Merge branch 'xss_vulnerability_on_ckeditor' into 'master'

Fixes #1220 XSS vulnerability is addressed

See merge request !510

include/utils/ListViewUtils.php

@@ -675,9 +675,9 @@ function decode_html($str) {
 	global $default_charset;
 	// Direct Popup action or Ajax Popup action should be treated the same.
 	if ((isset($_REQUEST['action']) && $_REQUEST['action'] == 'Popup') || (isset($_REQUEST['file']) && $_REQUEST['file'] == 'Popup'))
-		return html_entity_decode($str);
+		return purifyHtmlEventAttributes(html_entity_decode($str));
 	else
-		return html_entity_decode($str, ENT_QUOTES, $default_charset);
+		return purifyHtmlEventAttributes(html_entity_decode($str, ENT_QUOTES, $default_charset));
 }
 
 function popup_decode_html($str) {

modules/Emails/views/MassSaveAjax.php

@@ -134,7 +134,7 @@ class Emails_MassSaveAjax_View extends Vtiger_Footer_View {
 		$content = $request->getRaw('description');
 		$processedContent = Emails_Mailer_Model::getProcessedContent($content); // To remove script tags
 		$mailerInstance = Emails_Mailer_Model::getInstance();
-		$processedContentWithURLS = $mailerInstance->convertToValidURL($processedContent);
+		$processedContentWithURLS = decode_html($mailerInstance->convertToValidURL($processedContent));
 		$recordModel->set('description', $processedContentWithURLS);
 		$recordModel->set('subject', $request->get('subject'));
 		$recordModel->set('toMailNamesList',$request->get('toMailNamesList'));

modules/Users/actions/Save.php

@@ -76,12 +76,6 @@ class Users_Save_Action extends Vtiger_Save_Action {
 			if ($fieldName == 'roleid' && !($currentUserModel->isAdminUser())) {
 				$fieldValue = null;
 			}
-            if($fieldName == 'signature' && $fieldValue !== null){
-                $fieldValue = $request->getRaw($fieldName);
-                $purifiedContent = vtlib_purify(decode_html($fieldValue));
-                // Purify malicious html event attributes
-                $fieldValue = purifyHtmlEventAttributes(decode_html($purifiedContent),true);
-			}
 
 			if($fieldValue !== null) {
 				if(!is_array($fieldValue)) {

modules/Vtiger/actions/Save.php

@@ -160,12 +160,6 @@ class Vtiger_Save_Action extends Vtiger_Action_Controller {
 			if($fieldDataType == 'time' && $fieldValue !== null){
 				$fieldValue = Vtiger_Time_UIType::getTimeValueWithSeconds($fieldValue);
 			}
-            if($fieldName == 'notecontent' && $fieldValue !== null){
-                $fieldValue = $request->getRaw($fieldName);
-                $purifiedContent = vtlib_purify(decode_html($fieldValue));
-                // Purify malicious html event attributes
-                $fieldValue = purifyHtmlEventAttributes(decode_html($purifiedContent),true);
-			}
 			if($fieldValue !== null) {
 				if(!is_array($fieldValue) && $fieldDataType != 'currency') {
 					$fieldValue = trim($fieldValue);

pkg/vtiger/modules/ModComments/modules/ModComments/actions/SaveAjax.php

@@ -73,7 +73,6 @@ class ModComments_SaveAjax_Action extends Vtiger_SaveAjax_Action {
 	 */
 	public function getRecordModelFromRequest(Vtiger_Request $request) {
 		$recordModel = parent::getRecordModelFromRequest($request);
-		
 		$recordModel->set('commentcontent', $request->getRaw('commentcontent'));
         $recordModel->set('is_private', $request->get('is_private'));