diff --git a/app/Controller/AppController.php b/app/Controller/AppController.php
index 260aeff4..441f1f47 100755
--- a/app/Controller/AppController.php
+++ b/app/Controller/AppController.php
@@ -36,7 +36,7 @@ class AppController extends Controller
 {
- public $components = ['Util', 'Module', 'Session', 'Cookie', 'Security', 'EyPlugin', 'Lang', 'Theme', 'History', 'Statistics', 'Permissions', 'Update', 'Server'];
+ public $components = ['Util', 'Module', 'Session', 'Cookie', 'Security', 'EyPlugin', 'Lang', 'Theme', 'History', 'Statistics', 'Permissions', 'Update', 'Server', 'EySecurity'];
 public $helpers = ['Session'];
 public $view = 'Theme';
@@ -46,7 +46,10 @@ class AppController extends Controller
 public function beforeFilter()
 {
-
+ // find any xss vulnability on request data
+ $datas = $this->request->data;
+ $this->request->data = $this->xssProtection($datas);
+ $this->request->data["xss"] = $datas;
 // lowercase to avoid errors when the controller is called with uppercase
 $this->params['controller'] = strtolower($this->params['controller']);
 $this->params['action'] = strtolower($this->params['action']);
@@ -110,6 +113,15 @@ public function beforeFilter()
 }
+ public function xssProtection($array)
+ {
+ foreach ($array as $key => $value) {
+ $array[$key] = is_array($value) ? $this->xssProtection($value) : $this->EySecurity->xssProtection($value);
+ }
+ return $array;
+
+ }
+
 public function __initConfiguration()
 {
 // configuration générale
diff --git a/app/Controller/ConfigurationController.php b/app/Controller/ConfigurationController.php
index f3b8f3a6..0ce3f542 100755
--- a/app/Controller/ConfigurationController.php
+++ b/app/Controller/ConfigurationController.php
@@ -69,6 +69,8 @@ public function admin_index()
 ['password_hash' => null]
 );
+ $data['end_layout_code'] = $data['xss']['end_layout_code'];
+
 $this->Configuration->read(null, 1);
 $this->Configuration->set($data);
 $this->Configuration->save();
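Review bot: The unfiltered copy written back with `$this->request->data["xss"] = $datas;` on the last added line of the beforeFilter hunk reintroduces the raw payload into the very array the filter just cleaned, so any code that hands `$this->request->data` straight to a save or iterates over it sees untrusted values under the `xss` key, and a genuine form field named `xss` is silently clobbered. Keeping the raw copy off the request array — for instance `$this->rawRequestData = $datas;` on a dedicated controller property — avoids both problems. Note also that only `$this->request->data` is filtered here; query-string and route parameters are untouched, and input filtering of this kind complements rather than replaces escaping at output time. `beforeFilter` continues outside the hunk.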
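Review bot: `xssProtection` is declared `public` on a controller; under CakePHP 2, which the `$components`/`beforeFilter`/`$this->request->data` conventions suggest, public controller methods are routable actions, so this helper becomes reachable as a URL action with no argument and would surface a PHP error instead of a page. Declaring it `protected function xssProtection($array)` — or prefixing it with an underscore like the neighbouring `__initConfiguration` — keeps it out of the action list. The loop also assumes `$array` is an array; a scalar argument makes `foreach` emit a warning and return the input unchanged, so a guard such as `if (!is_array($array)) { return $array; }` at the top is cheap. Array keys are passed through unmodified, which is acceptable only as long as they are never rendered unescaped.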
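Review bot: The added line in `admin_index` restores the raw `end_layout_code` from `$data['xss']` but leaves the `xss` key itself inside `$data`, which is then passed to `$this->Configuration->set($data)` two lines below, so the entire unfiltered request copy is offered to the model for assignment. Drop it after use and tolerate its absence: `$data['end_layout_code'] = $data['xss']['end_layout_code'] ?? $data['end_layout_code']; unset($data['xss']);` (or an `isset()` check if the project must still run on PHP 5), since `$data['xss']['end_layout_code']` raises an undefined-index notice whenever the request did not carry that field; whether `$data` is the whole request array or a sub-array is decided above the hunk. Because this deliberately stores admin-supplied HTML verbatim, a one-line comment such as `// end_layout_code is admin-authored HTML; keep the unfiltered value on purpose` would stop a later reader from reverting it. `admin_index` starts outside the hunk.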