($_POST);
+$_POST = $container->get(Validator::class)->sanitize($_POST, ['attachment*' => 'Path']);
 
 $gibbonPersonID = $_GET['gibbonPersonID'] ?? '';
 $address = $_POST['address'] ?? '';

modules/Formal Assessment/externalAssessment_manage_details_editProcess.php

@@ -24,7 +24,7 @@
 
 require_once '../../gibbon.php';
 
-$_POST = $container->get(Validator::class)->sanitize($_POST);
+$_POST = $container->get(Validator::class)->sanitize($_POST, ['attachment' => 'Path']);
 
 $gibbonPersonID = $_POST['gibbonPersonID'] ?? '';
 $gibbonExternalAssessmentStudentID = $_POST['gibbonExternalAssessmentStudentID'] ?? '';

modules/Formal Assessment/internalAssessment_manage_editProcess.php

@@ -24,7 +24,7 @@
 
 require_once '../../gibbon.php';
 
-$_POST = $container->get(Validator::class)->sanitize($_POST);
+$_POST = $container->get(Validator::class)->sanitize($_POST, ['attachment' => 'Path']);
 
 $gibbonCourseClassID = $_GET['gibbonCourseClassID'] ?? '';
 $gibbonInternalAssessmentColumnID = $_GET['gibbonInternalAssessmentColumnID'] ?? '';

modules/Formal Assessment/internalAssessment_write_dataProcess.php

@@ -24,7 +24,7 @@
 
 require_once '../../gibbon.php';
 
-$_POST = $container->get(Validator::class)->sanitize($_POST);
+$_POST = $container->get(Validator::class)->sanitize($_POST, ['attachment' => 'Path']);
 
 $gibbonCourseClassID = $_GET['gibbonCourseClassID'] ?? '';
 $gibbonInternalAssessmentColumnID = $_GET['gibbonInternalAssessmentColumnID'] ?? '';

modules/Markbook/markbook_edit_dataProcess.php

@@ -26,7 +26,7 @@
 
 require_once '../../gibbon.php';
 
-$_POST = $container->get(Validator::class)->sanitize($_POST);
+$_POST = $container->get(Validator::class)->sanitize($_POST, ['attachment*' => 'Path']);
 
 $logGateway = $container->get(LogGateway::class);
 $settingGateway = $container->get(SettingGateway::class);

modules/Markbook/markbook_edit_editProcess.php

@@ -25,7 +25,7 @@
 
 require_once '../../gibbon.php';
 
-$_POST = $container->get(Validator::class)->sanitize($_POST);
+$_POST = $container->get(Validator::class)->sanitize($_POST, ['attachment' => 'Path']);
 
 $settingGateway = $container->get(SettingGateway::class);
 $enableEffort = $settingGateway->getSettingByScope('Markbook', 'enableEffort');

modules/Planner/resources_manage_editProcess.php

@@ -22,7 +22,7 @@
 
 require_once '../../gibbon.php';
 
-$_POST = $container->get(Validator::class)->sanitize($_POST, ['html' => 'HTML', 'link' => 'URL']);
+$_POST = $container->get(Validator::class)->sanitize($_POST, ['html' => 'HTML', 'link' => 'URL', 'content' => 'Path']);
 
 $gibbonResourceID = $_GET['gibbonResourceID'] ?? '';
 $URL = $session->get('absoluteURL').'/index.php?q=/modules/'.getModuleName($_POST['address'])."/resources_manage_edit.php&gibbonResourceID=$gibbonResourceID&search=".$_GET['search'];

modules/Planner/units_editProcess.php

@@ -24,7 +24,7 @@
 
 require_once '../../gibbon.php';
 
-$_POST = $container->get(Validator::class)->sanitize($_POST, ['details' => 'HTML', 'contents*' => 'HTML', 'teachersNotes*' => 'HTML']);
+$_POST = $container->get(Validator::class)->sanitize($_POST, ['details' => 'HTML', 'contents*' => 'HTML', 'teachersNotes*' => 'HTML', 'attachment' => 'Path']);
 
 $gibbonSchoolYearID = $_GET['gibbonSchoolYearID'] ?? '';
 $gibbonCourseID = $_GET['gibbonCourseID'] ?? '';

modules/Reports/reporting_writeProcess.php

@@ -55,6 +55,7 @@
     $reportingCriteriaGateway = $container->get(ReportingCriteriaGateway::class);
     $reportingAccessGateway = $container->get(ReportingAccessGateway::class);
     $fileUploader = $container->get(FileUploader::class);
+    $validator = $container->get(Validator::class);
 
     $values = $_POST['value'] ?? [];
 
