Fixed unescaped messages in JSON responses
mahagr committed Nov 3, 2021
1 parent c8a4a11 commit 6463135
Showing 4 changed files with 33 additions and 23 deletions.
6 changes: 6 additions & 0 deletions CHANGELOG.md
@@ -1,3 +1,9 @@
# v1.10.25
## mm/dd/2021

3. [](#bugfix)
* Fixed unescaped messages in JSON responses

# v1.10.24
## 10/26/2021

18 changes: 11 additions & 7 deletions classes/plugin/AdminBaseController.php
Expand Up @@ -271,7 +271,7 @@ public function taskFilesUpload()
$this->admin->json_response = [
'status' => 'error',
'message' => sprintf($this->admin::translate('PLUGIN_ADMIN.FILEUPLOAD_UNABLE_TO_UPLOAD', null),
$filename, 'Bad filename')
htmlspecialchars($filename, ENT_QUOTES | ENT_HTML5, 'UTF-8'), 'Bad filename')
];

return false;
Expand All @@ -291,7 +291,7 @@ public function taskFilesUpload()
$this->admin->json_response = [
'status' => 'error',
'message' => sprintf($this->admin::translate('PLUGIN_ADMIN.FILEUPLOAD_PREVENT_SELF', null),
$settings->destination)
htmlspecialchars($settings->destination, ENT_QUOTES | ENT_HTML5, 'UTF-8'))
];

return false;
Expand All @@ -302,7 +302,8 @@ public function taskFilesUpload()
$this->admin->json_response = [
'status' => 'error',
'message' => sprintf($this->admin::translate('PLUGIN_ADMIN.FILEUPLOAD_UNABLE_TO_UPLOAD', null),
$filename, $this->upload_errors[$upload->file->error])
htmlspecialchars($filename, ENT_QUOTES | ENT_HTML5, 'UTF-8'),
$this->upload_errors[$upload->file->error])
];

return false;
Expand Down Expand Up @@ -340,15 +341,15 @@ public function taskFilesUpload()
if ($isMime) {
$match = preg_match('#' . $find . '$#', $mime);
if (!$match) {
$errors[] = 'The MIME type "' . $mime . '" for the file "' . $filename . '" is not an accepted.';
$errors[] = htmlspecialchars('The MIME type "' . $mime . '" for the file "' . $filename . '" is not an accepted.', ENT_QUOTES | ENT_HTML5, 'UTF-8');
} else {
$accepted = true;
break;
}
} else {
$match = preg_match('#' . $find . '$#', $filename);
if (!$match) {
$errors[] = 'The File Extension for the file "' . $filename . '" is not an accepted.';
$errors[] = htmlspecialchars('The File Extension for the file "' . $filename . '" is not an accepted.', ENT_QUOTES | ENT_HTML5, 'UTF-8');
} else {
$accepted = true;
break;
Expand Down Expand Up @@ -379,8 +380,11 @@ public function taskFilesUpload()
if (!move_uploaded_file($tmp_file, $tmp)) {
$this->admin->json_response = [
'status' => 'error',
'message' => sprintf($this->admin::translate('PLUGIN_ADMIN.FILEUPLOAD_UNABLE_TO_MOVE', null), '',
$tmp)
'message' => sprintf(
$this->admin::translate('PLUGIN_ADMIN.FILEUPLOAD_UNABLE_TO_MOVE', null),
'',
htmlspecialchars($tmp, ENT_QUOTES | ENT_HTML5, 'UTF-8')
)
];

return false;
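Review bot: The `$filename` now wrapped in htmlspecialchars at the "Bad filename" / upload-error sites and in the `$errors[]` strings of the accept loop is a client-supplied upload name, and without `ENT_SUBSTITUTE` htmlspecialchars returns an empty string for any byte sequence that is not valid UTF-8, so a malformed name makes the error message silently lose the name; `ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE` keeps the message readable (U+FFFD replaces the bad bytes) and still hands json_encode valid UTF-8. HTML-entity escaping inside a JSON value is only right if the admin JavaScript inserts `message` as HTML; if it uses textContent the `&quot;`/`&lt;` will show literally, so the first escape site deserves a comment such as `// message is rendered as HTML by the admin JS; escape here, not client-side`. In the context lines, `preg_match('#' . $find . '$#', ...)` interpolates `$find` unquoted, so a `#` or regex metacharacter in an accept entry breaks or widens the match — `preg_quote($find, '#')` would be safer unless `$find` is meant to be a regex (its origin is outside the hunk). taskFilesUpload starts and ends outside the hunks shown.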
30 changes: 15 additions & 15 deletions classes/plugin/AdminController.php
Expand Up @@ -288,7 +288,7 @@ public function taskRegenerate2FASecret()
$debugger = $this->grav['debugger'];
$debugger->addException($e);

$this->admin->json_response = ['status' => 'error', 'message' => $e->getMessage()];
$this->admin->json_response = ['status' => 'error', 'message' => htmlspecialchars($e->getMessage(), ENT_QUOTES | ENT_HTML5, 'UTF-8')];
return false;
}

Expand Down Expand Up @@ -407,7 +407,7 @@ protected function taskGetNotifications()
$debugger = $this->grav['debugger'];
$debugger->addException($e);

$json_response = ['status' => 'error', 'message' => $e->getMessage()];
$json_response = ['status' => 'error', 'message' => htmlspecialchars($e->getMessage(), ENT_QUOTES | ENT_HTML5, 'UTF-8')];
}

$this->sendJsonResponse($json_response);
Expand Down Expand Up @@ -490,7 +490,7 @@ protected function taskGetNewsFeed()
$debugger = $this->grav['debugger'];
$debugger->addException($e);

$json_response = ['status' => 'error', 'message' => $e->getMessage()];
$json_response = ['status' => 'error', 'message' => htmlspecialchars($e->getMessage(), ENT_QUOTES | ENT_HTML5, 'UTF-8')];
}

$this->sendJsonResponse($json_response);
Expand Down Expand Up @@ -540,7 +540,7 @@ protected function taskBackup()

$this->admin->json_response = [
'status' => 'error',
'message' => $this->admin::translate('PLUGIN_ADMIN.AN_ERROR_OCCURRED') . '. ' . $e->getMessage()
'message' => $this->admin::translate('PLUGIN_ADMIN.AN_ERROR_OCCURRED') . '. ' . htmlspecialchars($e->getMessage(), ENT_QUOTES | ENT_HTML5, 'UTF-8')
];

return true;
Expand Down Expand Up @@ -917,7 +917,7 @@ protected function taskGetUpdates()
$debugger = $this->grav['debugger'];
$debugger->addException($e);

$this->admin->json_response = ['status' => 'error', 'message' => $e->getMessage()];
$this->admin->json_response = ['status' => 'error', 'message' => htmlspecialchars($e->getMessage(), ENT_QUOTES | ENT_HTML5, 'UTF-8')];

return false;
}
Expand Down Expand Up @@ -961,7 +961,7 @@ protected function taskGetPackagesDependencies()
$debugger = $this->grav['debugger'];
$debugger->addException($e);

$this->admin->json_response = ['status' => 'error', 'message' => $e->getMessage()];
$this->admin->json_response = ['status' => 'error', 'message' => htmlspecialchars($e->getMessage(), ENT_QUOTES | ENT_HTML5, 'UTF-8')];

return false;
}
Expand Down Expand Up @@ -1004,7 +1004,7 @@ protected function taskInstallDependenciesOfPackages()
$debugger = $this->grav['debugger'];
$debugger->addException($e);

$this->admin->json_response = ['status' => 'error', 'message' => $e->getMessage()];
$this->admin->json_response = ['status' => 'error', 'message' => htmlspecialchars($e->getMessage(), ENT_QUOTES | ENT_HTML5, 'UTF-8')];

return false;
}
Expand Down Expand Up @@ -1059,7 +1059,7 @@ protected function taskInstallPackage($reinstall = false)
$msg = Utils::contains($msg, '401 Unauthorized') ? "ERROR: License key for this resource is invalid." : $msg;
$msg = Utils::contains($msg, '404 Not Found') ? "ERROR: Resource not found" : $msg;

$this->admin->json_response = ['status' => 'error', 'message' => $msg];
$this->admin->json_response = ['status' => 'error', 'message' => htmlspecialchars($msg, ENT_QUOTES | ENT_HTML5, 'UTF-8')];

return false;
}
Expand Down Expand Up @@ -1133,7 +1133,7 @@ protected function taskRemovePackage(): bool
$debugger = $this->grav['debugger'];
$debugger->addException($e);

$json_response = ['status' => 'error', 'message' => $e->getMessage()];
$json_response = ['status' => 'error', 'message' => htmlspecialchars($e->getMessage(), ENT_QUOTES | ENT_HTML5, 'UTF-8')];

$this->sendJsonResponse($json_response, 200);
}
Expand Down Expand Up @@ -2068,7 +2068,7 @@ protected function taskProcessMarkdown()
$debugger = $this->grav['debugger'];
$debugger->addException($e);

$this->admin->json_response = ['status' => 'error', 'message' => $e->getMessage()];
$this->admin->json_response = ['status' => 'error', 'message' => htmlspecialchars($e->getMessage(), ENT_QUOTES | ENT_HTML5, 'UTF-8')];

return false;
}
Expand Down Expand Up @@ -2225,7 +2225,7 @@ protected function taskAddmedia()
$this->admin->json_response = [
'status' => 'error',
'message' => sprintf($this->admin::translate('PLUGIN_ADMIN.FILEUPLOAD_UNABLE_TO_UPLOAD'),
$filename, 'Bad filename')
htmlspecialchars($filename, ENT_QUOTES | ENT_HTML5, 'UTF-8'), 'Bad filename')
];

return false;
Expand Down Expand Up @@ -2453,7 +2453,7 @@ protected function taskDelmedia()
if (!$result) {
$this->admin->json_response = [
'status' => 'error',
'message' => $this->admin::translate('PLUGIN_ADMIN.FILE_COULD_NOT_BE_DELETED') . ': ' . $filename
'message' => $this->admin::translate('PLUGIN_ADMIN.FILE_COULD_NOT_BE_DELETED') . ': ' . htmlspecialchars($filename, ENT_QUOTES | ENT_HTML5, 'UTF-8')
];

return false;
Expand All @@ -2474,7 +2474,7 @@ protected function taskDelmedia()
if (!$result) {
$this->admin->json_response = [
'status' => 'error',
'message' => $this->admin::translate('PLUGIN_ADMIN.FILE_COULD_NOT_BE_DELETED') . ': ' . $filename
'message' => $this->admin::translate('PLUGIN_ADMIN.FILE_COULD_NOT_BE_DELETED') . ': ' . htmlspecialchars($filename, ENT_QUOTES | ENT_HTML5, 'UTF-8')
];

return false;
Expand All @@ -2489,7 +2489,7 @@ protected function taskDelmedia()
if (!$found) {
$this->admin->json_response = [
'status' => 'error',
'message' => $this->admin::translate('PLUGIN_ADMIN.FILE_NOT_FOUND') . ': ' . $filename
'message' => $this->admin::translate('PLUGIN_ADMIN.FILE_NOT_FOUND') . ': ' . htmlspecialchars($filename, ENT_QUOTES | ENT_HTML5, 'UTF-8')
];

return false;
Expand All @@ -2500,7 +2500,7 @@ protected function taskDelmedia()

$this->admin->json_response = [
'status' => 'success',
'message' => $this->admin::translate('PLUGIN_ADMIN.FILE_DELETED') . ': ' . $filename
'message' => $this->admin::translate('PLUGIN_ADMIN.FILE_DELETED') . ': ' . htmlspecialchars($filename, ENT_QUOTES | ENT_HTML5, 'UTF-8')
];

return true;
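Review bot: The identical `htmlspecialchars($x, ENT_QUOTES | ENT_HTML5, 'UTF-8')` call is now repeated at fifteen JSON-response sites in this file, and the next error path will be missed exactly as these were; escaping belongs in one place — a small helper on `$this->admin`, or inside `sendJsonResponse()` / wherever `json_response` is emitted — so every `message` is escaped by construction, e.g. `'message' => $this->admin->escapeMessage($e->getMessage())`. Separately from XSS, the `taskRegenerate2FASecret`, `taskGetUpdates`, `taskGetPackagesDependencies`, `taskInstallDependenciesOfPackages` and `taskProcessMarkdown` branches return the raw `$e->getMessage()` of arbitrary exceptions to the browser, which can carry file paths or upstream HTTP error bodies; the exception is already handed to `$debugger->addException($e)`, so a generic translated message to the client would be the safer default even though the caller is an admin. In `taskBackup` the escaped exception text is appended to an unescaped `translate()` result, which is fine only while translation strings remain trusted and not editable by end users. Each of these methods starts and ends outside the hunks shown.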
2 changes: 1 addition & 1 deletion classes/plugin/Controllers/AbstractController.php
Expand Up @@ -292,7 +292,7 @@ public function createErrorResponse(\Exception $exception): ResponseInterface
$response = [
'code' => $code,
'status' => 'error',
'message' => $message
'message' => htmlspecialchars($message, ENT_QUOTES | ENT_HTML5, 'UTF-8')
];

$accept = $this->getAccept(['application/json', 'text/html']);
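Review bot: `createErrorResponse()` escapes `$message` before the `$accept` negotiation on the next line chooses between `application/json` and `text/html`, so if the HTML branch (outside the hunk) renders the message through an autoescaping template the user sees double-encoded text (`&amp;lt;`), and if it prints it raw the escape is doing the template's job for it. The escape should be applied only when the JSON body is built: keep `'message' => $message` here and, in the JSON arm, use `htmlspecialchars($message, ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE, 'UTF-8')`. Adding `ENT_SUBSTITUTE` also avoids the empty string htmlspecialchars returns when an exception message contains invalid UTF-8. The method's body continues past the hunk.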
