From 6b03dccf94d93d8753690792adcbca4a5cceb37f Mon Sep 17 00:00:00 2001
From: Carlos Garcia Gomez
Date: Tue, 21 Jun 2022 11:10:00 +0200
Subject: [PATCH] Escaping the html in the fields of the EstadoDocumento model to avoid XSS attacks.
------
Escapado el html en los campos del modelo EstadoDocumento para evitar ataques XSS.
---
 Core/Model/EstadoDocumento.php | 8 +++++++-
 Test/Core/Model/EstadoDocumentoTest.php | 22 +++++++++++++++++++++-
 2 files changed, 28 insertions(+), 2 deletions(-)
diff --git a/Core/Model/EstadoDocumento.php b/Core/Model/EstadoDocumento.php
index 25e82b5d54..47dd2e5b76 100644
--- a/Core/Model/EstadoDocumento.php
+++ b/Core/Model/EstadoDocumento.php
@@ -138,7 +138,13 @@ public static function tableName(): string
 public function test(): bool
 {
- $this->nombre = $this->toolBox()->utils()->noHtml($this->nombre);
+ // escapamos el html
+ $this->generadoc = self::toolBox()::utils()::noHtml($this->generadoc);
+ $this->icon = self::toolBox()::utils()::noHtml($this->icon);
+ $this->nombre = self::toolBox()::utils()::noHtml($this->nombre);
+ $this->tipodoc = self::toolBox()::utils()::noHtml($this->tipodoc);
+
+ // Comprobamos que el nombre no esté vacío
 if (empty($this->nombre) || empty($this->tipodoc)) {
 return false;
 }
diff --git a/Test/Core/Model/EstadoDocumentoTest.php b/Test/Core/Model/EstadoDocumentoTest.php
index 13e71fb090..48812e08a3 100644
--- a/Test/Core/Model/EstadoDocumentoTest.php
+++ b/Test/Core/Model/EstadoDocumentoTest.php
@@ -1,7 +1,7 @@
+ * Copyright (C) 2021-2022 Carlos Garcia Gomez
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU Lesser General Public License as
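Review bot: Entity-encoding `tipodoc` and `generadoc` with `noHtml` treats them as free text, but their names suggest they select a document type and the type of document to generate; if that is the case, an allowlist check in `test()` against the known document-type names (returning false for anything else) is the stronger validation and would make HTML escaping on those two fields moot. The escaping only covers records that pass through `test()` from now on, so rows already stored with markup are presumably unchanged until they are re-saved. Whether `icon` is actually safe also depends on `noHtml` encoding quotes, since an icon name is typically emitted inside an HTML attribute where `"` and `'` matter more than `<` and `>` — the helper is not visible here, so worth confirming, and storage-time encoding should stay a defense in depth alongside template output escaping rather than replace it. `test()` continues past the end of the hunk.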
@@ -45,6 +45,26 @@ public function testCreateNewStatus()
 $this->assertTrue($status->delete(), 'estado-documento-cant-delete');
 }
+ public function testHtmlOnFields()
+ {
+ // creamos un estado con html en los campos
+ $status = new EstadoDocumento();
+ $status->nombre = '';
+ $status->tipodoc = '';
+ $status->generadoc = '';
+ $status->icon = '';
+ $this->assertTrue($status->save(), 'estado-documento-cant-save');
+
+ // comprobamos que el html se ha escapado
+ $this->assertEquals('<test>', $status->nombre, 'estado-documento-html-not-escaped');
+ $this->assertEquals('<test>', $status->tipodoc, 'estado-documento-html-not-escaped');
+ $this->assertEquals('<test>', $status->generadoc, 'estado-documento-html-not-escaped');
+ $this->assertEquals('<test>', $status->icon, 'estado-documento-html-not-escaped');
+
+ // eliminamos
+ $this->assertTrue($status->delete(), 'estado-documento-cant-delete');
+ }
+
 public function testCreateDefaultStatus()
 {
 // get the initial default count
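Review bot: As rendered here, `testHtmlOnFields` assigns `''` to every field and then expects `'<test>'` back, which cannot both hold: an empty `nombre` or `tipodoc` makes `test()` return false so `save()` would fail, and a raw tag is exactly what the escaping is meant to remove — the literals were likely mangled when this page was rendered, so confirm that the inputs are `'<test>'` and that the expectations are the entity-encoded form `noHtml` produces rather than the unescaped tag. The test also only exercises angle brackets; adding an input with quotes, e.g. `$status->icon = 'a" onmouseover="x';`, would verify attribute-context escaping, which is the case that matters for `icon`. The assertions run against the in-memory object after `save()`; reloading the row from the database before asserting would also prove that the escaped value is what was actually persisted.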