Merge pull request philippK-de#120 from mdwheele/security/userprofile…

…-xss Mitigate XSS attack on user profile page
tshoper · Oct 18, 2016 · a9e2427 · a9e2427
2 parents 18d814e + 381ce1f
commit a9e2427
Show file tree

Hide file tree

Showing 3 changed files with 14 additions and 1 deletion.
diff --git a/include/initfunctions.php b/include/initfunctions.php
@@ -207,6 +207,14 @@ function getArrayVal(array $array, $name)
     }
 }
 
+function purify($dirty)
+{
+    $config = HTMLPurifier_Config::createDefault();
+    $config->set('Cache.SerializerPath', CL_ROOT . "/files/standard/ics");
+    $purifier = new HTMLPurifier($config);
+    return $purifier->purify($dirty);
+}
+
 function cleanArray(array $theArray)
 {
     $outArray = array();

diff --git a/manageuser.php b/manageuser.php
@@ -208,6 +208,11 @@
     $template->assign("title", $title);
     $template->assign("user", $profile);
 
+    // This is done specifically to address an XSS vulnerability
+    // caused by rendering two user inputs on same line in HTML.
+    // They must be escaped together and rendered as one.
+    $template->assign("zipcity", purify(implode(' ', [$profile['zip'], $profile['adress2']])));
+
     $template->display("userprofile.tpl");
 } elseif ($action == "showproject") {
     if (!chkproject($userid, $id)) {

diff --git a/templates/standard/userprofile.tpl b/templates/standard/userprofile.tpl
@@ -103,7 +103,7 @@
                                             <tbody class="color-b">
                                             <tr>
                                                 <td><strong>{#zip#} / {#city#}:</strong></td>
-                                                <td class="right">{$user.zip}{if $user.zip && $user.adress2} {/if}{$user.adress2} </td>
+                                                <td class="right">{$zipcity} </td>
                                             </tr>
                                             </tbody>