Security: Use htmlspecialchars() for user input in Arguments class
authorPhilipp <admin@philipp.info>
Wed, 11 Jan 2023 22:09:40 +0000 (23:09 +0100)
committerPhilipp <admin@philipp.info>
Thu, 12 Jan 2023 19:24:39 +0000 (20:24 +0100)
src/App/Page.php
view/theme/frio/php/default.php

index 3c746ebccbe7d2e8861e5285709727e9634ceb03..a91d400ee88057d99b220f7e5a7f257b7e0c2b95 100644 (file)
@@ -73,6 +73,8 @@ class Page implements ArrayAccess
                'right_aside' => '',
                'template'    => '',
                'title'       => '',
+               'section'     => '',
+               'module'      => '',
        ];
        /**
         * @var string The basepath of the page
@@ -513,6 +515,11 @@ class Page implements ArrayAccess
 
                $page    = $this->page;
 
+               // add and escape some common but crucial content for direct "echo" in HTML (security)
+               $page['title']   = htmlspecialchars($page['title'] ?? '');
+               $page['section'] = htmlspecialchars($args->get(0) ?? 'generic');
+               $page['module']  = htmlspecialchars($args->getModuleName() ?? '');
+
                header("X-Friendica-Version: " . App::VERSION);
                header("Content-type: text/html; charset=utf-8");
 
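Review bot: The three `htmlspecialchars()` calls at the top of the hunk rely on the default flag set, which only escapes single quotes on PHP 8.1 and later, yet `$page['module']` and `$page['section']` are destined for HTML attribute context; pass the flags explicitly, e.g. `$page['module'] = htmlspecialchars($args->getModuleName() ?? '', ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');`, and likewise for the `title` and `section` lines, so the escaping does not depend on the interpreter version. The `?? 'generic'` fallback on the section line only fires if `Arguments::get()` returns null for a missing index; if it returns an empty-string default instead, the behaviour of the replaced `get(0, 'generic')` call is lost, which is worth confirming against the Arguments class. Escaping `$page['title']` here will double-encode any template that already escapes the title, so a comment such as `// templates must echo title/section/module without further escaping` would make the new contract explicit. The enclosing method starts and ends outside the hunk.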
index 336b52993546461697d1deb4515725370966ed2a..c6092393bdab5989bd93e2ce9785b2e166258f2b 100644 (file)
@@ -77,7 +77,7 @@ $is_singleuser_class = $is_singleuser ? "is-singleuser" : "is-not-singleuser";
 ?>
        </head>
 
-       <body id="top" class="mod-<?php echo DI::args()->getModuleName() . " " . $is_singleuser_class . " " . $view_mode_class;?>">
+       <body id="top" class="mod-<?php echo $page['module'] . " " . $is_singleuser_class . " " . $view_mode_class;?>">
                <a href="#content" class="sr-only sr-only-focusable"><?php echo DI::l10n()->t('Skip to main content'); ?></a>
 <?php
        if (!empty($page['nav']) && !$minimal) {
@@ -125,7 +125,7 @@ $is_singleuser_class = $is_singleuser ? "is-singleuser" : "is-not-singleuser";
 
                                        <div class="col-lg-7 col-md-7 col-sm-12 col-xs-12" id="content">
                                                <section class="sectiontop ';
-                                                       echo DI::args()->get(0, 'generic');
+                                                       echo $page['section'] ?? '';
                                                        echo '-content-wrapper">';
                                                        if (!empty($page['content'])) {
                                                                echo $page['content'];
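Review bot: The `?? ''` on the `echo $page['section']` line is redundant, because the hunk in src/App/Page.php initialises `'section' => ''` in the page defaults and the modified method assigns it unconditionally; `echo $page['section'];` suffices and matches the unguarded `$page['module']` echo earlier in this file. The `'generic'` fallback that the removed line supplied now lives in Page.php rather than in the template, so if this template is ever rendered without passing through that code path the wrapper class would degrade to `sectiontop -content-wrapper` — hedged, since the call path is not visible here. The surrounding HTML block continues beyond the hunk.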