From 14a1bb971bcb8b5456c2bf0020c3018907a2704d Mon Sep 17 00:00:00 2001
From: Bozhidar Slaveykov
Date: Thu, 10 Feb 2022 11:36:59 +0200
Subject: [PATCH] xss fix on tagging module

---
 src/MicroweberPackages/Helper/HTMLClean.php | 12 ++++++++++++
 userfiles/modules/tags/TaggingTagsManager.php | 4 +++-
 2 files changed, 15 insertions(+), 1 deletion(-)

diff --git a/src/MicroweberPackages/Helper/HTMLClean.php b/src/MicroweberPackages/Helper/HTMLClean.php
index 2a20e428ca8..d9cac9b20fd 100644
--- a/src/MicroweberPackages/Helper/HTMLClean.php
+++ b/src/MicroweberPackages/Helper/HTMLClean.php
@@ -4,6 +4,18 @@
 
 class HTMLClean
 {
+    public function cleanArray($array) {
+        if (is_array($array)) {
+
+            $cleanedArray = [];
+            foreach ($array as $key=>$value) {
+                $cleanedArray[$key] = $this->clean($value);
+            }
+
+            return $cleanedArray;
+        }
+    }
+
     public function clean($html)
     {
         $antiXss = new \voku\helper\AntiXSS();
diff --git a/userfiles/modules/tags/TaggingTagsManager.php b/userfiles/modules/tags/TaggingTagsManager.php
index df86b670225..dd1e191b8fd 100644
--- a/userfiles/modules/tags/TaggingTagsManager.php
+++ b/userfiles/modules/tags/TaggingTagsManager.php
@@ -66,6 +66,9 @@ function tagging_tag_edit($params) {
         $newData['id'] = $params['id'];
     }
 
+    $cleanInput = new \MicroweberPackages\Helper\HTMLClean();
+    $newData = $cleanInput->cleanArray($newData);
+
     if (isset($params['tagging_tag_id']) && !empty($params['tagging_tag_id'])) {
         $tagging_tag_id = $params['tagging_tag_id'];
         $tag = db_get('tagging_tags', [
@@ -105,7 +108,6 @@ function tagging_tag_edit($params) {
         }
     }
 
-
     $tagSaved = db_save('tagging_tags',$newData);
 
     if ($tagSaved) {
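Review bot: `cleanArray` falls off the end of the method when `$array` is not an array, so it implicitly returns `null`, and a caller that reassigns its input (as `TaggingTagsManager` does in this same commit with `$newData = $cleanInput->cleanArray($newData)`) would silently replace its data with `null`. It also passes every element to `clean()` regardless of type: nested arrays and non-string scalars go straight into the AntiXSS call, whose handling of those inputs is not visible in this hunk. I would make the non-array case explicit, recurse into nested arrays so a multi-level payload is cleaned element-wise, and add a docblock (`@param array<array-key, mixed> $array`, `@return array<array-key, mixed>`) stating that only values are cleaned, not keys. The method has no parameter or return type declarations, unlike what the rest of a typed codebase would expect.
```php
    /**
     * Cleans every value of $array with clean(); nested arrays are cleaned
     * recursively. Keys are copied as-is. Non-array input is returned unchanged.
     */
    public function cleanArray($array)
    {
        if (!is_array($array)) {
            return $array;
        }

        $cleanedArray = [];
        foreach ($array as $key => $value) {
            $cleanedArray[$key] = is_array($value)
                ? $this->cleanArray($value)
                : $this->clean($value);
        }

        return $cleanedArray;
    }
```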
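Review bot: The `cleanArray` call is placed between the `id` assignment and the `tagging_tag_id` lookup, so any `$params` values copied into `$newData` in the lines between this hunk and the `db_save('tagging_tags',$newData)` call shown in the next hunk (the body of `tagging_tag_edit` continues outside both hunks) would bypass the cleaning; if such assignments exist, moving the two added lines to directly above `$tagSaved = db_save(...)` covers every stored field with one call. `cleanArray` also returns `null` when its argument is not an array, so a comment on the assignment such as `// $newData is always an array at this point; cleanArray() would yield null otherwise` records the assumption the code relies on. Sanitising on write is a defence-in-depth measure only; tag values still need context-appropriate escaping (`htmlspecialchars` for HTML) at the point where they are rendered.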