From b3f827ed5ee8b5d78998cbc72d9560e227df6848 Mon Sep 17 00:00:00 2001 From: Pierre Goiffon Date: Mon, 18 Oct 2021 11:38:00 +0200 Subject: [PATCH] =?UTF-8?q?N=C2=B04367=20Security=20hardening?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- application/ui.extkeywidget.class.inc.php | 4 +- js/utils.js | 66 ++++++++++++++ test/VisualTest/sanitize_test.php | 105 ++++++++++++++++++++++ 3 files changed, 173 insertions(+), 2 deletions(-) create mode 100644 test/VisualTest/sanitize_test.php diff --git a/application/ui.extkeywidget.class.inc.php b/application/ui.extkeywidget.class.inc.php index b371d6204..bf918bf72 100644 --- a/application/ui.extkeywidget.class.inc.php +++ b/application/ui.extkeywidget.class.inc.php @@ -373,10 +373,10 @@ EOF $sHTML .= "\n"; $sHTML .= ''; - $sDialogTitle = addslashes($sTitle); + $sDialogTitleSanitized = utils::HtmlToText($sTitle); $oPage->add_ready_script( <<iId}').dialog({ width: $(window).width()*0.8, height: $(window).height()*0.8, autoOpen: false, modal: true, title: '$sDialogTitle', resizeStop: oACWidget_{$this->iId}.UpdateSizes, close: oACWidget_{$this->iId}.OnClose }); + $('#ac_dlg_{$this->iId}').dialog({ width: $(window).width()*0.8, height: $(window).height()*0.8, autoOpen: false, modal: true, title: '$sDialogTitleSanitized', resizeStop: oACWidget_{$this->iId}.UpdateSizes, close: oACWidget_{$this->iId}.OnClose }); $('#fs_{$this->iId}').bind('submit.uiAutocomplete', oACWidget_{$this->iId}.DoSearchObjects); $('#dc_{$this->iId}').resize(oACWidget_{$this->iId}.UpdateSizes); EOF diff --git a/js/utils.js b/js/utils.js index 59af2b480..b1d1f9585 100644 --- a/js/utils.js +++ b/js/utils.js 
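Review bot: `$sDialogTitleSanitized` is still interpolated inside a single-quoted JavaScript literal (`title: '$sDialogTitleSanitized'`) in the `add_ready_script` heredoc, and the commit drops the `addslashes()` that used to escape quotes for that context. `utils::HtmlToText()` is not shown on this page; from its name it converts markup to plain text, so a title containing a quote, a backslash or a line break (including an entity-encoded quote it may decode) can still terminate the literal. Emitting the value as a JSON literal escapes it for the JavaScript context whatever it contains: `$sDialogTitleSanitized = json_encode(utils::HtmlToText($sTitle), JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_AMP);` and `title: $sDialogTitleSanitized,` without the surrounding quotes. The `-` marker of the removed `dialog({ … })` line was lost when the page was extracted, so the old and new versions appear merged in this hunk.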
@@ -739,4 +739,70 @@ Dict.Format = function () {
 var args = Array.from(arguments);
 args[0] = Dict.S(arguments[0]);
 return Format(args);
+}
+
+
+
+/**
+ * Helper to Sanitize string
+ *
+ * Note: Same as in php (see \utils::Sanitize)
+ *
+ * @api
+ * @since 2.6.5 2.7.6 3.0.0 N°4367
+ */
+const CombodoSanitizer = {
+ ENUM_SANITIZATION_FILTER_INTEGER: 'integer',
+ ENUM_SANITIZATION_FILTER_STRING: 'string',
+ ENUM_SANITIZATION_FILTER_CONTEXT_PARAM: 'context_param',
+ ENUM_SANITIZATION_FILTER_PARAMETER: 'parameter',
+ ENUM_SANITIZATION_FILTER_FIELD_NAME: 'field_name',
+ ENUM_SANITIZATION_FILTER_TRANSACTION_ID: 'transaction_id',
+ ENUM_SANITIZATION_FILTER_ELEMENT_IDENTIFIER: 'element_identifier',
+ ENUM_SANITIZATION_FILTER_VARIABLE_NAME: 'variable_name',
+
+ /**
+ * @param {String} sValue The string to sanitize
+ * @param {String} sDefaultValue The string to return if sValue not match (used for some filters)
+ * @param {String} sSanitizationFilter one of the ENUM_SANITIZATION_FILTERs
+ */
+ Sanitize: function (sValue, sDefaultValue, sSanitizationFilter) {
+ switch (sSanitizationFilter) {
+ case CombodoSanitizer.ENUM_SANITIZATION_FILTER_INTEGER:
+ return this._CleanString(sValue, sDefaultValue, /[^0-9-+]*/g);
+
+ case CombodoSanitizer.ENUM_SANITIZATION_FILTER_STRING:
+ return $("
").text(sValue).text(); + + case CombodoSanitizer.ENUM_SANITIZATION_FILTER_TRANSACTION_ID: + return this._ReplaceString(sValue, sDefaultValue, /^([\. A-Za-z0-9_=-]*)$/g, ''); + + case CombodoSanitizer.ENUM_SANITIZATION_FILTER_PARAMETER: + return this._ReplaceString(sValue, sDefaultValue, /^([ A-Za-z0-9_=-]*)$/g); + + case CombodoSanitizer.ENUM_SANITIZATION_FILTER_FIELD_NAME: + return this._ReplaceString(sValue, sDefaultValue, /^[A-Za-z0-9_]+(->[A-Za-z0-9_]+)*$/g); + + case CombodoSanitizer.ENUM_SANITIZATION_FILTER_CONTEXT_PARAM: + return this._ReplaceString(sValue, sDefaultValue, /^[ A-Za-z0-9_=%:+-]*$/g); + + case CombodoSanitizer.ENUM_SANITIZATION_FILTER_ELEMENT_IDENTIFIER: + return this._CleanString(sValue, sDefaultValue, /[^a-zA-Z0-9_]/g); + + case CombodoSanitizer.ENUM_SANITIZATION_FILTER_VARIABLE_NAME: + return this._CleanString(sValue, sDefaultValue, /[^a-zA-Z0-9_]/g); + + } + return sDefaultValue; + }, + _CleanString: function (sValue, sDefaultValue, sRegExp) { + return sValue.replace(sRegExp, ''); + }, + _ReplaceString: function (sValue, sDefaultValue, sRegExp) { + if (sRegExp.test(sValue)) { + return sValue; + } else { + return sDefaultValue; + } + } } \ No newline at end of file diff --git a/test/VisualTest/sanitize_test.php b/test/VisualTest/sanitize_test.php new file mode 100644 index 000000000..f1a498392 --- /dev/null +++ b/test/VisualTest/sanitize_test.php @@ -0,0 +1,105 @@ + + {$sType} + {$sValue} + {$sSanitizedValue} + + + + +HTML; + + $index++; +} + +$aValues = array( + "test", + "t;e-s_t$", + "123test", + "\"('èé&=hcb test", + "
Hello!
", + "*-+7464+guigez cfuze", + "", + "()=°²€", + "éèç", +); + +$aTypes = array( + 'context_param', + 'element_identifier', + 'field_name', + 'integer', + 'parameter', + 'string', + 'transaction_id', +// 'variable_name', // introduced in 3.0.0 +); + +?> + + + + + + + + + + + + + + + + + + +
Typechaine initialechaine sanitize by phpchaine sanitize by js status test
+ +
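Review bot: The row heredoc echoes `{$sValue}` and `{$sSanitizedValue}` straight into the HTML, while `$aValues` deliberately contains quotes and markup (`"\"('èé&=hcb test"` and the tag-wrapped `Hello!` entry), so the "chaine initiale" column renders the markup instead of displaying the literal input that this visual test is meant to compare. Wrapping both with `htmlentities($sValue, ENT_QUOTES, 'UTF-8')` and `htmlentities($sSanitizedValue, ENT_QUOTES, 'UTF-8')` makes the page show exactly what went in and what came out of the PHP filter. The PHP prologue of this file, including the code that builds the rows before the `HTML;` terminator, was lost in extraction, so the enclosing function or loop of that heredoc starts outside what is visible here.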