Escaping the html in the fields of the EstadoDocumento model to avoid…

… XSS attacks. ------ Escapado el html en los campos del modelo EstadoDocumento para evitar ataques XSS.
NeoRazorX · Jun 21, 2022 · 6b03dcc · 6b03dcc
1 parent 8a48aa4
commit 6b03dcc
Show file tree

Hide file tree

Showing 2 changed files with 28 additions and 2 deletions.
diff --git a/Core/Model/EstadoDocumento.php b/Core/Model/EstadoDocumento.php
@@ -138,7 +138,13 @@ public static function tableName(): string
 
     public function test(): bool
     {
-        $this->nombre = $this->toolBox()->utils()->noHtml($this->nombre);
+        // escapamos el html
+        $this->generadoc = self::toolBox()::utils()::noHtml($this->generadoc);
+        $this->icon = self::toolBox()::utils()::noHtml($this->icon);
+        $this->nombre = self::toolBox()::utils()::noHtml($this->nombre);
+        $this->tipodoc = self::toolBox()::utils()::noHtml($this->tipodoc);
+
+        // Comprobamos que el nombre no esté vacío
         if (empty($this->nombre) || empty($this->tipodoc)) {
             return false;
         }

diff --git a/Test/Core/Model/EstadoDocumentoTest.php b/Test/Core/Model/EstadoDocumentoTest.php
@@ -1,7 +1,7 @@
 <?php
 /**
  * This file is part of FacturaScripts
- * Copyright (C) 2021 Carlos Garcia Gomez <carlos@facturascripts.com>
+ * Copyright (C) 2021-2022 Carlos Garcia Gomez <carlos@facturascripts.com>
  *
  * This program is free software: you can redistribute it and/or modify
  * it under the terms of the GNU Lesser General Public License as
@@ -45,6 +45,26 @@ public function testCreateNewStatus()
         $this->assertTrue($status->delete(), 'estado-documento-cant-delete');
     }
 
+    public function testHtmlOnFields()
+    {
+        // creamos un estado con html en los campos
+        $status = new EstadoDocumento();
+        $status->nombre = '<test>';
+        $status->tipodoc = '<test>';
+        $status->generadoc = '<test>';
+        $status->icon = '<test>';
+        $this->assertTrue($status->save(), 'estado-documento-cant-save');
+
+        // comprobamos que el html se ha escapado
+        $this->assertEquals('&lt;test&gt;', $status->nombre, 'estado-documento-html-not-escaped');
+        $this->assertEquals('&lt;test&gt;', $status->tipodoc, 'estado-documento-html-not-escaped');
+        $this->assertEquals('&lt;test&gt;', $status->generadoc, 'estado-documento-html-not-escaped');
+        $this->assertEquals('&lt;test&gt;', $status->icon, 'estado-documento-html-not-escaped');
+
+        // eliminamos
+        $this->assertTrue($status->delete(), 'estado-documento-cant-delete');
+    }
+
     public function testCreateDefaultStatus()
     {
         // get the initial default count