Fixes #1220 XSS vulnerability is addressed

d4f4e4cd · Uma · 55b20f00 · d4f4e4cd · d4f4e4cd · d4f4e4cd
Commit d4f4e4cd authored 5 years ago by Uma
--- a/modules/Users/actions/SaveAjax.php
+++ b/modules/Users/actions/SaveAjax.php
@@ -104,6 +104,13 @@ class Users_SaveAjax_Action extends Vtiger_SaveAjax_Action {
 				$recordModel->set($fieldName,$existingRecordModel->get($fieldName));
 			}
 		}
+        if($fieldName == 'signature'){
+            $fieldValue = $request->getRaw($fieldName);
+            $purifiedContent = vtlib_purify(decode_html($fieldValue));
+            // Purify malicious html event attributes
+            $fieldValue = purifyHtmlEventAttributes(decode_html($purifiedContent),true);
+            $recordModel->set($fieldName,$fieldValue);
+        }
 		return $recordModel;
 	}


--- a/modules/Vtiger/actions/SaveAjax.php
+++ b/modules/Vtiger/actions/SaveAjax.php
@@ -106,6 +106,12 @@ class Vtiger_SaveAjax_Action extends Vtiger_Save_Action {
 				if ($fieldDataType == 'time' && $fieldValue !== null) {
 					$fieldValue = Vtiger_Time_UIType::getTimeValueWithSeconds($fieldValue);
 				}
+                if($fieldName == 'notecontent' && $fieldValue !== null){
+                    $fieldValue = $request->getRaw($fieldName);
+                    $purifiedContent = vtlib_purify(decode_html($fieldValue));
+                    // Purify malicious html event attributes
+                    $fieldValue = purifyHtmlEventAttributes(decode_html($purifiedContent),true);
+                }
 				if ($fieldValue !== null) {
 					if (!is_array($fieldValue)) {
 						$fieldValue = trim($fieldValue);

--- a/packages/vtiger/optional/ModComments.zip
+++ b/packages/vtiger/optional/ModComments.zip
--- a/pkg/vtiger/modules/ModComments/modules/ModComments/actions/SaveAjax.php
+++ b/pkg/vtiger/modules/ModComments/modules/ModComments/actions/SaveAjax.php
@@ -74,7 +74,11 @@ class ModComments_SaveAjax_Action extends Vtiger_SaveAjax_Action {
 	public function getRecordModelFromRequest(Vtiger_Request $request) {
 		$recordModel = parent::getRecordModelFromRequest($request);
 		
-		$recordModel->set('commentcontent', $request->getRaw('commentcontent'));
+        $commentContent = $request->getRaw('commentcontent');
+        $purifiedContent = vtlib_purify(decode_html($commentContent));
+        // Purify malicious html event attributes
+        $fieldValue = purifyHtmlEventAttributes(decode_html($purifiedContent),true);
+		$recordModel->set('commentcontent', $fieldValue);
        $recordModel->set('is_private', $request->get('is_private'));

 		return $recordModel;