From 3c416136588039109ccecb0cf7fc46abec56a310 Mon Sep 17 00:00:00 2001
From: prasad <prasad@vtiger.com>
Date: Thu, 12 Apr 2018 19:47:10 +0530
Subject: [PATCH] Server-side cleanup of request vars in calendar
---
 include/utils/VtlibUtils.php | 2 +-
 modules/Calendar/actions/Feed.php | 13 +++++++++++--
 2 files changed, 12 insertions(+), 3 deletions(-)
diff --git a/include/utils/VtlibUtils.php b/include/utils/VtlibUtils.php
index 9860d5618..30d15bca8 100644
--- a/include/utils/VtlibUtils.php
+++ b/include/utils/VtlibUtils.php
@@ -731,7 +731,7 @@ function purifyHtmlEventAttributes($value){
 * @return <String> $string/false
 */
 function vtlib_purifyForSql($string, $skipEmpty=true) {
- $pattern = "/^[_a-zA-Z0-9.]+$/";
+ $pattern = "/^[_a-zA-Z0-9.:\-]+$/";
 if ((empty($string) && $skipEmpty) || preg_match($pattern, $string)) {
 return $string;
 }
diff --git a/modules/Calendar/actions/Feed.php b/modules/Calendar/actions/Feed.php
index 844528165..91044cd13 100644
--- a/modules/Calendar/actions/Feed.php
+++ b/modules/Calendar/actions/Feed.php
@@ -53,6 +53,11 @@ class Calendar_Feed_Action extends Vtiger_BasicAjax_Action {
 public function _process($request) {
 try {
+ foreach ($request as $k => $v) {
+ if ($k == 'conditions' || $k == 'mapping') continue;
+ $request[$k] = $this->valForSql($v);
+ }
+
 $start = $request['start'];
 $end = $request['end'];
 $type = $request['type'];
@@ -87,6 +92,10 @@ class Calendar_Feed_Action extends Vtiger_BasicAjax_Action {
 }
 }
+ private function valForSql($value) {
+ return Vtiger_Util_Helper::validateStringForSql($value);
+ }
+
 protected function pullDetails($start, $end, &$result, $type, $fieldName, $color = null, $textColor = 'white', $conditions = '') {
 $moduleModel = Vtiger_Module_Model::getInstance($type);
 $nameFields = $moduleModel->getNameFields();
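Review bot: Adding `-` to the character class in `$pattern` lets `--` through, and when the purified value is interpolated into SQL and followed by the caller's next space or newline, MySQL treats `-- ` as a line comment, so everything after the value (a trailing `AND deleted = 0`, an `ORDER BY` direction) is silently dropped; a lone `-` also turns an identifier into an arithmetic expression. The callers are not visible from this hunk, so which queries are exposed is inferred, but the widening deserves either a narrower class or an explicit rejection, e.g. `if ((empty($string) && $skipEmpty) || (preg_match($pattern, $string) && strpos($string, '--') === false)) {`. Separately, `$` without the `D` modifier also matches before a trailing newline, so `"abc\n"` passes the whitelist; `$pattern = "/^[_a-zA-Z0-9.:\-]+$/D";` closes that. The rest of `vtlib_purifyForSql` is outside the hunk.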
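Review bot: The exemption test `$k == 'conditions' || $k == 'mapping'` is a loose comparison, and on the PHP versions current for this commit an integer key compares equal to any non-numeric string (`0 == 'conditions'` is true), so a request parameter with a numeric name (`?0=...`, which PHP stores under the int key `0`) skips `valForSql` entirely; use a strict check, `if (in_array($k, array('conditions', 'mapping'), true)) continue;`. The loop also relies on `$request` being iterable as `$k => $v` and writable via `$request[$k]`, which depends on the request class implementing traversal and array access — not visible here, worth confirming — as does what `validateStringForSql` does with array-valued parameters and on rejection (cleaned value, `false`, or exception), since that decides whether `$start`/`$end`/`$type` below can still hold unvalidated data. `_process` continues past the end of the hunk.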
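Review bot: `valForSql` is a one-line delegate with no documentation, and its contract — what `Vtiger_Util_Helper::validateStringForSql` returns for a clean value and whether it returns a cleaned value, `false`, or throws for a bad one — is exactly what `_process` depends on when it writes the result back into `$request`; the method should carry a docblock stating that, e.g. `/** Validate a request value for use in SQL; delegates to Vtiger_Util_Helper::validateStringForSql, whose rejection behaviour (return value vs. exception) callers must handle. */`. A `@param mixed $value` / `@return mixed` pair would also make it visible that array-valued request parameters reach this path. `pullDetails` continues outside the hunk.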
@@ -216,7 +225,7 @@ class Calendar_Feed_Action extends Vtiger_BasicAjax_Action {
 }
 if(!empty($operator) && !empty($conditions['fieldname']) && !empty($conditions['value'])) {
- $conditionQuery = ' '.$conditions['fieldname'].$operator.'\'' .$conditions['value'].'\' ';
+ $conditionQuery = ' '.$conditions['fieldname'].$operator.'\'' .Vtiger_Functions::realEscapeString($conditions['value']).'\' ';
 }
 return $conditionQuery;
 }
@@ -423,4 +432,4 @@ class Calendar_Feed_Action extends Vtiger_BasicAjax_Action {
 }
 }
-}
\ No newline at end of file
+}
--
GitLab
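Review bot: Escaping `$conditions['value']` with `realEscapeString` protects only the quoted literal; `$conditions['fieldname']` (and `$operator`, which is computed above the hunk) are still concatenated raw into the same `$conditionQuery`, and `conditions` is precisely the key the sweep in `_process` skips, so if `conditions` originates from the request the identifier position remains attacker-controlled. Identifiers cannot be quote-escaped, so validate `fieldname` against a strict whitelist before use, e.g. add `&& preg_match('/^[A-Za-z0-9_.]+$/D', $conditions['fieldname'])` to the `if`, or better, check it against the module's field list. Note also that `!empty($conditions['value'])` treats a value of `'0'` as absent, so a condition filtering on `0` is silently dropped; `isset($conditions['value']) && $conditions['value'] !== ''` keeps it. The enclosing method starts outside the hunk.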