
Added URL check to the transport agency model's web field to prevent XSS attacks.

------
Añadida verificación de url al campo web del modelo de agencia de transporte para evitar ataques XSS.
NeoRazorX committed May 10, 2022
1 parent cc8db28 commit 891ed74
Showing 2 changed files with 26 additions and 0 deletions.
7 changes: 7 additions & 0 deletions Core/Model/AgenciaTransporte.php
Expand Up @@ -91,6 +91,13 @@ public function test(): bool
$this->nombre = $utils->noHtml($this->nombre);
$this->telefono = $utils->noHtml($this->telefono);
$this->web = $utils->noHtml($this->web);

// check if the web is a valid url
if (!empty($this->web) && !filter_var($this->web, FILTER_VALIDATE_URL)) {
self::toolBox()::i18nLog()->error('invalid-web');
return false;
}

return parent::test();
}

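Review bot: FILTER_VALIDATE_URL on the new `if` line checks URL syntax only and does not restrict the scheme, so a syntactically well-formed URL with a non-http(s) scheme still passes; on its own it is not an XSS guard, and the commit title promises more than the check delivers. Restrict the scheme with an allow-list, e.g. `$scheme = strtolower((string) parse_url($this->web, PHP_URL_SCHEME));` followed by `if (!empty($this->web) && (!filter_var($this->web, FILTER_VALIDATE_URL) || !in_array($scheme, ['http', 'https'], true))) {`. Whatever view renders the field must still escape it for the attribute context it lands in, independently of this model-level check. Two caveats worth a comment: FILTER_VALIDATE_URL rejects non-ASCII (internationalised) hostnames, and the value has already been rewritten by `$utils->noHtml()` on the line above, so it is the rewritten string that gets validated. The enclosing test() method starts outside the hunk.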
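--- a/Test/Core/Model/AgenciaTransporteTest.php
+++ b/Test/Core/Model/AgenciaTransporteTest.php
@@ -52,6 +52,25 @@ public function testCreateWithNewCode()
 $this->assertTrue($agency->delete(), 'agency-cant-delete');
 }
 
+public function testBadWeb()
+{
+$agency = new AgenciaTransporte();
+$agency->codtrans = 'Test';
+$agency->nombre = 'Test Agency';
+$agency->web = 'javascript:alert(origin)';
+$this->assertFalse($agency->save(), 'agency-can-save-bad-web');
+}
+
+public function testGoodWeb()
+{
+$agency = new AgenciaTransporte();
+$agency->codtrans = 'Test';
+$agency->nombre = 'Test Agency';
+$agency->web = 'https://www.facturascripts.com';
+$this->assertTrue($agency->save(), 'agency-cant-save-good-web');
+$this->assertTrue($agency->delete(), 'agency-cant-delete');
+}
+
 protected function tearDown(): void
 {
 $this->logErrors();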
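Review bot: testBadWeb pins a single rejected value (a scheme with no authority part), so it does not establish that the model rejects other non-http(s) schemes or a bare hostname with no scheme at all; a data provider with those cases would document the intended policy rather than one input. Both new tests repeat the same three-line setup, which could move into a private factory method such as `private function newAgency(string $web): AgenciaTransporte`. testBadWeb also leaves the `invalid-web` error in the log, and tearDown calls `logErrors()`, whose body is outside the hunk, so it is worth confirming that this does not turn the negative test into a failure. The enclosing test class starts before the hunk.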
