From 7301abade7d0b7066b717def4f064256c6420935 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jos=C3=A9=20Lira?= <joserobertolira@gmail.com>
Date: Mon, 7 Oct 2024 16:59:07 -0300
Subject: [PATCH] fix: "Mitigated XXE vulnerability in contact.php"

---
 .../a5/vinijr-blog/app/contact.php            | 28 ++++++++++++++-----
 1 file changed, 21 insertions(+), 7 deletions(-)

diff --git a/owasp-top10-2021-apps/a5/vinijr-blog/app/contact.php b/owasp-top10-2021-apps/a5/vinijr-blog/app/contact.php
index a501a26c0..209cf3fa4 100644
--- a/owasp-top10-2021-apps/a5/vinijr-blog/app/contact.php
+++ b/owasp-top10-2021-apps/a5/vinijr-blog/app/contact.php
@@ -1,12 +1,26 @@
 <?php
+libxml_disable_entity_loader(true);
+
 $xmlfile = file_get_contents('php://input');
+
 $dom = new DOMDocument();
-$dom->loadXML($xmlfile, LIBXML_NOENT | LIBXML_DTDLOAD);
+
+$dom->loadXML($xmlfile, LIBXML_NOENT | LIBXML_DTDLOAD | LIBXML_NOERROR | LIBXML_NOWARNING);
+
 $contact = simplexml_import_dom($dom);
-$name = $contact->name;
-$email = $contact->email;
-$subject = $contact->subject;
-$message = $contact->message;
 
-echo "Thanks for the message, $name !";
-?>
+if (isset($contact->name) && isset($contact->email) && isset($contact->subject) && isset($contact->message)) {
+    $name    = htmlspecialchars($contact->name, ENT_QUOTES, 'UTF-8');
+    $email   = filter_var($contact->email, FILTER_VALIDATE_EMAIL);
+    $subject = htmlspecialchars($contact->subject, ENT_QUOTES, 'UTF-8');
+    $message = htmlspecialchars($contact->message, ENT_QUOTES, 'UTF-8');
+
+    if ($email !== false) {
+        echo "Thanks for the message, $name!";
+    } else {
+        echo "Invalid email address!";
+    }
+} else {
+    echo "Invalid XML format!";
+}
+