From 659e328c06a127249e651100d2bc7ec1d2dd8533 Mon Sep 17 00:00:00 2001
From: joebordes
Date: Fri, 2 Jun 2023 18:46:09 +0200
Subject: [PATCH] sec(Users) sanitize email and name

---
 modules/Users/DetailViewAjax.php | 5 +++++
 modules/Users/Save.php | 2 ++
 2 files changed, 7 insertions(+)

diff --git a/modules/Users/DetailViewAjax.php b/modules/Users/DetailViewAjax.php
index f8de535fbb..a041d0ffdd 100644
--- a/modules/Users/DetailViewAjax.php
+++ b/modules/Users/DetailViewAjax.php
@@ -58,6 +58,11 @@
 $_REQUEST[$widget] = $visible;
 }
 $_REQUEST['tagcloudview'] = $homeStuffOrder['Tag Cloud'];
+$userObj->column_fields['first_name'] = vtlib_purify($userObj->column_fields['first_name']);
+$userObj->column_fields['last_name'] = vtlib_purify($userObj->column_fields['last_name']);
+$userObj->column_fields['email1'] = filter_var($userObj->column_fields['email1'], FILTER_SANITIZE_EMAIL);
+$userObj->column_fields['email2'] = filter_var($userObj->column_fields['email2'], FILTER_SANITIZE_EMAIL);
+$userObj->column_fields['secondaryemail'] = filter_var($userObj->column_fields['secondaryemail'], FILTER_SANITIZE_EMAIL);
 $userObj->save('Users');
 if ($userObj->id != '') {
 echo ':#:SUCCESS:#:';
diff --git a/modules/Users/Save.php b/modules/Users/Save.php
index 19ef890c75..323c7fb5de 100644
--- a/modules/Users/Save.php
+++ b/modules/Users/Save.php
@@ -124,6 +124,8 @@
 coreBOS_Session::set('internal_mailer', $focus->column_fields['internal_mailer']);
 }
 setObjectValuesFromRequest($focus);
+$focus->column_fields['first_name'] = vtlib_purify($focus->column_fields['first_name']);
+$focus->column_fields['last_name'] = vtlib_purify($focus->column_fields['last_name']);
 $focus->column_fields['email1'] = filter_var($focus->column_fields['email1'], FILTER_SANITIZE_EMAIL);
 $focus->column_fields['email2'] = filter_var($focus->column_fields['email2'], FILTER_SANITIZE_EMAIL);
 $focus->column_fields['secondaryemail'] = filter_var($focus->column_fields['secondaryemail'], FILTER_SANITIZE_EMAIL);
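Review bot: FILTER_SANITIZE_EMAIL on the three added email1/email2/secondaryemail lines in the DetailViewAjax.php hunk only strips characters outside the allowed set and never rejects a malformed address, so a value that was not a valid e-mail is silently rewritten and passed straight to `$userObj->save('Users')` on the next line; the identical sanitize lines are context in the Save.php hunk and have the same property. Following the sanitize with a validation step that makes the rejection explicit, e.g. `if (filter_var($userObj->column_fields['email1'], FILTER_VALIDATE_EMAIL) === false) { $userObj->column_fields['email1'] = ''; }` (or reporting the error back to the caller instead of blanking it), avoids storing a mangled address that no one intended. The five sanitize/purify lines are now duplicated verbatim between DetailViewAjax.php and Save.php, so a shared helper applied in both save paths would keep any future entry point consistent. What vtlib_purify actually does to first_name/last_name is not visible in this diff, so whether it escapes for an HTML context or strips markup should be confirmed before treating it as the only defence at output time. Both hunks sit in top-level script code whose surrounding statements begin and end outside the hunk.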