From 08c21fe7ca76ca1c762cff6cc43ff089d8c56f7c Mon Sep 17 00:00:00 2001 From: Genaro Contreras Gutierrez Date: Tue, 30 Jul 2019 08:29:17 -0700 Subject: [PATCH 1/4] Prevent XSS attack since function get_request The $preventXSS parameter was added to the get_request function to avoid XSS attacks. It was not set by default as $preventXSS=true, because it can affect fields such as passwords. Using "htmlspecialchars" and "addslashes" functions of PHP. --- lib/functions.php | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/lib/functions.php b/lib/functions.php index c7498ba..470fb3b 100644 --- a/lib/functions.php +++ b/lib/functions.php @@ -651,7 +651,7 @@ function error($msg,$type='note',$redirect=null,$fatal=false,$backtrace=false) { * * @return The form GET/REQUEST/SESSION/POST variable value or its default */ -function get_request($attr,$type='POST',$die=false,$default=null) { +function get_request($attr,$type='POST',$die=false,$default=null,$preventXSS=false) { switch($type) { case 'GET': $value = isset($_GET[$attr]) ? (is_array($_GET[$attr]) ? $_GET[$attr] : (empty($_GET['nodecode'][$attr]) ? rawurldecode($_GET[$attr]) : $_GET[$attr])) : $default; @@ -670,7 +670,7 @@ function get_request($attr,$type='POST',$die=false,$default=null) { $value = isset($_POST[$attr]) ? (is_array($_POST[$attr]) ? $_POST[$attr] : (empty($_POST['nodecode'][$attr]) ? rawurldecode($_POST[$attr]) : $_POST[$attr])) : $default; break; } - + if ($die && is_null($value)) system_message(array( 'title'=>_('Generic Error'), @@ -678,7 +678,8 @@ function get_request($attr,$type='POST',$die=false,$default=null) { basename($_SERVER['PHP_SELF']),get_request('cmd','REQUEST'),$attr,$type), 'type'=>'error'), 'index.php'); - + if(!is_null($value)) + $value = htmlspecialchars(addslashes($value), ENT_QUOTES, 'UTF-8'); return $value; } From 25cbb26e1dce74d1f0bd68b3db5c8923e5597092 Mon Sep 17 00:00:00 2001 
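Review bot: The new `$preventXSS` parameter added to the `get_request` signature in the first hunk is not described in the docblock that ends just above it with `@return`, so callers get no indication what the flag does or why it defaults to false. Add a line next to the existing `@return`: `@param boolean $preventXSS When true, the value is HTML-escaped before being returned; leave false for fields whose raw value must be preserved (e.g. passwords)`. The body of get_request continues past this hunk.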
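Review bot: `htmlspecialchars(addslashes($value), ENT_QUOTES, 'UTF-8')` at the end of get_request in the third hunk is applied to every non-null `$value`, yet the GET/POST branches in the first hunk deliberately hand back arrays untouched (`is_array($_GET[$attr]) ? $_GET[$attr] : ...`), and `addslashes()` does not accept an array, so any multi-valued form field now fails at this line. `addslashes()` is also not an HTML-context escape: it only inserts backslashes before quotes, which corrupts legitimate values such as names containing an apostrophe and adds no protection that `htmlspecialchars` with `ENT_QUOTES` does not already give; escaping for other sinks (LDAP filters, SQL) belongs at those sinks. Drop `addslashes` and walk arrays element-wise, e.g. `$value = is_array($value) ? array_map(function($v) { return htmlspecialchars($v, ENT_QUOTES, 'UTF-8'); }, $value) : htmlspecialchars($value, ENT_QUOTES, 'UTF-8');`. Patches 2 and 4 move this same expression into `preventXSS()`, which needs the same treatment. The start of get_request is outside this hunk.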
From: Genaro Contreras Gutierrez Date: Tue, 30 Jul 2019 08:38:14 -0700 Subject: [PATCH 2/4] update function get_request to preventXSS The XSS prevent function was created and used --- lib/functions.php | 15 +++++++++++---- 1 file changed, 11 insertions(+), 4 deletions(-) diff --git a/lib/functions.php b/lib/functions.php index 470fb3b..e698f42 100644 --- a/lib/functions.php +++ b/lib/functions.php @@ -675,15 +675,22 @@ function get_request($attr,$type='POST',$die=false,$default=null,$preventXSS=fal system_message(array( 'title'=>_('Generic Error'), 'body'=>sprintf('%s: Called "%s" without "%s" using "%s"', - basename($_SERVER['PHP_SELF']),get_request('cmd','REQUEST'),$attr,$type), + basename($_SERVER['PHP_SELF']),get_request('cmd','REQUEST'),preventXSS($attr),preventXSS($type)), 'type'=>'error'), 'index.php'); - if(!is_null($value)) - $value = htmlspecialchars(addslashes($value), ENT_QUOTES, 'UTF-8'); + if($preventXSS && !is_null($value)) + $value = preventXSS($value); return $value; } - /** +* Prevent XSS function +* +*/ +function preventXSS($value){ + return htmlspecialchars(addslashes($value), ENT_QUOTES, 'UTF-8'); +} + + * Record a system message. * This function can be used as an alternative to generate a system message, if page hasnt yet been defined. */ From c22c98c463b81cb51cc0ba460db5ca712939a3f0 Mon Sep 17 00:00:00 2001 From: Genaro Contreras Gutierrez Date: Tue, 30 Jul 2019 08:44:10 -0700 Subject: [PATCH 3/4] update get_request when an error occurs Example to use to prevent XSS attack from get_request get_request('cmd','REQUEST',false,null,true) --- lib/functions.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/functions.php b/lib/functions.php index e698f42..1f1e48c 100644 --- a/lib/functions.php +++ b/lib/functions.php 
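Review bot: The inserted `preventXSS()` block takes over the `/**` that opened the docblock of the following function: the context line `/**` now starts the `* Prevent XSS function` comment, which the added `*/` closes, so the unchanged ` * Record a system message.` and ` * This function can be used ...` lines after the two added blank lines are left outside any comment and PHP will reject the file there. Replace the second added blank line after `+}` with `+/**` so the `system_message` docblock is reopened. Patch 4 keeps this layout (it removes one blank line but does not restore the opener) and needs the same one-line fix. The `get_request` body this hunk edits begins outside the hunk.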
@@ -675,7 +675,7 @@ function get_request($attr,$type='POST',$die=false,$default=null,$preventXSS=fal system_message(array( 'title'=>_('Generic Error'), 'body'=>sprintf('%s: Called "%s" without "%s" using "%s"', - basename($_SERVER['PHP_SELF']),get_request('cmd','REQUEST'),preventXSS($attr),preventXSS($type)), + basename($_SERVER['PHP_SELF']),get_request('cmd','REQUEST',false,null,true),preventXSS($attr),preventXSS($type)), 'type'=>'error'), 'index.php'); if($preventXSS && !is_null($value)) From 0b10c30c798afcc0a9d3f02ebecd0f3ba2cf0652 Mon Sep 17 00:00:00 2001 From: Genaro Contreras Gutierrez Date: Tue, 30 Jul 2019 08:49:41 -0700 Subject: [PATCH 4/4] other usage of function preventXSS Other example of usage: preventXSS(get_request('cmd','REQUEST')) Additionally, the $ preventXSS parameter of the get_request function can set the default to true and in the specific fields set the parameter to false --- lib/functions.php | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/lib/functions.php b/lib/functions.php index 1f1e48c..6e223b1 100644 --- a/lib/functions.php +++ b/lib/functions.php @@ -683,14 +683,13 @@ function get_request($attr,$type='POST',$die=false,$default=null,$preventXSS=fal return $value; } /** -* Prevent XSS function -* +* Prevent XSS function. This function can usage has preventXSS(get_request('cmd','REQUEST')) +* Return valor escape XSS. */ function preventXSS($value){ return htmlspecialchars(addslashes($value), ENT_QUOTES, 'UTF-8'); } - * Record a system message. * This function can be used as an alternative to generate a system message, if page hasnt yet been defined. */
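Review bot: The rewritten docblock for `preventXSS` in the patch 4 hunk is hard to read (`This function can usage has ...`, `Return valor escape XSS.`) and still documents neither the parameter nor the return value, which matters now that this function is the single escaping point for request values. Reword it to a one-sentence purpose such as `Escape a request value for output in an HTML context.`, keep the usage example `preventXSS(get_request('cmd','REQUEST'))`, and add `@param` and `@return` lines stating the accepted input type and that the result has HTML special characters, including both quote styles, encoded. The function body is entirely within this hunk.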