sec(Emails) sanitize email fields

tsolucio · Jun 2, 2023 · b3a7a26 · b3a7a26
1 parent e3dabd7
commit b3a7a26
Show file tree

Hide file tree

Showing 2 changed files with 5 additions and 0 deletions.
diff --git a/data/CRMEntity.php b/data/CRMEntity.php
@@ -868,6 +868,8 @@ private function insertIntoEntityTable($table_name, $module) {
 							$fldvalue = $adb->query_result($res, 0, 'email1');
 						}
 					}
+				} elseif ($uitype == 13) {
+					$fldvalue = filter_var($this->column_fields[$fieldname], FILTER_SANITIZE_EMAIL);
 				} elseif (($uitype == 72 || $uitype == 7 || $uitype == 9) && !$ajaxSave) {
 					// Some of the currency fields like Unit Price, Total, Sub-total and normal numbers do not need currency conversion during save
 					$fldvalue = CurrencyField::convertToDBFormat($this->column_fields[$fieldname], null, true);

diff --git a/modules/Users/Save.php b/modules/Users/Save.php
@@ -124,6 +124,9 @@
 		coreBOS_Session::set('internal_mailer', $focus->column_fields['internal_mailer']);
 	}
 	setObjectValuesFromRequest($focus);
+	$focus->column_fields['email1'] = filter_var($focus->column_fields['email1'], FILTER_SANITIZE_EMAIL);
+	$focus->column_fields['email2'] = filter_var($focus->column_fields['email2'], FILTER_SANITIZE_EMAIL);
+	$focus->column_fields['secondaryemail'] = filter_var($focus->column_fields['secondaryemail'], FILTER_SANITIZE_EMAIL);
 
 	if (empty($focus->column_fields['roleid']) && !empty($_POST['user_role'])) {
 		$focus->column_fields['roleid'] = $_POST['user_role'];