From 0147918441a85263b770340567fcdea94bbee7e5 Mon Sep 17 00:00:00 2001
From: Sandra Kuipers
Date: Sun, 19 May 2024 14:49:56 +0800
Subject: [PATCH] Forms: apply input and output filtering to FileUpload fields
---
 modules/Data Updater/data_medicalProcess.php | 2 +-
 .../externalAssessment_manage_details_editProcess.php | 2 +-
 .../internalAssessment_manage_editProcess.php | 2 +-
 .../internalAssessment_write_dataProcess.php | 2 +-
 modules/Markbook/markbook_edit_dataProcess.php | 2 +-
 modules/Markbook/markbook_edit_editProcess.php | 2 +-
 modules/Planner/resources_manage_editProcess.php | 2 +-
 modules/Planner/units_editProcess.php | 2 +-
 modules/Reports/reporting_writeProcess.php | 3 ++-
 modules/Reports/reporting_write_byStudentProcess.php | 3 ++-
 .../School Admin/department_manage_editProcess.php | 2 +-
 modules/School Admin/house_manage.php | 2 +-
 modules/School Admin/house_manage_editProcess.php | 3 ++-
 modules/Staff/coverage_view_editProcess.php | 2 +-
 .../Staff/staff_manage_edit_contract_editProcess.php | 2 +-
 .../medicalForm_manage_condition_editProcess.php | 2 +-
 modules/System Admin/alarmProcess.php | 2 +-
 modules/System Admin/displaySettingsProcess.php | 2 +-
 modules/System Admin/systemSettingsProcess.php | 2 +-
 modules/User Admin/user_manage_editProcess.php | 2 +-
 src/Forms/CustomFieldHandler.php | 11 ++++++++++-
 src/Forms/PersonalDocumentHandler.php | 7 +++++--
 22 files changed, 38 insertions(+), 23 deletions(-)
diff --git a/modules/Data Updater/data_medicalProcess.php b/modules/Data Updater/data_medicalProcess.php
index 88ba75b142..5a2f8d2655 100644
--- a/modules/Data Updater/data_medicalProcess.php
+++ b/modules/Data Updater/data_medicalProcess.php
@@ -29,7 +29,7 @@
 require_once '../../gibbon.php';
-$_POST = $container->get(Validator::class)->sanitize($_POST);
+$_POST = $container->get(Validator::class)->sanitize($_POST, ['attachment*' => 'Path']);
 $gibbonPersonID = $_GET['gibbonPersonID'] ?? '';
 $address = $_POST['address'] ?? '';
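Review bot: The new `'attachment*' => 'Path'` rule passed to sanitize() relies on the Validator already knowing a `Path` rule, and the diffstat shows no change to the Validator class in this commit, so that support must come from an earlier change; it is worth confirming before merge, because an unrecognised rule name would leave these fields on whatever default the validator applies. The same point covers every other sanitize() hunk in this patch (the Formal Assessment, Markbook, Planner, School Admin, Staff, Students, System Admin and User Admin process files). Note also that this file and markbook_edit_dataProcess.php use the `attachment*` wildcard while the other files use exact keys such as `attachment`; if those two forms post several numbered attachment fields the wildcard is intended, otherwise an exact key is the tighter choice.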
diff --git a/modules/Formal Assessment/externalAssessment_manage_details_editProcess.php b/modules/Formal Assessment/externalAssessment_manage_details_editProcess.php
index fd7b92e178..760601c9e9 100644
--- a/modules/Formal Assessment/externalAssessment_manage_details_editProcess.php
+++ b/modules/Formal Assessment/externalAssessment_manage_details_editProcess.php
@@ -24,7 +24,7 @@
 require_once '../../gibbon.php';
-$_POST = $container->get(Validator::class)->sanitize($_POST);
+$_POST = $container->get(Validator::class)->sanitize($_POST, ['attachment' => 'Path']);
 $gibbonPersonID = $_POST['gibbonPersonID'] ?? '';
 $gibbonExternalAssessmentStudentID = $_POST['gibbonExternalAssessmentStudentID'] ?? '';
diff --git a/modules/Formal Assessment/internalAssessment_manage_editProcess.php b/modules/Formal Assessment/internalAssessment_manage_editProcess.php
index f16a296618..5d822cb67e 100644
--- a/modules/Formal Assessment/internalAssessment_manage_editProcess.php
+++ b/modules/Formal Assessment/internalAssessment_manage_editProcess.php
@@ -24,7 +24,7 @@
 require_once '../../gibbon.php';
-$_POST = $container->get(Validator::class)->sanitize($_POST);
+$_POST = $container->get(Validator::class)->sanitize($_POST, ['attachment' => 'Path']);
 $gibbonCourseClassID = $_GET['gibbonCourseClassID'] ?? '';
 $gibbonInternalAssessmentColumnID = $_GET['gibbonInternalAssessmentColumnID'] ?? '';
diff --git a/modules/Formal Assessment/internalAssessment_write_dataProcess.php b/modules/Formal Assessment/internalAssessment_write_dataProcess.php
index 9424fe6a25..f3fdde1694 100644
--- a/modules/Formal Assessment/internalAssessment_write_dataProcess.php
+++ b/modules/Formal Assessment/internalAssessment_write_dataProcess.php
@@ -24,7 +24,7 @@
 require_once '../../gibbon.php';
-$_POST = $container->get(Validator::class)->sanitize($_POST);
+$_POST = $container->get(Validator::class)->sanitize($_POST, ['attachment' => 'Path']);
 $gibbonCourseClassID = $_GET['gibbonCourseClassID'] ?? '';
 $gibbonInternalAssessmentColumnID = $_GET['gibbonInternalAssessmentColumnID'] ?? '';
diff --git a/modules/Markbook/markbook_edit_dataProcess.php b/modules/Markbook/markbook_edit_dataProcess.php
index 9b09c9fdc9..2d84f69931 100644
--- a/modules/Markbook/markbook_edit_dataProcess.php
+++ b/modules/Markbook/markbook_edit_dataProcess.php
@@ -26,7 +26,7 @@
 require_once '../../gibbon.php';
-$_POST = $container->get(Validator::class)->sanitize($_POST);
+$_POST = $container->get(Validator::class)->sanitize($_POST, ['attachment*' => 'Path']);
 $logGateway = $container->get(LogGateway::class);
 $settingGateway = $container->get(SettingGateway::class);
diff --git a/modules/Markbook/markbook_edit_editProcess.php b/modules/Markbook/markbook_edit_editProcess.php
index cf14a5206d..59fb08b8c7 100644
--- a/modules/Markbook/markbook_edit_editProcess.php
+++ b/modules/Markbook/markbook_edit_editProcess.php
@@ -25,7 +25,7 @@
 require_once '../../gibbon.php';
-$_POST = $container->get(Validator::class)->sanitize($_POST);
+$_POST = $container->get(Validator::class)->sanitize($_POST, ['attachment' => 'Path']);
 $settingGateway = $container->get(SettingGateway::class);
 $enableEffort = $settingGateway->getSettingByScope('Markbook', 'enableEffort');
diff --git a/modules/Planner/resources_manage_editProcess.php b/modules/Planner/resources_manage_editProcess.php
index 80d520d062..04e308b9b6 100644
--- a/modules/Planner/resources_manage_editProcess.php
+++ b/modules/Planner/resources_manage_editProcess.php
@@ -22,7 +22,7 @@
 require_once '../../gibbon.php';
-$_POST = $container->get(Validator::class)->sanitize($_POST, ['html' => 'HTML', 'link' => 'URL']);
+$_POST = $container->get(Validator::class)->sanitize($_POST, ['html' => 'HTML', 'link' => 'URL', 'content' => 'Path']);
 $gibbonResourceID = $_GET['gibbonResourceID'] ?? '';
 $URL = $session->get('absoluteURL').'/index.php?q=/modules/'.getModuleName($_POST['address'])."/resources_manage_edit.php&gibbonResourceID=$gibbonResourceID&search=".$_GET['search'];
diff --git a/modules/Planner/units_editProcess.php b/modules/Planner/units_editProcess.php
index cc687bb900..66c0810d49 100644
--- a/modules/Planner/units_editProcess.php
+++ b/modules/Planner/units_editProcess.php
@@ -24,7 +24,7 @@
 require_once '../../gibbon.php';
-$_POST = $container->get(Validator::class)->sanitize($_POST, ['details' => 'HTML', 'contents*' => 'HTML', 'teachersNotes*' => 'HTML']);
+$_POST = $container->get(Validator::class)->sanitize($_POST, ['details' => 'HTML', 'contents*' => 'HTML', 'teachersNotes*' => 'HTML', 'attachment' => 'Path']);
 $gibbonSchoolYearID = $_GET['gibbonSchoolYearID'] ?? '';
 $gibbonCourseID = $_GET['gibbonCourseID'] ?? '';
diff --git a/modules/Reports/reporting_writeProcess.php b/modules/Reports/reporting_writeProcess.php
index 7ecb4995a0..0556795ddf 100644
--- a/modules/Reports/reporting_writeProcess.php
+++ b/modules/Reports/reporting_writeProcess.php
@@ -55,6 +55,7 @@
 $reportingCriteriaGateway = $container->get(ReportingCriteriaGateway::class);
 $reportingAccessGateway = $container->get(ReportingAccessGateway::class);
 $fileUploader = $container->get(FileUploader::class);
+ $validator = $container->get(Validator::class);
 $values = $_POST['value'] ?? [];
@@ -119,7 +120,7 @@
 if (!empty($_FILES['file'.$gibbonReportingCriteriaID]['tmp_name'])) {
 $data['value'] = $fileUploader->uploadAndResizeImage($_FILES['file'.$gibbonReportingCriteriaID], 'reportFile', $criteriaOptions['imageSize'] ?? 1024, $criteriaOptions['imageQuality'] ?? 80);
 } else {
- $data['value'] = $value;
+ $data['value'] = $validator->sanitizeUrl($value, false);
 }
 } else {
 $data['value'] = $value;
diff --git a/modules/Reports/reporting_write_byStudentProcess.php b/modules/Reports/reporting_write_byStudentProcess.php
index 86abeb3ee9..048d259329 100644
--- a/modules/Reports/reporting_write_byStudentProcess.php
+++ b/modules/Reports/reporting_write_byStudentProcess.php
@@ -58,6 +58,7 @@
 $reportingCriteriaGateway = $container->get(ReportingCriteriaGateway::class);
 $reportingAccessGateway = $container->get(ReportingAccessGateway::class);
 $fileUploader = $container->get(FileUploader::class);
+ $validator = $container->get(Validator::class);
 $values = $_POST['value'] ?? [];
@@ -122,7 +123,7 @@
 if (!empty($_FILES['file'.$gibbonReportingCriteriaID]['tmp_name'])) {
 $data['value'] = $fileUploader->uploadAndResizeImage($_FILES['file'.$gibbonReportingCriteriaID], 'reportFile', $criteriaOptions['imageSize'] ?? 1024, $criteriaOptions['imageQuality'] ?? 80);
 } else {
- $data['value'] = $value;
+ $data['value'] = $validator->sanitizeUrl($value, false);
 }
 } else {
 $data['value'] = $value;
diff --git a/modules/School Admin/department_manage_editProcess.php b/modules/School Admin/department_manage_editProcess.php
index 3bb97a4319..4282175de9 100644
--- a/modules/School Admin/department_manage_editProcess.php
+++ b/modules/School Admin/department_manage_editProcess.php
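Review bot: In the no-new-upload branch the stored value becomes `$validator->sanitizeUrl($value, false)`, but `$value` is the client-posted current file path rather than a URL, and whether sanitizeUrl rejects path traversal or only strips URL-unsafe characters is not visible from this hunk. If the intent is "keep the file already on record", comparing the posted value against the stored record (or re-reading the stored path instead of trusting the posted one) is a stronger guard than character filtering alone. The bare `false` second argument also deserves a short comment or a named argument saying what it disables. The same construct appears in reporting_write_byStudentProcess.php at @@ -122, in CustomFieldHandler::getFieldValueFromPOST at @@ -228 and in PersonalDocumentHandler::updateDocumentsFromPOST at @@ -100; the enclosing loop and conditional here start outside the hunk.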
@@ -23,7 +23,7 @@
 require_once '../../gibbon.php';
-$_POST = $container->get(Validator::class)->sanitize($_POST, ['blurb' => 'HTML']);
+$_POST = $container->get(Validator::class)->sanitize($_POST, ['blurb' => 'HTML', 'logo' => 'Path']);
 $gibbonDepartmentID = $_GET['gibbonDepartmentID'] ?? '';
 $URL = $session->get('absoluteURL').'/index.php?q=/modules/'.getModuleName($_GET['address'])."/department_manage_edit.php&gibbonDepartmentID=$gibbonDepartmentID";
diff --git a/modules/School Admin/house_manage.php b/modules/School Admin/house_manage.php
index ef73b3d4ff..d36c3e9fbb 100644
--- a/modules/School Admin/house_manage.php
+++ b/modules/School Admin/house_manage.php
@@ -56,7 +56,7 @@
 ->notSortable()
 ->format(function($values) use ($session) {
 $return = null;
- $return .= ($values['logo'] != '') ? "":"get('gibbonThemeName')."/img/anonymous_240_square.jpg'/>";
+ $return .= ($values['logo'] != '') ? "":"get('gibbonThemeName')."/img/anonymous_240_square.jpg'/>";
 return $return;
 });
 $table->addColumn('name', __('Name'));
diff --git a/modules/School Admin/house_manage_editProcess.php b/modules/School Admin/house_manage_editProcess.php
index 97434460b0..9149f37eda 100644
--- a/modules/School Admin/house_manage_editProcess.php
+++ b/modules/School Admin/house_manage_editProcess.php
@@ -22,7 +22,8 @@
 require_once '../../gibbon.php';
-$_POST = $container->get(Validator::class)->sanitize($_POST);
+$_POST = $container->get(Validator::class)->sanitize($_POST, ['logo' => 'Path']);
+// $_POST = $container->get(Validator::class)->sanitize($_POST);
 $gibbonHouseID = $_GET['gibbonHouseID'] ?? '';
 $URL = $session->get('absoluteURL').'/index.php?q=/modules/'.getModuleName($_POST['address']).'/house_manage_edit.php&gibbonHouseID='.$gibbonHouseID;
diff --git a/modules/Staff/coverage_view_editProcess.php b/modules/Staff/coverage_view_editProcess.php
index 0fa2ec3aba..a81179b122 100644
--- a/modules/Staff/coverage_view_editProcess.php
+++ b/modules/Staff/coverage_view_editProcess.php
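Review bot: The added line `// $_POST = $container->get(Validator::class)->sanitize($_POST);` in house_manage_editProcess.php is commented-out code left over from the edit and should be dropped; the live sanitize() call immediately above it already supersedes it, and a stale unfiltered variant sitting next to the real one invites someone to re-enable it later. Every other sanitize() hunk in this patch replaces the old call cleanly, so this file is the only outlier.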
@@ -25,7 +25,7 @@
 require_once '../../gibbon.php';
-$_POST = $container->get(Validator::class)->sanitize($_POST, ['text' => 'HTML', 'link' => 'URL']);
+$_POST = $container->get(Validator::class)->sanitize($_POST, ['text' => 'HTML', 'link' => 'URL', 'attachment' => 'Path']);
 $gibbonStaffCoverageID = $_POST['gibbonStaffCoverageID'] ?? '';
diff --git a/modules/Staff/staff_manage_edit_contract_editProcess.php b/modules/Staff/staff_manage_edit_contract_editProcess.php
index aff30b1c1f..bf5f671197 100644
--- a/modules/Staff/staff_manage_edit_contract_editProcess.php
+++ b/modules/Staff/staff_manage_edit_contract_editProcess.php
@@ -24,7 +24,7 @@
 require_once '../../gibbon.php';
-$_POST = $container->get(Validator::class)->sanitize($_POST);
+$_POST = $container->get(Validator::class)->sanitize($_POST, ['contractUpload' => 'Path']);
 $gibbonStaffID = $_GET['gibbonStaffID'] ?? '';
 $gibbonStaffContractID = $_GET['gibbonStaffContractID'] ?? '';
diff --git a/modules/Students/medicalForm_manage_condition_editProcess.php b/modules/Students/medicalForm_manage_condition_editProcess.php
index ea7a2ea69d..319eb91f25 100644
--- a/modules/Students/medicalForm_manage_condition_editProcess.php
+++ b/modules/Students/medicalForm_manage_condition_editProcess.php
@@ -29,7 +29,7 @@
 require_once '../../gibbon.php';
-$_POST = $container->get(Validator::class)->sanitize($_POST);
+$_POST = $container->get(Validator::class)->sanitize($_POST, ['attachment' => 'Path']);
 $gibbonPersonMedicalID = $_GET['gibbonPersonMedicalID'] ?? '';
 $gibbonPersonMedicalConditionID = $_GET['gibbonPersonMedicalConditionID'] ?? '';
diff --git a/modules/System Admin/alarmProcess.php b/modules/System Admin/alarmProcess.php
index 61be04c41d..ba3629b94e 100644
--- a/modules/System Admin/alarmProcess.php
+++ b/modules/System Admin/alarmProcess.php
@@ -25,7 +25,7 @@
 require_once '../../gibbon.php';
-$_POST = $container->get(Validator::class)->sanitize($_POST);
+$_POST = $container->get(Validator::class)->sanitize($_POST, ['attachmentCurrent' => 'Path']);
 $URL = $session->get('absoluteURL').'/index.php?q=/modules/'.getModuleName($_POST['address']).'/alarm.php';
diff --git a/modules/System Admin/displaySettingsProcess.php b/modules/System Admin/displaySettingsProcess.php
index 517f901ab7..550397a9ea 100644
--- a/modules/System Admin/displaySettingsProcess.php
+++ b/modules/System Admin/displaySettingsProcess.php
@@ -25,7 +25,7 @@
 require_once '../../gibbon.php';
-$_POST = $container->get(Validator::class)->sanitize($_POST);
+$_POST = $container->get(Validator::class)->sanitize($_POST, ['organisationLogo' => 'Path', 'organisationBackground' => 'Path']);
 $URL = $session->get('absoluteURL').'/index.php?q=/modules/'.getModuleName($_POST['address']).'/displaySettings.php';
diff --git a/modules/System Admin/systemSettingsProcess.php b/modules/System Admin/systemSettingsProcess.php
index 48408a0d9d..d3266f20bf 100644
--- a/modules/System Admin/systemSettingsProcess.php
+++ b/modules/System Admin/systemSettingsProcess.php
@@ -25,7 +25,7 @@
 require_once '../../gibbon.php';
-$_POST = $container->get(Validator::class)->sanitize($_POST, ['indexText' => 'HTML', 'analytics' => 'RAW', 'emailLink' => 'URL', 'webLink' => 'URL']);
+$_POST = $container->get(Validator::class)->sanitize($_POST, ['indexText' => 'HTML', 'analytics' => 'RAW', 'emailLink' => 'URL', 'webLink' => 'URL', 'organisationLogo' => 'Path']);
 include '../../config.php'; // Module includes
diff --git a/modules/User Admin/user_manage_editProcess.php b/modules/User Admin/user_manage_editProcess.php
index 8f4603c29a..8f1dc552be 100644
--- a/modules/User Admin/user_manage_editProcess.php
+++ b/modules/User Admin/user_manage_editProcess.php
@@ -30,7 +30,7 @@
 require_once '../../gibbon.php';
-$_POST = $container->get(Validator::class)->sanitize($_POST, ['website' => 'URL']);
+$_POST = $container->get(Validator::class)->sanitize($_POST, ['website' => 'URL', 'attachment1' => 'Path']);
 //Module includes include './moduleFunctions.php';
diff --git a/src/Forms/CustomFieldHandler.php b/src/Forms/CustomFieldHandler.php
index 4f45e561ae..2d89b6984a 100644
--- a/src/Forms/CustomFieldHandler.php
+++ b/src/Forms/CustomFieldHandler.php
@@ -22,6 +22,7 @@
 namespace Gibbon\Forms;
 use Gibbon\FileUploader;
+use Gibbon\Data\Validator;
 use Gibbon\Services\Format;
 use Gibbon\Tables\DataTable;
 use Gibbon\Domain\System\CustomFieldGateway;
@@ -38,6 +39,11 @@ class CustomFieldHandler
 */
 protected $fileUploader;
+ /**
+ * @var \Gibbon\Validator
+ */
+ protected $validator;
+
 /**
 * @var string[][]
 */
@@ -53,10 +59,11 @@ class CustomFieldHandler
 */
 protected $headings;
-public function __construct(CustomFieldGateway $customFieldGateway, FileUploader $fileUploader)
+public function __construct(CustomFieldGateway $customFieldGateway, FileUploader $fileUploader, Validator $validator)
 {
 $this->customFieldGateway = $customFieldGateway;
 $this->fileUploader = $fileUploader;
+ $this->validator = $validator;
 $this->contexts = [
 __('User Admin') => [
@@ -228,6 +235,8 @@ public function getFieldValueFromPOST($fieldName, $fieldType)
 // Upload the file, return the /uploads relative path
 $fieldValue = $this->fileUploader->uploadFromPost($file, $fieldName);
+ } else {
+ $fieldValue = $this->validator->sanitizeUrl($fieldValue, false);
 }
 }
diff --git a/src/Forms/PersonalDocumentHandler.php b/src/Forms/PersonalDocumentHandler.php
index 098aa34662..f51cb1bb0b 100644
--- a/src/Forms/PersonalDocumentHandler.php
+++ b/src/Forms/PersonalDocumentHandler.php
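Review bot: The new property docblock in CustomFieldHandler at @@ -38 reads `@var \Gibbon\Validator`, but the class imported in the preceding hunk is `Gibbon\Data\Validator` and the constructor at @@ -53 type-hints that same class, so the annotation points at a name that does not match the injected type. It should read `@var \Gibbon\Data\Validator` (or simply `@var Validator`, since the import is now in scope) so static analysis and IDE navigation resolve to the right class. The rest of the class is outside these hunks.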
@@ -23,6 +23,7 @@
 use Gibbon\View\View;
 use Gibbon\FileUploader;
+use Gibbon\Data\Validator;
 use Gibbon\Services\Format;
 use Gibbon\Domain\System\SettingGateway;
 use Gibbon\Domain\User\PersonalDocumentGateway;
@@ -31,16 +32,18 @@ class PersonalDocumentHandler
 {
 protected $personalDocumentGateway;
 protected $fileUploader;
+ protected $validator;
 protected $settingGateway;
 protected $view;
 protected $documents;
 protected $fields;
-public function __construct(PersonalDocumentGateway $personalDocumentGateway, FileUploader $fileUploader, View $view, SettingGateway $settingGateway)
+public function __construct(PersonalDocumentGateway $personalDocumentGateway, FileUploader $fileUploader, Validator $validator, View $view, SettingGateway $settingGateway)
 {
 $this->personalDocumentGateway = $personalDocumentGateway;
 $this->fileUploader = $fileUploader;
+ $this->validator = $validator;
 $this->settingGateway = $settingGateway;
 $this->view = $view;
@@ -100,7 +103,7 @@ public function updateDocumentsFromPOST($foreignTable = null, $foreignTableID =
 $personalDocumentFail = true;
 }
 } else {
- $data[$field] = $attachment;
+ $data[$field] = $this->validator->sanitizeUrl($attachment, false);
 }
 } else {
 // Handle all other data
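Review bot: Inserting `Validator $validator` as the third constructor parameter in PersonalDocumentHandler, between `$fileUploader` and `$view`, changes the positional order for any code that instantiates the class directly; container autowiring would presumably be unaffected, but a direct `new PersonalDocumentHandler(...)` call elsewhere would now pass a View where a Validator is expected and fail on the type hint. Appending the new parameter last, or grepping for direct constructions before merge, avoids the surprise. The `$data[$field]` change at @@ -100 sits inside updateDocumentsFromPOST, whose start and the origin of `$attachment` are outside the hunk.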