From acf948676b689e13d28bef27ff7d7d1fa175cb0c Mon Sep 17 00:00:00 2001
From: John Spellman
Date: Fri, 5 May 2023 13:23:47 -0600
Subject: [PATCH] Pass table values through our santization functions
---
 php/pantheon/utils.php | 20 ++++++++++++++++++--
 php/pantheon/views/table.php | 8 ++++++--
 2 files changed, 24 insertions(+), 4 deletions(-)
diff --git a/php/pantheon/utils.php b/php/pantheon/utils.php
index a987d40..b80675b 100644
--- a/php/pantheon/utils.php
+++ b/php/pantheon/utils.php
@@ -3,7 +3,6 @@ use \Symfony\Component\Filesystem\Filesystem;
 use \Symfony\Component\Finder\Finder;
-use \Pantheon\Utils as Pantheon;
 class Utils {
 static $fs;
@@ -60,8 +59,25 @@ public static function sanitize_data($data, $sanitizer_function = 'htmlspecialch
 array_map('self::sanitize_data', array_values((array)$data))
 );
 return is_object( $data ) ? (object)$sanitized_data : $sanitized_data;
- } elseif ( is_integer($data) ) {
+ } elseif ( is_integer( $data ) ) {
 return (string)$data;
+ } elseif ( is_string( $data ) ) {
+ $dom = new \DOMDocument;
+ $dom->loadHTML( $data );
+ $anchors = $dom->getElementsByTagName('a');
+
+ // Bail if our string does not only contain an anchor tag.
+ if ( 0 === $anchors->length ) {;
+ return $sanitizer_function($data);
+ }
+
+ $href = $anchors[0]->getAttribute('href');
+ $sanitized_href = call_user_func($sanitizer_function, $href);
+ $sanitized_link_text = call_user_func($sanitizer_function, $anchors[0]->textContent);
+
+ // Rebuild anchor tags to ensure there are no injected attributes.
+ $rebuilt_link = '' . $sanitized_link_text . '';
+ return $rebuilt_link;
 }
 return $sanitizer_function($data);
diff --git a/php/pantheon/views/table.php b/php/pantheon/views/table.php
index 2630751..6197fab 100644
--- a/php/pantheon/views/table.php
+++ b/php/pantheon/views/table.php
@@ -1,9 +1,13 @@ + + - +
@@ -12,7 +16,7 @@ - +
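Review bot: In the new `is_string` branch of `sanitize_data`, `$sanitized_href` is only passed through `$sanitizer_function` (`htmlspecialchars` by default), and attribute escaping does not restrict the URL scheme, so an `href` using a script scheme such as `javascript:` survives into the rebuilt anchor intact; the rebuild strips extra attributes but does not make the link itself safe. Validate the scheme before rebuilding (accept `http`/`https` and scheme-less relative targets, otherwise fall back to `$sanitizer_function($data)`), as in the excerpt below. Separately, `$dom->loadHTML( $data )` throws a `ValueError` on PHP 8 when `$data` is the empty string and emits warnings on malformed markup unless `libxml_use_internal_errors(true)` is active, so guard `'' === $data` first and restore the libxml flag afterwards; the bail-out `if` also carries a stray `;` after its `{`. Without a charset hint `loadHTML` assumes ISO-8859-1, so `$anchors[0]->textContent` may mangle non-ASCII link text — worth confirming against what the table callers pass in. `sanitize_data` begins before the hunk, and the anchor markup on the `$rebuilt_link` line is not visible in this rendering.
```php
} elseif ( is_string( $data ) ) {
    // loadHTML() rejects an empty string on PHP 8 and warns on malformed markup.
    if ( '' === $data ) {
        return $sanitizer_function( $data );
    }
    $dom = new \DOMDocument;
    $previous_libxml_state = libxml_use_internal_errors( true );
    $dom->loadHTML( $data );
    libxml_clear_errors();
    libxml_use_internal_errors( $previous_libxml_state );
    // … unchanged: anchor lookup and bail-out when no anchor is present …
    $href  = $anchors[0]->getAttribute('href');
    $parts = parse_url( $href );
    // Escaping cannot neutralise a URL scheme inside href: keep only http(s) or relative targets.
    $scheme = false === $parts ? null : strtolower( $parts['scheme'] ?? '' );
    if ( null === $scheme || ( '' !== $scheme && ! in_array( $scheme, [ 'http', 'https' ], true ) ) ) {
        return $sanitizer_function( $data );
    }
    // … unchanged: href/link-text escaping and anchor rebuild …
```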