Modified the AttachedFile model to always escape the html to avoid XS…

…S attacks using the file name. Also added a unit test to prevent regressions.

------
Modificado el modelo AttachedFile para escapar siempre el html y evitar así ataques XSS usando el nombre del archivo. Añadido también un test unitario para prevenir regresiones.

Core/Model/AttachedFile.php

@@ -155,6 +155,9 @@ public function test(): bool
             return $this->setFile() && parent::test();
         }
 
+        $this->filename = self::toolBox()::utils()::noHtml($this->filename);
+        $this->mimetype = self::toolBox()::utils()::noHtml($this->mimetype);
+        $this->path = self::toolBox()::utils()::noHtml($this->path);
         return parent::test();
     }
 

Test/Core/Model/AttachedFileTest.php

@@ -0,0 +1,56 @@
+<?php
+/**
+ * This file is part of FacturaScripts
+ * Copyright (C) 2022 Carlos Garcia Gomez <carlos@facturascripts.com>
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Lesser General Public License as
+ * published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ */
+
+namespace FacturaScripts\Test\Core\Model;
+
+use FacturaScripts\Core\Base\ToolBox;
+use FacturaScripts\Core\Model\AttachedFile;
+use PHPUnit\Framework\TestCase;
+
+final class AttachedFileTest extends TestCase
+{
+    public function testSaveFile()
+    {
+        $name = 'xss"\'><img src=x onerror=alert(123)>.jpeg';
+        $filePath = FS_FOLDER . '/Test/__files/' . $name;
+        $this->assertTrue(file_exists($filePath), 'File not found: ' . $filePath);
+
+        // copiamos el archivo a MyFiles
+        $this->assertTrue(copy($filePath, FS_FOLDER . '/MyFiles/' . $name), 'File not copied');
+
+        $model = new AttachedFile();
+        $model->path = $name;
+        $this->assertTrue($model->save(), 'can-not-save-file');
+
+        // filename no puede contener html
+        $fileNameNoHtml = ToolBox::utils()::noHtml($name);
+        $this->assertEquals($fileNameNoHtml, $model->filename);
+
+        // si forzamos el html en el filename, debe quitar el html
+        $model->filename = $name;
+        $this->assertTrue($model->save(), 'can-not-update-file');
+        $this->assertEquals($fileNameNoHtml, $model->filename);
+
+        // podemos eliminar
+        $this->assertTrue($model->delete(), 'can-not-delete-file');
+
+        // el archivo ya no está en el path
+        $this->assertFalse(file_exists($model->path));
+    }
+}