composer/iTop
6
0
Fork 0
mirror of https://github.com/Combodo/iTop.git synced 2026-02-26 05:44:12 +01:00
Code Issues Packages Projects Releases Wiki Activity
Files
43fc6f8d4e4869c8dcc4828daec61d0aab8dc86f
iTop/sources/Application/Helper/ExportHelper.php
Stephen Abello 43fc6f8d4e Remove space character from potential attack vectors
2026-02-25 11:58:44 +01:00

108 lines
3.3 KiB
PHP
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
<?php
namespace Combodo\iTop\Application\Helper;
use Combodo\iTop\Application\UI\Base\Component\Alert\AlertUIBlockFactory;
use Combodo\iTop\Application\UI\Base\Component\Input\InputUIBlockFactory;
use Combodo\iTop\Application\UI\Base\Component\Input\InputWithLabel;
use Combodo\iTop\Application\UI\Base\UIBlock;
use Dict;
use utils;
/**
* Class
* ExportHelper
*
* @internal
* @author Stephen Abello <stephen.abello@combodo.com>
* @since 2.7.9 3.0.4 3.1.1 3.2.0
* @package Combodo\iTop\Application\Helper
*/
class ExportHelper
{
public const EXCEL_FORMULA_CHARACTERS = ['=', '', '+', '', '-', '', '@', '', '|', "\t", "\n", "\r"];
public static function GetAlertForExcelMaliciousInjection()
{
$sWikiUrl = 'https://www.itophub.io/wiki/page?id='.utils::GetItopVersionWikiSyntax().'%3Auser%3Alists#excel_export';
$oAlert = AlertUIBlockFactory::MakeForWarning(Dict::S('UI:Bulk:Export:MaliciousInjection:Alert:Title'), Dict::Format('UI:Bulk:Export:MaliciousInjection:Alert:Message', $sWikiUrl), 'ibo-sanitize-excel-export--alert');
$oAlert->EnableSaveCollapsibleState(true)
->SetIsClosable(false);
return $oAlert;
}
/**
* @return InputWithLabel
*
* @since 3.2.3
*/
public static function GetInputForSanitizeExcelExport(): UIBlock
{
$oSanitizeInput = InputUIBlockFactory::MakeForInputWithLabel(Dict::S('UI:Bulk:Export:MaliciousInjection:Input:Label'), 'sanitize_excel_export', 1, 'ibo-sanitize-excel-export--input', 'checkbox');
$oSanitizeInput->GetInput()->SetIsChecked(true);
$oSanitizeInput->SetBeforeInput(false);
$oSanitizeInput->SetDescription(Dict::S('UI:Bulk:Export:MaliciousInjection:Input:Tooltip'));
$oSanitizeInput->GetInput()->AddCSSClass('ibo-input-checkbox');
return $oSanitizeInput;
}
/**
* @param string $sValue
* @return bool
*
* @since 3.2.3
*/
public static function IsValueFormulaCandidate(string $sValue): bool
{
// An empty value cannot be a formula, so we can skip all the checks in this case
if ($sValue === '') {
return false;
}
$bHasFormulaCandidate = false;
$sFirstChar = mb_substr($sValue, 0, 1);
$bHasFormulaCandidate |= in_array($sFirstChar, static::EXCEL_FORMULA_CHARACTERS, true);
// If the string is less than 3 characters long, it cannot start with a url encoded formula character, so we can skip this check in this case
if (mb_strlen($sValue) < 3) {
return $bHasFormulaCandidate;
}
// Additionally, check if the first three character could be a formula character url encodeded
$sFirstThreeChars = mb_strtoupper(mb_substr($sValue, 0, 3));
$aUrlEncodedFormulaCharacters = array_map('urlencode', static::EXCEL_FORMULA_CHARACTERS);
$bHasFormulaCandidate |= in_array($sFirstThreeChars, $aUrlEncodedFormulaCharacters, true);
return $bHasFormulaCandidate;
}
/**
* @param string $sField
* @param string $sTextQualifier
* @return string
*
* @since 3.2.3
*/
public static function SanitizeField(string $sField, string $sTextQualifier = ''): string
{
if ($sField === '') {
return $sField;
}
$sQualifier = $sTextQualifier;
if ($sQualifier !== '' && str_starts_with($sField, $sQualifier)) {
$sAfterQualifier = substr($sField, strlen($sQualifier));
if (self::IsValueFormulaCandidate($sAfterQualifier)) {
return $sQualifier."'".$sAfterQualifier;
}
} elseif (self::IsValueFormulaCandidate($sField)) {
return "'".$sField;
}
return $sField;
}
}
Reference in New Issue View Git Blame Copy Permalink