From be7e1cf5e3adf4d3aa35656f28353eb430c269af Mon Sep 17 00:00:00 2001
From: gtbu
Date: Wed, 19 Mar 2025 22:09:10 +0100
Subject: [PATCH] update Text.php
---
include/admin/Layout/Text.php | 45 ++++++++++++++++++++++-------------
1 file changed, 28 insertions(+), 17 deletions(-)
diff --git a/include/admin/Layout/Text.php b/include/admin/Layout/Text.php
index 7d8ceba..8d29042 100644
--- a/include/admin/Layout/Text.php
+++ b/include/admin/Layout/Text.php
@@ -37,7 +37,7 @@ class Text extends \gp\admin\Layout{
echo '
'; echo '
'; echo ''; - echo ''; //will be populated by javascript + echo ''; //will be populated by javascript $this->AddonTextFields($texts); @@ -58,7 +58,7 @@ class Text extends \gp\admin\Layout{ echo ''; echo ''; - $key =& $_GET['key']; + $key = isset($_GET['key']) ? $this->sanitizeKey($_GET['key']) : ''; // Sanitize first foreach($array as $text){ $value = $text; @@ -75,9 +75,9 @@ class Text extends \gp\admin\Layout{ } echo ''; - echo $text; + echo htmlspecialchars($text, ENT_QUOTES); echo ''; - echo ''; + echo ''; //value has already been escaped with htmlspecialchars() echo ''; @@ -94,14 +94,14 @@ class Text extends \gp\admin\Layout{ return; } - $key = $_GET['key']; - $default = isset($langmessage[$key]) ? $langmessage[$key] : htmlspecialchars($key); - $value = isset($config['customlang'][$key]) ? $config['customlang'][$key] : htmlspecialchars($key); + $key = $this->sanitizeKey($_GET['key']); // Sanitize input + $default = isset($langmessage[$key]) ? $langmessage[$key] : htmlspecialchars($key, ENT_QUOTES); + $value = isset($config['customlang'][$key]) ? $config['customlang'][$key] : htmlspecialchars($key, ENT_QUOTES); echo '
'; echo ''; echo ''; - echo ''; + echo ''; echo ''; echo ''; echo ''; echo '
'; @@ -110,10 +110,10 @@ class Text extends \gp\admin\Layout{ echo $langmessage['edit']; echo '
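Review bot: `$this->sanitizeKey($_GET['key'])` is called here without the `isset()`/`is_string()` guard the same commit added in the list view, so a missing or array-valued `key` becomes a TypeError unless the `return;` just above the hunk already rejects it — that check is not visible. More importantly, stripping characters silently changes which entry is addressed: any `$langmessage` key that contains a space or other disallowed character can no longer be found after sanitisation, and the form will then create a `customlang` entry under the mangled name that nothing reads. For a value used as a lookup/storage key, validate against the set of known keys (`$langmessage` plus the addon texts the list view iterates) or reject non-matching input, e.g. `if( $key === '' ){ return; }` after a reject-on-mismatch `sanitizeKey()`, rather than rewriting it. The method's opening lines are outside this hunk.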
'; - echo $default; + echo htmlspecialchars($default, ENT_QUOTES); echo ''; //$value is already escaped using htmlspecialchars() - echo ''; + echo ''; echo '
'; echo '

'; @@ -139,13 +139,14 @@ class Text extends \gp\admin\Layout{ return; } - $default = $key = $_POST['key']; + $key = $this->sanitizeKey($_POST['key']); + $default = $key; if( isset($langmessage[$key]) ){ $default = $langmessage[$key]; } - $config['customlang'][$key] = $value = htmlspecialchars($_POST['value']); - if( ($value === $default) || (htmlspecialchars($default) == $value) ){ + $config['customlang'][$key] = $value = htmlspecialchars($_POST['value'], ENT_QUOTES); + if( ($value === $default) || (htmlspecialchars($default, ENT_QUOTES) == $value) ){ unset($config['customlang'][$key]); } @@ -170,15 +171,15 @@ class Text extends \gp\admin\Layout{ continue; } - + $text = $this->sanitizeKey($text); // Sanitize text key as well $default = $text; if( isset($langmessage[$text]) ){ $default = $langmessage[$text]; } - $value = htmlspecialchars($_POST['values'][$text]); + $value = htmlspecialchars($_POST['values'][$text], ENT_QUOTES); - if( ($value === $default) || (htmlspecialchars($default) == $value) ){ + if( ($value === $default) || (htmlspecialchars($default, ENT_QUOTES) == $value) ){ unset($config['customlang'][$text]); }else{ $config['customlang'][$text] = $value; @@ -236,4 +237,14 @@ class Text extends \gp\admin\Layout{ return $texts; } -} + /** + * Sanitize the key parameter. Allow only alphanumeric characters, underscores, and hyphens. + * + * @param string $key The key to sanitize. + * @return string The sanitized key. + */ + private function sanitizeKey(string $key): string + { + return preg_replace('/[^a-zA-Z0-9_\-]/', '', $key); + } +} \ No newline at end of file
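Review bot: `echo htmlspecialchars($default, ENT_QUOTES);` double-encodes in the fallback case: the preceding hunk, which by its line range (94–107 vs 110–119) appears to belong to the same method, assigns `$default = ... : htmlspecialchars($key, ENT_QUOTES)` when the key is not in `$langmessage`, so that branch is now escaped twice (`&` becomes `&amp;amp;`). With the current `sanitizeKey()` the key cannot contain such characters, so the defect is latent, but it surfaces as soon as the key filter is relaxed. Escape once, at the output point: keep the raw key in the assignment (`$default = isset($langmessage[$key]) ? $langmessage[$key] : $key;`) and leave this `echo` as the single escaping step. Also confirm whether `$langmessage` values are permitted to carry markup, since this line now escapes them too.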
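Review bot: `htmlspecialchars($_POST['value'], ENT_QUOTES)` throws a TypeError when `value` arrives as an array (`value[]=x`), and `sanitizeKey($_POST['key'])` has the same exposure; the `return;` above the hunk may cover one of them but is outside the visible lines, so add `is_string()` checks on both before use. Passing `ENT_QUOTES` alone also drops `ENT_SUBSTITUTE`, which on PHP 8.1+ was part of the implicit default, so a value with invalid UTF-8 now escapes to `''` and is persisted to `customlang` as an empty string without any error; use `ENT_QUOTES | ENT_SUBSTITUTE` on the stored value. On the comparison line, prefer `htmlspecialchars($default, ENT_QUOTES) === $value` — both operands are strings and `==` only adds numeric-string surprises. The enclosing method starts before and ends after this hunk.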
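Review bot: `$text = $this->sanitizeKey($text);` rewrites a key that, judging by the loop, is the iteration variable over the server-side text list rather than request input, and it does so after the `continue` guard above the hunk has presumably already tested `$_POST['values'][$text]` with the original key; for any key containing a stripped character, the subsequent `$_POST['values'][$text]` lookup then misses (undefined index, `null` into `htmlspecialchars()`), and the result is written to a `customlang` key that nothing will ever read. Remove that line and instead validate the attacker-controlled side: `if( !is_string($_POST['values'][$text]) ){ continue; }` before escaping it. The loop header and the start of the method are outside the hunk, so confirm where `$text` originates before acting on this.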
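Review bot: `sanitizeKey()` strips disallowed characters instead of rejecting the input, so distinct inputs collapse onto one key (`'a b'` and `'ab'`) and the caller never learns the key was altered; for an identifier that is used to look up and store entries, a validate-or-fail shape is safer: `if( !preg_match('/^[A-Za-z0-9_\-]+$/D', $key) ){ return ''; }` then `return $key;`, letting callers treat `''` as "no key". The `string` parameter type also turns any non-string request value (`key[]=x`) into an uncaught TypeError, so either type the parameter `mixed` and return `''` for non-strings or ensure every caller checks `is_string()` first. Whichever shape is kept, the docblock should say it plainly — e.g. `Characters outside [A-Za-z0-9_-] are removed, not rejected; distinct inputs may map to the same key` — because the current wording ("Allow only…") reads as validation.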