From 891ed74ea1ce1b1a71bda8e8c07621eb840548a1 Mon Sep 17 00:00:00 2001
From: Carlos Garcia Gomez
Date: Tue, 10 May 2022 13:16:17 +0200
Subject: [PATCH] =?UTF-8?q?Added=20url=20check=20to=20transport=20agency?=
 =?UTF-8?q?=20model=20web=20field=20to=20prevent=20XSS=20attacks.=20------?=
 =?UTF-8?q?=20A=C3=B1adida=20verificaci=C3=B3n=20de=20url=20al=20campo=20w?=
 =?UTF-8?q?eb=20del=20modelo=20de=20agencia=20de=20transporte=20para=20evi?=
 =?UTF-8?q?tar=20ataques=20XSS.?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 Core/Model/AgenciaTransporte.php | 7 +++++++
 Test/Core/Model/AgenciaTransporteTest.php | 19 +++++++++++++++++++
 2 files changed, 26 insertions(+)
diff --git a/Core/Model/AgenciaTransporte.php b/Core/Model/AgenciaTransporte.php
index e9c46baab1..2fbb3f9a1b 100644
--- a/Core/Model/AgenciaTransporte.php
+++ b/Core/Model/AgenciaTransporte.php
@@ -91,6 +91,13 @@ public function test(): bool
 $this->nombre = $utils->noHtml($this->nombre);
 $this->telefono = $utils->noHtml($this->telefono);
 $this->web = $utils->noHtml($this->web);
+
+ // check if the web is a valid url
+ if (!empty($this->web) && !filter_var($this->web, FILTER_VALIDATE_URL)) {
+ self::toolBox()::i18nLog()->error('invalid-web');
+ return false;
+ }
+
 return parent::test();
 }
diff --git a/Test/Core/Model/AgenciaTransporteTest.php b/Test/Core/Model/AgenciaTransporteTest.php
index 85455fdee0..0afbb36c87 100644
--- a/Test/Core/Model/AgenciaTransporteTest.php
+++ b/Test/Core/Model/AgenciaTransporteTest.php
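Review bot: The `filter_var($this->web, FILTER_VALIDATE_URL)` check added to `test()` validates URL syntax only and does not restrict the scheme, so a well-formed value with a non-http scheme and a host component still passes and can end up rendered as a link, which falls short of the XSS goal stated in the commit message. I would also pin the scheme alongside the syntax check: `$scheme = strtolower((string) parse_url($this->web, PHP_URL_SCHEME));` and extend the condition with `|| !in_array($scheme, ['http', 'https'], true)`. Note too that FILTER_VALIDATE_URL requires a scheme, so values entered as `www.example.com` without `https://` are now rejected; if that is intended, the `invalid-web` message should tell the user a scheme is required. The start of `test()` (before line 91) is outside the hunk.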
@@ -52,6 +52,25 @@ public function testCreateWithNewCode()
 $this->assertTrue($agency->delete(), 'agency-cant-delete');
 }
+ public function testBadWeb()
+ {
+ $agency = new AgenciaTransporte();
+ $agency->codtrans = 'Test';
+ $agency->nombre = 'Test Agency';
+ $agency->web = 'javascript:alert(origin)';
+ $this->assertFalse($agency->save(), 'agency-can-save-bad-web');
+ }
+
+ public function testGoodWeb()
+ {
+ $agency = new AgenciaTransporte();
+ $agency->codtrans = 'Test';
+ $agency->nombre = 'Test Agency';
+ $agency->web = 'https://www.facturascripts.com';
+ $this->assertTrue($agency->save(), 'agency-cant-save-good-web');
+ $this->assertTrue($agency->delete(), 'agency-cant-delete');
+ }
+
 protected function tearDown(): void
 {
 $this->logErrors();
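Review bot: `testBadWeb` exercises only a scheme-without-host value and `testGoodWeb` only a bare https origin, so the two cases a reader of the model change will ask about are left unpinned: a scheme-less entry such as `'www.facturascripts.com'` (which FILTER_VALIDATE_URL rejects) and an http/https URL carrying a path and query string (which must be accepted). One assertion each would document the intended behaviour instead of leaving it to filter_var's rules, e.g. `$agency->web = 'www.facturascripts.com'; $this->assertFalse($agency->save(), 'agency-can-save-schemeless-web');`. If the model is later tightened to http/https only, the same pattern should gain a case for a syntactically valid URL with another scheme. The test class continues outside the hunk.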