update

microweber · Jul 18, 2022 · d286551 · d286551
1 parent b6d12c8
commit d286551
Show file tree

Hide file tree

Showing 2 changed files with 25 additions and 7 deletions.
diff --git a/src/MicroweberPackages/App/Http/Controllers/ApiController.php b/src/MicroweberPackages/App/Http/Controllers/ApiController.php
@@ -67,7 +67,7 @@ public function api($api_function = false, $params = false)
 
 
         if (defined('TEMPLATE_DIR')) {
-             app()->template_manager->boot_template();
+            app()->template_manager->boot_template();
         }
 
         //$api_function_full = str_ireplace('api/', '', $api_function_full);
@@ -916,7 +916,7 @@ public function module()
             $mod_iframe = true;
         }
 
-        //$data = $request_data;
+        $data = $request_data;
 
         if (($_POST)) {
             $data = $_POST;
@@ -987,7 +987,7 @@ public function module()
 
             unset($data['ondrop']);
         }
-        // d($data);
+
 
 
         $opts = array();
@@ -1035,7 +1035,10 @@ public function module()
 
         $has_id = false;
         if (isset($data) and is_array($data)) {
+            $data = xss_clean($data);
             foreach ($data as $k => $v) {
+                $k = $this->app->module_manager->format_attr($k);
+
                 if ($k != 'ondrop') {
                     if ($k == 'id') {
                         $has_id = true;
@@ -1045,9 +1048,7 @@ public function module()
                         $v1 = $this->app->format->array_to_base64($v);
                         $tags .= "{$k}=\"$v1\" ";
                     } else {
-                        $v = $this->app->format->clean_html($v);
-
-                        //$v = app()->database_manager->escape_string($v);
+                        $v = $this->app->module_manager->format_attr($v);
 
                         $tags .= "{$k}=\"$v\" ";
                     }
@@ -1193,7 +1194,7 @@ public function editor_tools()
                 }
 
                 $this->return_data = 1;
-                 $page = $this->frontend();
+                $page = $this->frontend();
             } else {
                 $page = $this->app->content_manager->get_by_id($_REQUEST['content_id']);
             }

diff --git a/src/MicroweberPackages/Module/ModuleManager.php b/src/MicroweberPackages/Module/ModuleManager.php
@@ -797,6 +797,23 @@ public function load($module_name, $attrs = array())
 
     }
 
+    public function format_attr($attr_value)
+    {
+        $attr_value = str_replace('"', '&quot;', $attr_value);
+        $attr_value = str_replace("'", '&#39;', $attr_value);
+        $attr_value = str_replace('<', '&lt;', $attr_value);
+        $attr_value = str_replace('>', '&gt;', $attr_value);
+        $attr_value = str_replace('&', '&amp;', $attr_value);
+        $attr_value = str_replace(']', '&#93;', $attr_value);
+        $attr_value = str_replace('[', '&#91;', $attr_value);
+        $attr_value = str_replace('{', '&#123;', $attr_value);
+        $attr_value = str_replace('}',  '&#125;', $attr_value);
+        $attr_value = str_replace('`',   '&#96;', $attr_value);
+        $attr_value = str_replace(';',    '&#59;', $attr_value);
+        return $attr_value;
+    }
+
+
     public function css_class($module_name)
     {
         global $mw_defined_module_classes;