@@ -119,7 +120,7 @@
             if (!empty($_FILES['file'.$gibbonReportingCriteriaID]['tmp_name'])) {
                 $data['value'] = $fileUploader->uploadAndResizeImage($_FILES['file'.$gibbonReportingCriteriaID], 'reportFile', $criteriaOptions['imageSize'] ?? 1024, $criteriaOptions['imageQuality'] ?? 80);
             } else {
-                $data['value'] = $value;
+                $data['value'] = $validator->sanitizeUrl($value, false);
             }
         } else {
             $data['value'] = $value;

modules/Reports/reporting_write_byStudentProcess.php

@@ -58,6 +58,7 @@
     $reportingCriteriaGateway = $container->get(ReportingCriteriaGateway::class);
     $reportingAccessGateway = $container->get(ReportingAccessGateway::class);
     $fileUploader = $container->get(FileUploader::class);
+    $validator = $container->get(Validator::class);
 
     $values = $_POST['value'] ?? [];
 
@@ -122,7 +123,7 @@
             if (!empty($_FILES['file'.$gibbonReportingCriteriaID]['tmp_name'])) {
                 $data['value'] = $fileUploader->uploadAndResizeImage($_FILES['file'.$gibbonReportingCriteriaID], 'reportFile', $criteriaOptions['imageSize'] ?? 1024, $criteriaOptions['imageQuality'] ?? 80);
             } else {
-                $data['value'] = $value;
+                $data['value'] = $validator->sanitizeUrl($value, false);
             }
         } else {
             $data['value'] = $value;

modules/School Admin/department_manage_editProcess.php

@@ -23,7 +23,7 @@
 
 require_once '../../gibbon.php';
 
-$_POST = $container->get(Validator::class)->sanitize($_POST, ['blurb' => 'HTML']);
+$_POST = $container->get(Validator::class)->sanitize($_POST, ['blurb' => 'HTML', 'logo' => 'Path']);
 
 $gibbonDepartmentID = $_GET['gibbonDepartmentID'] ?? '';
 $URL = $session->get('absoluteURL').'/index.php?q=/modules/'.getModuleName($_GET['address'])."/department_manage_edit.php&gibbonDepartmentID=$gibbonDepartmentID";

modules/School Admin/house_manage.php

@@ -56,7 +56,7 @@
     ->notSortable()
     ->format(function($values) use ($session) {
         $return = null;
-        $return .= ($values['logo'] != '') ? "<img class='user' style='max-width: 75px' src='".$session->get('absoluteURL').'/'.$values['logo']."'/>":"<img class='user' style='max-width: 75px' src='".$session->get('absoluteURL').'/themes/'.$session->get('gibbonThemeName')."/img/anonymous_240_square.jpg'/>";
+        $return .= ($values['logo'] != '') ? "<img class='user' style='max-width: 75px' src='".$session->get('absoluteURL').'/'.urlencode($values['logo'])."'/>":"<img class='user' style='max-width: 75px' src='".$session->get('absoluteURL').'/themes/'.$session->get('gibbonThemeName')."/img/anonymous_240_square.jpg'/>";
         return $return;
     });
     $table->addColumn('name', __('Name'));

modules/School Admin/house_manage_editProcess.php

@@ -22,7 +22,8 @@
 
 require_once '../../gibbon.php';
 
-$_POST = $container->get(Validator::class)->sanitize($_POST);
+$_POST = $container->get(Validator::class)->sanitize($_POST, ['logo' => 'Path']);
+// $_POST = $container->get(Validator::class)->sanitize($_POST);
 
 $gibbonHouseID = $_GET['gibbonHouseID'] ?? '';
 $URL = $session->get('absoluteURL').'/index.php?q=/modules/'.getModuleName($_POST['address']).'/house_manage_edit.php&gibbonHouseID='.$gibbonHouseID;

modules/Staff/coverage_view_editProcess.php

@@ -25,7 +25,7 @@
 
 require_once '../../gibbon.php';
 
-$_POST = $container->get(Validator::class)->sanitize($_POST, ['text' => 'HTML', 'link' => 'URL']);
+$_POST = $container->get(Validator::class)->sanitize($_POST, ['text' => 'HTML', 'link' => 'URL', 'attachment' => 'Path']);
 
 $gibbonStaffCoverageID = $_POST['gibbonStaffCoverageID'] ?? '';
 

modules/Staff/staff_manage_edit_contract_editProcess.php

@@ -24,7 +24,7 @@
 
 require_once '../../gibbon.php';
 
-$_POST = $container->get(Validator::class)->sanitize($_POST);
+$_POST = $container->get(Validator::class)->sanitize($_POST, ['contractUpload' => 'Path']);
 
 $gibbonStaffID = $_GET['gibbonStaffID'] ?? '';
 $gibbonStaffContractID = $_GET['gibbonStaffContractID'] ?? '';

modules/Students/medicalForm_manage_condition_editProcess.php

@@ -29,7 +29,7 @@
 
 require_once '../../gibbon.php';
 
-$_POST = $container->get(Validator::class)->sanitize($_POST);
+$_POST = $container->get(Validator::class)->sanitize($_POST, ['attachment' => 'Path']);
 
 $gibbonPersonMedicalID = $_GET['gibbonPersonMedicalID'] ?? '';
 $gibbonPersonMedicalConditionID = $_GET['gibbonPersonMedicalConditionID'] ?? '';

modules/System Admin/alarmProcess.php

@@ -25,7 +25,7 @@
 
 require_once '../../gibbon.php';
 
