From 49de453c8d4942d09fab230e8f242300c831e2a7 Mon Sep 17 00:00:00 2001
From: CollectiveAccess
Date: Sat, 30 Apr 2022 10:25:48 -0400
Subject: [PATCH] Print potential XSS in error message handler
---
 app/controllers/system/ErrorController.php | 2 --
 app/lib/ApplicationError.php | 4 ++--
 app/lib/Controller/Request/RequestHTTP.php | 5 ++++-
 3 files changed, 6 insertions(+), 5 deletions(-)
diff --git a/app/controllers/system/ErrorController.php b/app/controllers/system/ErrorController.php
index 00de38abe5..d37c64b339 100644
--- a/app/controllers/system/ErrorController.php
+++ b/app/controllers/system/ErrorController.php
@@ -29,8 +29,6 @@ require_once(__CA_LIB_DIR__."/ApplicationError.php");
 class ErrorController extends ActionController {
- # -------------------------------------------------------
- # -------------------------------------------------------
 function Show() {
 $o_purify = caGetHTMLPurifier();
diff --git a/app/lib/ApplicationError.php b/app/lib/ApplicationError.php
index 505debc330..629b4a6734 100755
--- a/app/lib/ApplicationError.php
+++ b/app/lib/ApplicationError.php
@@ -175,7 +175,7 @@ public function __construct($pn_error_number=0, $ps_error_description='', $ps_er
 * @return integer Always returns 1
 */
 public function setError ($pn_error_number, $ps_error_description='', $ps_error_context='', $ps_error_source='') {
- $this->opn_error_number = $pn_error_number;
+ $this->opn_error_number = (int)$pn_error_number;
 $this->ops_error_description = $ps_error_description;
 $this->ops_error_context = $ps_error_context;
 $this->ops_error_source = $ps_error_source;
@@ -321,7 +321,7 @@ public function getErrorMessage() {
 if ($vs_error_message) {
 return $vs_error_message;
 } else {
- return "Unknown error: ".$this->opn_error_number;
+ return "Unknown error: ".(int)$this->opn_error_number;
 }
 }
diff --git a/app/lib/Controller/Request/RequestHTTP.php b/app/lib/Controller/Request/RequestHTTP.php
index 0885006099..dc10a4643a 100644 
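Review bot: The `(int)` cast added in setError silently maps a non-numeric `$pn_error_number` to 0, so a caller that passes a malformed value now ends up with `Unknown error: 0` from getErrorMessage and no trace of what was actually passed; the `@param` entry for `$pn_error_number` in the docblock above the hunk should record this, e.g. `@param int $pn_error_number Error code; coerced with (int), non-numeric input becomes 0`. Declaring the parameter as `int` would be the typed alternative, but it would turn those callers into a TypeError instead of a 0, so the cast is the backward-compatible choice. The cast covers only the numeric field; `$ps_error_description`, `$ps_error_context` and `$ps_error_source` are stored exactly as given, so any escaping of those strings still has to happen where they are rendered. The constructor named in the hunk header is outside the hunk, so whether it assigns `opn_error_number` directly or via setError cannot be confirmed here; the output-side cast in the getErrorMessage hunk covers that path either way.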
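Review bot: The output-side `(int)` cast in the else branch of getErrorMessage duplicates the one setError now applies on assignment; keeping both is reasonable as defence in depth, but a one-line comment would stop the next reader from removing either, e.g. `// cast again at output: the number may have been stored without going through setError`. The branch that returns `$vs_error_message` unchanged is untouched by this commit, so if that text can carry request-derived content the escaping has to happen at the rendering site, which this hunk cannot show. `if ($vs_error_message)` also treats the string `'0'` as empty, so a message consisting of `0` falls through to the `Unknown error` branch; `if ($vs_error_message !== null && $vs_error_message !== '')` would be the precise test, assuming the variable is a string or null (it is assigned outside the hunk).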
--- a/app/lib/Controller/Request/RequestHTTP.php
+++ b/app/lib/Controller/Request/RequestHTTP.php
@@ -576,12 +576,15 @@ public function getParameter($pa_name, $pn_type, $ps_http_method=null, $pa_optio
 if (!isset($vm_val)) { return ""; }
 $vm_val = str_replace("\0", '', $vm_val);
+
+ $purified = false;
 if((caGetOption('purify', $pa_options, true) && $this->config->get('purify_all_text_input')) || caGetOption('forcePurify', $pa_options, false)) {
 if(is_array($vm_val)) {
 $vm_val = array_map(function($v) { return is_array($v) ? $v : str_replace("&", "&", RequestHTTP::getPurifier()->purify(rawurldecode($v))); }, $vm_val);
 } else {
 $vm_val = str_replace("&", "&", RequestHTTP::getPurifier()->purify(rawurldecode($vm_val)));
 }
+ $purified = true;
 }
 if ($vm_val == "") { return ($pn_type == pArray) ? [] : ''; }
@@ -607,7 +610,7 @@ public function getParameter($pa_name, $pn_type, $ps_http_method=null, $pa_optio
 if(caGetOption('retainBackslashes', $pa_options, true)) {
 $vm_val = str_replace("\\", "\\\\", $vm_val); // retain backslashes for some strange people desire them as valid input
 }
- if(caGetOption('urldecode', $pa_options, true)) {
+ if(!$purified && caGetOption('urldecode', $pa_options, true)) {
 $vm_val = rawurldecode($vm_val);
 }
 return $vm_val;
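Review bot: `$purified = true;` is set for the whole value even when `$vm_val` is an array whose nested elements the `array_map` closure returns untouched (`is_array($v) ? $v : …`), so those nested values are neither run through the purifier nor, after this commit, decoded by the later `urldecode` step. If nested arrays are expected to reach that step, `array_walk_recursive` would apply the purifier at every leaf string; otherwise a comment at the closure should say why they are deliberately skipped, e.g. `// nested arrays are left as-is: purification is applied to leaf strings only`. What the flag actually records is that `rawurldecode()` has already run inside the purify branch, which is the property the second hunk relies on, so naming it accordingly (`$already_decoded`) or a comment at `$purified = true;` would make that coupling visible. getParameter starts and ends outside the hunk and the lines between the two hunks are not shown, so whether arrays can still reach the later `rawurldecode($vm_val)` call cannot be confirmed from here.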
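Review bot: The `!$purified` guard is correct only because the purify branch earlier in the function already calls `rawurldecode()` before `purify()`, and decoding a second time after purification could turn a percent-encoded sequence back into markup the purifier never inspected; that reasoning is not stated at the line, so add `// already rawurldecode()d before purification; decoding again could re-expose encoded markup` above the `if`. With this change a caller that combines `urldecode => true` with `forcePurify` gets a single decode instead of two, which is the intended behaviour but is a visible change for any input that was double-encoded on purpose, and is worth a line in the docblock for the `urldecode` option. getParameter's closing brace follows the hunk, and `$purified` itself is assigned near the top of the function in the first hunk.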