Commit 8a8b21e4 authored by Robert Lyon's avatar Robert Lyon

Security Bug 1744789: Remove bad code from wallpost post

We currently escape post content before submission
But we also need to do cleaning on the PHP side in case an attacker posts directly

Also needing to clean up annotations with bad html in their
descriptions and resume composite fields with bad html in their
descriptions

behatnotneeded

Change-Id: I8c7def1acad7b6692a96b2ba065c23abcd69cfb5
Signed-off-by: Robert Lyon's avatarRobert Lyon <robertl@catalyst.net.nz>
(cherry picked from commit cff11225)
parent 8c81c136
......@@ -185,7 +185,7 @@ class PluginBlocktypeAnnotation extends MaharaCoreBlocktype {
$textreadonly = $totalannotationfeedback[$view->get('id')]->total > 0;
}
$text = $artefact->get('description');
$text = clean_html($artefact->get('description'));
$tags = $artefact->get('tags');
}
catch (ArtefactNotFoundException $e) {
......
......@@ -931,6 +931,17 @@ abstract class ArtefactTypeResumeComposite extends ArtefactTypeResume implements
else {
$record->clipcount = count($attachments);
}
// Clean up description before displaying it
if (isset($record->qualdescription)) {
$record->qualdescription = clean_html($record->qualdescription);
}
else if (isset($record->positiondescription)) {
$record->positiondescription = clean_html($record->positiondescription);
}
else {
$record->description = clean_html($record->description);
}
$datawithattachments[] = $record;
}
......
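Review bot: The new if / else if / else chain cleans at most one description field per record, so a record that carries both `qualdescription` (or `positiondescription`) and `description` would leave the second field uncleaned; whether such records exist depends on the composite types' schema, which is outside this hunk, but the three fields are not guaranteed to be mutually exclusive by anything visible here. The final `else` branch also reads `$record->description` without an `isset()` guard, which raises an undefined-property notice when a record has none of the three fields. Cleaning each field independently removes both issues; the loop below replaces the chain. The enclosing method starts and ends outside the hunk.
```php
// Clean up description fields before displaying them; each field is cleaned
// independently so a record carrying more than one is not left partly uncleaned
foreach (array('qualdescription', 'positiondescription', 'description') as $field) {
    if (isset($record->$field)) {
        $record->$field = clean_html($record->$field);
    }
}
$datawithattachments[] = $record;
```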
......@@ -231,7 +231,7 @@ EOF;
'replyto' => ($values['replyto']) ? $values['replyto'] : null,
'private' => (int)(bool)$values['private'],
'postdate' => db_format_timestamp(time()),
'text' => $values['text'],
'text' => clean_html($values['text']),
);
$newid = insert_record('blocktype_wall_post', $record, 'id', true);
......@@ -288,15 +288,13 @@ EOF;
$params = array($instance->get('id'));
if ($records = get_records_sql_array($sql, $params, $nolimit ? '' : 0, $nolimit ? '' : 10)) {
return array_map(
create_function(
'$item',
'$item->displayname = display_name($item);
$item->profileurl = profile_url($item);
$item->deletable = PluginBlocktypeWall::can_delete_wallpost($item->from, ' . intval($owner) .');
return $item;'),
$records
);
return array_map(function($item) {
$item->displayname = display_name($item);
$item->text = clean_html($item->text);
$item->profileurl = profile_url($item);
$item->deletable = PluginBlocktypeWall::can_delete_wallpost($item->from, ' . intval($owner) .');
return $item;
}, $records);
}
return false;
}
......
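Review bot: In the second hunk the closure that replaces `create_function` still passes the literal string `' . intval($owner) .'` as the second argument to `PluginBlocktypeWall::can_delete_wallpost`, a leftover of the old string-concatenated body; it is syntactically valid PHP but `$item->deletable` is now computed from that string rather than the owner id, and `$owner` is not captured by the closure at all. The two lines should read `return array_map(function($item) use ($owner) {` and `$item->deletable = PluginBlocktypeWall::can_delete_wallpost($item->from, $owner);`. The `clean_html($item->text)` added in the same closure is fine and covers rows stored before the insert-time cleaning in the first hunk. The enclosing method starts before this hunk.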
......@@ -873,7 +873,7 @@ class Framework {
'elements' => array(
'annotation' => array(
'type' => 'html',
'value' => $text,
'value' => clean_html($text),
),
),
);
......