-$_POST = $container->get(Validator::class)->sanitize($_POST);
+$_POST = $container->get(Validator::class)->sanitize($_POST, ['attachmentCurrent' => 'Path']);
 
 $URL = $session->get('absoluteURL').'/index.php?q=/modules/'.getModuleName($_POST['address']).'/alarm.php';
 

modules/System Admin/displaySettingsProcess.php

@@ -25,7 +25,7 @@
 
 require_once '../../gibbon.php';
 
-$_POST = $container->get(Validator::class)->sanitize($_POST);
+$_POST = $container->get(Validator::class)->sanitize($_POST, ['organisationLogo' => 'Path', 'organisationBackground' => 'Path']);
 
 $URL = $session->get('absoluteURL').'/index.php?q=/modules/'.getModuleName($_POST['address']).'/displaySettings.php';
 

modules/System Admin/systemSettingsProcess.php

@@ -25,7 +25,7 @@
 
 require_once '../../gibbon.php';
 
-$_POST = $container->get(Validator::class)->sanitize($_POST, ['indexText' => 'HTML', 'analytics' => 'RAW', 'emailLink' => 'URL', 'webLink' => 'URL']);
+$_POST = $container->get(Validator::class)->sanitize($_POST, ['indexText' => 'HTML', 'analytics' => 'RAW', 'emailLink' => 'URL', 'webLink' => 'URL', 'organisationLogo' => 'Path']);
 include '../../config.php';
 
 // Module includes

modules/User Admin/user_manage_editProcess.php

@@ -30,7 +30,7 @@
 
 require_once '../../gibbon.php';
 
-$_POST = $container->get(Validator::class)->sanitize($_POST, ['website' => 'URL']);
+$_POST = $container->get(Validator::class)->sanitize($_POST, ['website' => 'URL', 'attachment1' => 'Path']);
 
 //Module includes
 include './moduleFunctions.php';

src/Forms/CustomFieldHandler.php

@@ -22,6 +22,7 @@
 namespace Gibbon\Forms;
 
 use Gibbon\FileUploader;
+use Gibbon\Data\Validator;
 use Gibbon\Services\Format;
 use Gibbon\Tables\DataTable;
 use Gibbon\Domain\System\CustomFieldGateway;
@@ -38,6 +39,11 @@ class CustomFieldHandler
      */
     protected $fileUploader;
 
+    /**
+     * @var \Gibbon\Validator
+     */
+    protected $validator;
+
     /**
      * @var string[][]
      */
@@ -53,10 +59,11 @@ class CustomFieldHandler
      */
     protected $headings;
 
-    public function __construct(CustomFieldGateway $customFieldGateway, FileUploader $fileUploader)
+    public function __construct(CustomFieldGateway $customFieldGateway, FileUploader $fileUploader, Validator $validator)
     {
         $this->customFieldGateway = $customFieldGateway;
         $this->fileUploader = $fileUploader;
+        $this->validator = $validator;
 
         $this->contexts = [
             __('User Admin') => [
@@ -228,6 +235,8 @@ public function getFieldValueFromPOST($fieldName, $fieldType)
 
                 // Upload the file, return the /uploads relative path
                 $fieldValue = $this->fileUploader->uploadFromPost($file, $fieldName);
+            } else {
+                $fieldValue = $this->validator->sanitizeUrl($fieldValue, false);
             }
         }
 

src/Forms/PersonalDocumentHandler.php

@@ -23,6 +23,7 @@
 
 use Gibbon\View\View;
 use Gibbon\FileUploader;
+use Gibbon\Data\Validator;
 use Gibbon\Services\Format;
 use Gibbon\Domain\System\SettingGateway;
 use Gibbon\Domain\User\PersonalDocumentGateway;
@@ -31,16 +32,18 @@ class PersonalDocumentHandler
 {
     protected $personalDocumentGateway;
     protected $fileUploader;
+    protected $validator;
     protected $settingGateway;
     protected $view;
 
     protected $documents;
     protected $fields;
 
-    public function __construct(PersonalDocumentGateway $personalDocumentGateway, FileUploader $fileUploader, View $view, SettingGateway $settingGateway)
+    public function __construct(PersonalDocumentGateway $personalDocumentGateway, FileUploader $fileUploader, Validator $validator, View $view, SettingGateway $settingGateway)
     {
         $this->personalDocumentGateway = $personalDocumentGateway;
         $this->fileUploader = $fileUploader;
+        $this->validator = $validator;
         $this->settingGateway = $settingGateway;
         $this->view = $view;
 
@@ -100,7 +103,7 @@ public function updateDocumentsFromPOST($foreignTable = null, $foreignTableID =
                             $personalDocumentFail = true;
                         }
                     } else {
-                        $data[$field] = $attachment;
+                        $data[$field] = $this->validator->sanitizeUrl($attachment, false);
                     }
                 } else {
                     // Handle all other data