fix: HTML Injection in modules/utenti/edit.php

Author: Pek5892

modules/utenti/ajax/select.php

@@ -51,14 +51,14 @@
         $rs = $dbo->fetchArray($query);
         foreach ($rs as $r) {
             if ($prev != $r['optgroup']) {
-                $results[] = ['text' => $r['optgroup'], 'children' => []];
+                $results[] = ['text' => htmlspecialchars($r['optgroup'], ENT_QUOTES, 'UTF-8'), 'children' => []];
                 $prev = $r['optgroup'];
             }
 
             $results[count($results) - 1]['children'][] = [
                 'id' => $r['id'],
-                'text' => $r['descrizione'],
-                'descrizione' => $r['descrizione'],
+                'text' => htmlspecialchars($r['descrizione'], ENT_QUOTES, 'UTF-8'),
+                'descrizione' => htmlspecialchars($r['descrizione'], ENT_QUOTES, 'UTF-8'),
             ];
         }
 
@@ -106,14 +106,14 @@
         $rs = $dbo->fetchArray($query);
         foreach ($rs as $r) {
             if ($prev != $r['optgroup']) {
-                $results[] = ['text' => $r['optgroup'], 'children' => []];
+                $results[] = ['text' => htmlspecialchars($r['optgroup'], ENT_QUOTES, 'UTF-8'), 'children' => []];
                 $prev = $r['optgroup'];
             }
 
             $results[count($results) - 1]['children'][] = [
                 'id' => $r['id'],
-                'text' => $r['descrizione'],
-                'descrizione' => $r['descrizione'],
+                'text' => htmlspecialchars($r['descrizione'], ENT_QUOTES, 'UTF-8'),
+                'descrizione' => htmlspecialchars($r['descrizione'], ENT_QUOTES, 'UTF-8'),
             ];
         }
 

modules/utenti/edit.php

@@ -61,7 +61,7 @@
 		<div class="card-header">
 			<h3 class="card-title">
                 <i class="fa fa-users mr-2"></i>'.tr('Utenti del gruppo: _GROUP_', [
-    '_GROUP_' => '<span class="text-primary">'.$group->getTranslation('title').'</span>',
+    '_GROUP_' => '<span class="text-primary">'.htmlspecialchars($group->getTranslation('title')).'</span>',
 ]).'</h3>
             <div class="card-tools">
                 <a data-card-widget="modal" data-href="'.$structure->fileurl('user.php').'?id_module='.$id_module.'&id_record='.$id_record.'" data-msg="" data-backto="record-edit" data-title="'.tr('Aggiungi utente').'" class="btn btn-sm btn-primary">
@@ -249,7 +249,7 @@
 			<div class="card-header">
 				<h3 class="card-title">
 					<i class="fa fa-lock mr-2"></i>'.tr('Permessi del gruppo: _GROUP_', [
-    '_GROUP_' => '<span class="text-primary">'.$record['nome'].'</span>',
+    '_GROUP_' => '<span class="text-primary">'.htmlspecialchars($record['nome']).'</span>',
 ]).'</h3>'.((empty($record['editable']) && ($record['nome'] != 'Amministratori')) ? '
 				<div class="card-tools">
 					<btn type="button" class="btn clickable btn-sm btn-warning float-right ask" data-msg="<small>'.tr('Verranno reimpostati i permessi di default per il gruppo '.$record['nome']).'.</small>" data-class="btn btn-warning" data-button="'.tr('Reimposta permessi').'" data-op="restore_permission">'.tr('Reimposta permessi').'</btn>

src/AJAX.php

@@ -124,7 +124,7 @@ public static function selectResults($query, $where, $filter = [], $search = [],
         foreach ($rows as $row) {
             $result = $row;
             foreach ($custom as $key => $value) {
-                $result[$key] = $row[$value];
+                $result[$key] = htmlspecialchars($row[$value] ?? '', ENT_QUOTES, 'UTF-8');
             }
 
             $results[] = $result;

src/Modules.php

@@ -312,7 +312,7 @@ public static function getMainMenu($depth = 3)
      */
     public static function link($modulo, $id_record = null, $testo = null, $alternativo = true, $extra = null, $blank = true, $anchor = null, $params = null)
     {
-        $testo = isset($testo) ? nl2br($testo) : '';
+        $testo = isset($testo) ? nl2br(htmlspecialchars($testo, ENT_QUOTES, 'UTF-8')) : '';
         $alternativo = is_bool($alternativo) && $alternativo ? $testo : $alternativo;
 
         // Verifica se il testo contiene un'icona