From befb8f4893df1f47d2d55748072d50b40d41714e Mon Sep 17 00:00:00 2001
From: Prasad <prasad@vtiger.com>
Date: Thu, 9 May 2024 20:02:25 +0530
Subject: [PATCH] Added vtlib helper method to remove quoted content in strings
 like strip_tags

---
 include/utils/VtlibUtils.php | 29 +++++++++++++++++++++++++++++
 1 file changed, 29 insertions(+)

diff --git a/include/utils/VtlibUtils.php b/include/utils/VtlibUtils.php
index 9f0390e74..f38cdcecf 100644
--- a/include/utils/VtlibUtils.php
+++ b/include/utils/VtlibUtils.php
@@ -733,6 +733,35 @@ function vtlib_purify($input, $ignore = false) {
     return $value;
 }
 
+/**
+ * Remove content within quotes (single/double/unbalanced)
+ * Helpful to keep away quote-injection xss attacks in the templates.
+ */
+function vtlib_strip_quoted($input) {
+    $output = $input;
+    /*
+     * Discard anything in "double quoted until'you find next double quote"
+     * or discard anything in 'single quoted until "you" find next single quote"
+     */
+    $qchar = '"';
+    $idx = strpos($input, $qchar);
+    if ($idx === false) { // no double-quote, find single-quote
+        $qchar = "'";
+        $idx = strpos($input, $qchar);
+    }
+    if ($idx !== false) {
+        $output = substr($input,0, $idx);
+        $idx = strpos($input, $qchar, $idx+1);
+        if ($idx === false) {
+            // unbalanced - eat all.
+            $idx = strlen($input)-1;
+        }
+        $input = substr($input, $idx+1);
+        $output .= vtlib_strip_quoted($input);
+    }
+    return $output;
+}
+
 /**
  * Function to replace values in multi dimentional array (str_replace will support only one level of array)
  * @param type $search
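Review bot: The quote that gets stripped is not the first quote in the string: `$qchar` is fixed to `"` whenever any double quote exists anywhere, so a single quote that appears earlier is copied into the output, e.g. `vtlib_strip_quoted('it\'s "x" y')` returns `it's  y` with the stray `'` intact, which is exactly the character this helper exists to keep out of a quoted template context. Scanning for whichever quote comes first (`strcspn($input, '"\'')`), and treating the remainder as the quoted body when that quote is unbalanced, fixes this and also removes the recursion, which otherwise grows one frame per quoted segment on long inputs. I would also state in the docblock that this only removes `"`/`'` delimited runs and is not a substitute for `htmlspecialchars(..., ENT_QUOTES)` at the output site, since angle brackets and unquoted-attribute injection are untouched. Presumably the helper has no callers yet in this commit, so the stricter handling of mixed quotes should be safe to adopt.
```php
function vtlib_strip_quoted($input) {
    $output = '';
    // Strip whichever quote comes first, so an earlier ' is not kept just because a " exists later.
    while (($idx = strcspn($input, '"\'')) < strlen($input)) {
        $qchar = $input[$idx];
        $output .= substr($input, 0, $idx);
        $end = strpos($input, $qchar, $idx + 1);
        if ($end === false) {
            return $output; // unbalanced - eat the rest.
        }
        $input = substr($input, $end + 1);
    }
    return $output . $input;
}
```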
-- 
GitLab