From 527960e1a4d8461a6600398641095a1bb6ecb17d Mon Sep 17 00:00:00 2001
From: Sandra Kuipers
Date: Sun, 19 May 2024 16:00:10 +0800
Subject: [PATCH] Revert "Forms: add input filtering for file paths to Validator class"
This reverts commit b2fd0a0b654cae6169a8c30a28b3916334bea12d.
---
 src/Data/Validator.php | 14 +++++++-------
 src/Forms/Input/FileUpload.php | 7 ++-----
 src/Services/Format.php | 6 +++---
 3 files changed, 12 insertions(+), 15 deletions(-)
diff --git a/src/Data/Validator.php b/src/Data/Validator.php
index c566d1ebeb..511a696bc2 100644
--- a/src/Data/Validator.php
+++ b/src/Data/Validator.php
@@ -80,8 +80,8 @@ public function sanitize($input, $allowableTags = [], $utf8_encode = true)
 // Check allowable fields for URLs
 foreach ($allowableTags as $field => $value) {
- if (is_string($value) && (strtoupper($value) == 'URL' || strtoupper($value) == 'PATH')) {
- $urls[$field] = strtoupper($value) == 'URL';
+ if (is_string($value) && strtoupper($value) == 'URL') {
+ $urls[$field] = $field;
 }
 }
@@ -98,10 +98,10 @@ public function sanitize($input, $allowableTags = [], $utf8_encode = true)
 $value = preg_replace('/[\x00-\x08\x0B\x0C\x0E-\x1F]/', '', $value);
 $value = preg_replace('/\\\\+0+/', '', $value);
- if (isset($urls[$field])) {
+ if (!empty($urls[$field])) {
 // Sanitize URL
- $value = $this->sanitizeUrl($value, $urls[$field]);
- } elseif (isset($allowableTags[$field])) {
+ $value = $this->sanitizeUrl($value);
+ } elseif (!empty($allowableTags[$field])) {
 // Sanitize HTML
 if (strtoupper($allowableTags[$field]) == 'RAW') {
 $output[$field] = $value;
@@ -194,7 +194,7 @@ public function sanitizeRichText($value)
 * @param string $url
 * @return string
 */
- public function sanitizeUrl($url, $protocol = true)
+ public function sanitizeUrl($url)
 {
 if ($url === '') return $url;
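Review bot: The second Validator.php hunk tests `!empty($urls[$field])` while the first hunk stores `$urls[$field] = $field`, so whether a field reaches sanitizeUrl() depends on the field name being truthy: a field keyed `'0'` would skip URL sanitization and drop into the `elseif` branch below. Storing `$urls[$field] = true;` and testing `if (isset($urls[$field])) {` removes that dependency, and the same applies to `!empty($allowableTags[$field])` on the next changed line. With the PATH branch gone, fields that carry file paths now pass through sanitize() with only the control-character strip on the two `preg_replace` lines above, and nothing in the code records that gap; a comment next to the `'URL'` check such as `// Path-valued fields are not URL-sanitized here (PATH handling reverted in b2fd0a0b654c)` would make it explicit. Both hunks also compare with `==`; `===` is the safer form for these string checks. sanitize() begins and ends outside these hunks.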
@@ -205,7 +205,7 @@ public function sanitizeUrl($url, $protocol = true)
 $url = str_replace("'", ''', $url);
 // If there is no protocol, add a default one
- if ($protocol && mb_stripos($url, '://') === false) {
+ if (mb_stripos($url, '://') === false) {
 $url = 'https://'.$url;
 }
diff --git a/src/Forms/Input/FileUpload.php b/src/Forms/Input/FileUpload.php
index 0a57e3d801..92e175b752 100644
--- a/src/Forms/Input/FileUpload.php
+++ b/src/Forms/Input/FileUpload.php
@@ -22,7 +22,6 @@ namespace Gibbon\Forms\Input;
 use Gibbon\Services\Format;
-use Gibbon\Data\Validator;
 /**
 * TextField
@@ -197,14 +196,12 @@ protected function getElement()
 foreach ($this->attachments as $attachmentName => $attachmentPath) {
- $attachmentPath = (new Validator(''))->sanitizeUrl($attachmentPath, false);
-
 if (!empty($attachmentPath)) {
 $output .= '
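Review bot: Dropping the `$protocol` parameter from sanitizeUrl() fails silently for any caller that still passes a second argument, because PHP ignores surplus arguments to user-defined functions; such a caller would now get `https://` prepended on the line `$url = 'https://'.$url;` with no warning. The FileUpload call site is removed in this same patch, but other callers are not visible here, so a grep for `sanitizeUrl(` across the tree before merging is warranted. sanitizeUrl() continues past the end of this hunk.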
';
 $output .= '
';
 $output .= __('Current attachment:').'
';
- $output .= ''.basename($attachmentPath).'';
+ $output .= ''.basename($attachmentPath).'';
 global $session;
 $absolutePath = $session->get('absolutePath');
@@ -214,7 +211,7 @@ protected function getElement()
 $output .= '
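Review bot: With the `sanitizeUrl($attachmentPath, false)` call removed, `$attachmentPath` reaches the `$output .=` lines of this hunk with no escaping visible between the `foreach` and its use, and `$this->attachments` is populated outside the hunk, so its trust level cannot be judged from here. The removed and added `basename($attachmentPath)` lines render identically in this diff because the HTML tags inside the string literals were stripped, so the actual change sits in markup this rendering does not show; wherever `$attachmentPath` is placed into an attribute it should go through `htmlspecialchars($attachmentPath, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')`, and the same check applies to the `$output .= ""` line in the @@ -214 hunk. getElement() begins before and ends after this hunk.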
';
- $output .= "";
+ $output .= "";
 if ($this->canDelete) {
 $attachmentNameEscaped = str_replace(['[', ']'], ['\\\\[', '\\\\]'], $attachmentName);
diff --git a/src/Services/Format.php b/src/Services/Format.php
index 2600fc8271..a8f9f7591c 100644
--- a/src/Services/Format.php
+++ b/src/Services/Format.php
@@ -892,13 +892,13 @@ public static function photo($path, $size = 75, $class = 'inline-block shadow bg
 $path = (string) $path;
 if (preg_match('/^http[s]*/', $path)) {
- return sprintf('', $class, urlencode($path));
+ return sprintf('', $class, $path);
 } else {
 if (empty($path) or file_exists(static::$settings['absolutePath'].'/'.$path) == false) {
 $path = '/themes/'.static::$settings['gibbonThemeName'].'/img/anonymous_240_square.jpg';
 }
- return sprintf('', $class, static::$settings['absoluteURL'].'/'.urlencode($path));
+ return sprintf('', $class, static::$settings['absoluteURL'].'/'.$path);
 }
 }
@@ -944,7 +944,7 @@ public static function userPhoto($path, $size = 75, $class = '')
 $path = '/themes/'.static::$settings['gibbonThemeName'].'/img/anonymous_'.$imageSize.'.jpg';
 }
- return sprintf('', $class, static::$settings['absoluteURL'].'/'.urlencode($path));
+ return sprintf('', $class, static::$settings['absoluteURL'].'/'.$path);
 }
 /**
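Review bot: Removing `urlencode($path)` from the two `sprintf` calls in photo(), and from the one in userPhoto() (the @@ -944 hunk), leaves `$path` concatenated into the format string with no escaping at all; the format strings are stripped in this rendering, but the `$class` argument and the function names indicate an HTML image tag, so `$path` now lands in an attribute raw. `urlencode()` was the wrong tool for a path — it turns `/` into `%2F` and spaces into `+`, which is presumably what prompted the revert — but the replacement should be context-appropriate rather than nothing: `htmlspecialchars($path, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')` for the attribute, and if percent-encoding is wanted, `implode('/', array_map('rawurlencode', explode('/', $path)))` per segment. The `file_exists(static::$settings['absolutePath'].'/'.$path)` check on the context line only tests existence and does not stand in for escaping, and the `preg_match('/^http[s]*/', $path)` branch performs no check at all. Both functions begin before their hunks.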