Security: Use htmlspecialchars() for user input in Arguments class
authorPhilipp <admin@philipp.info>
Wed, 11 Jan 2023 22:09:40 +0000 (23:09 +0100)
committerHypolite Petovan <hypolite@mrpetovan.com>
Fri, 13 Jan 2023 14:23:16 +0000 (09:23 -0500)
src/App/Page.php
view/theme/frio/php/default.php

index 37141426c36a269f05c65564d515e10229ed2297..6317214b4fdb08a48fd798e6f4bded15341755d5 100644 (file)
@@ -73,6 +73,8 @@ class Page implements ArrayAccess
                'right_aside' => '',
                'template'    => '',
                'title'       => '',
+               'section'     => '',
+               'module'      => '',
        ];
        /**
         * @var string The basepath of the page
@@ -509,6 +511,11 @@ class Page implements ArrayAccess
 
                $page    = $this->page;
 
+               // add and escape some common but crucial content for direct "echo" in HTML (security)
+               $page['title']   = htmlspecialchars($page['title'] ?? '');
+               $page['section'] = htmlspecialchars($args->get(0) ?? 'generic');
+               $page['module']  = htmlspecialchars($args->getModuleName() ?? '');
+
                header("X-Friendica-Version: " . App::VERSION);
                header("Content-type: text/html; charset=utf-8");
 
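Review bot: The `?? 'generic'` on the section line never fires if `$args->get(0)` returns a string default for a missing position rather than `null`, which the removed template call `DI::args()->get(0, 'generic')` in the frio hunk below suggests it does (the method takes a default argument); the section would then become `''` and the wrapper class in that later hunk degrades from `generic-content-wrapper` to `-content-wrapper`. Passing the default through the method instead keeps the old behaviour: `$page['section'] = htmlspecialchars($args->get(0, 'generic'));`. Separately, `htmlspecialchars()` is called without flags on all three lines, so the quote-escaping behaviour depends on the PHP version (single quotes are only escaped by default from 8.1, and invalid UTF-8 yields an empty string without `ENT_SUBSTITUTE`); passing `ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'` explicitly makes the output safe in single-quoted attribute contexts as well. The enclosing method starts and ends outside the hunk, so whether `$args` is the Arguments instance it already receives cannot be confirmed here.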
index d0580373e0b16ff211030d1983796bcfc2c6bec5..0c6dd3934f64fdabe3a4b01ddae0e41258c9d951 100644 (file)
@@ -77,7 +77,7 @@ $is_singleuser_class = $is_singleuser ? "is-singleuser" : "is-not-singleuser";
 ?>
        </head>
 
-       <body id="top" class="mod-<?php echo DI::args()->getModuleName() . " " . $is_singleuser_class . " " . $view_mode_class;?>">
+       <body id="top" class="mod-<?php echo $page['module'] . " " . $is_singleuser_class . " " . $view_mode_class;?>">
                <a href="#content" class="sr-only sr-only-focusable"><?php echo DI::l10n()->t('Skip to main content'); ?></a>
 <?php
        if (!empty($page['nav']) && !$minimal) {
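Review bot: The body line now depends on `$page['module']` being the locally escaped copy built in `Page::run()` (`$page = $this->page;` followed by the `htmlspecialchars()` assignments), not `$this->page`, which that hunk leaves unescaped; the include that hands `$page` to this template is outside the hunk, so this is presumably correct but worth confirming. Only frio's `default.php` is changed in this commit; if other themes echo `DI::args()->getModuleName()` or `DI::args()->get(0, ...)` into markup the same way, they still emit the raw argument and need the same switch to `$page['module']` / `$page['section']`. A short comment at the top of the template, e.g. `// $page['module'] and $page['section'] are pre-escaped by Page::run(); do not read DI::args() directly here`, would stop the raw call from being reintroduced.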
@@ -125,7 +125,7 @@ $is_singleuser_class = $is_singleuser ? "is-singleuser" : "is-not-singleuser";
 
                                        <div class="col-lg-7 col-md-7 col-sm-12 col-xs-12" id="content">
                                                <section class="sectiontop ';
-                                                       echo DI::args()->get(0, 'generic');
+                                                       echo $page['section'] ?? '';
                                                        echo '-content-wrapper">';
                                                        if (!empty($page['content'])) {
                                                                echo $page['content'];