Security: Remove "Security::remove_XSS", fix htmleditor get value

jmontoyaa · jmontoyaa · commit d9c37bf1f3e4 · 2018-11-20T09:16:43.000+01:00
Related: 099ec41
diff --git a/main/inc/ajax/agenda.ajax.php b/main/inc/ajax/agenda.ajax.php
@@ -1,8 +1,10 @@
 <?php
 /* For licensing terms, see /license.txt */
+
 /**
  * Responses to AJAX calls.
  */
+
 $type = isset($_REQUEST['type']) && in_array($_REQUEST['type'], ['personal', 'course', 'admin']) ? $_REQUEST['type'] : 'personal';
 
 if ($type == 'personal') {
@@ -28,9 +30,9 @@
             break;
         }
         $add_as_announcement = isset($_REQUEST['add_as_annonuncement']) ? $_REQUEST['add_as_annonuncement'] : null;
-        $title = isset($_REQUEST['title']) ? Security::remove_XSS($_REQUEST['title']) : null;
-        $content = isset($_REQUEST['content']) ? Security::remove_XSS($_REQUEST['content']) : null;
-        $comment = isset($_REQUEST['comment']) ? Security::remove_XSS($_REQUEST['comment']) : null;
+        $title = isset($_REQUEST['title']) ? $_REQUEST['title'] : null;
+        $content = isset($_REQUEST['content']) ? $_REQUEST['content'] : null;
+        $comment = isset($_REQUEST['comment']) ? $_REQUEST['comment'] : null;
         $userToSend = isset($_REQUEST['users_to_send']) ? $_REQUEST['users_to_send'] : [];
 
         echo $agenda->addEvent(
diff --git a/main/inc/lib/formvalidator/Element/HtmlEditor.php b/main/inc/lib/formvalidator/Element/HtmlEditor.php
@@ -31,7 +31,7 @@ public function __construct(
         $config = []
     ) {
         if (empty($name)) {
-            return false;
+            throw new \Exception('Name is required');
         }
 
         parent::__construct($name, $elementLabel, $attributes);
@@ -54,9 +54,9 @@ public function __construct(
      */
     public function toHtml()
     {
-        $value = Security::remove_XSS($this->getValue());
         if ($this->editor) {
             if ($this->editor->getConfigAttribute('fullPage')) {
+                $value = $this->getValue();
                 if (strlen(trim($value)) == 0) {
                     // TODO: To be considered whether here to add
                     // language and character set declarations.
@@ -70,10 +70,9 @@ public function toHtml()
             return $this->getFrozenHtml();
         } else {
             $styleCss = $this->editor->getConfigAttribute('style');
+            $style = false;
             if ($styleCss) {
                 $style = true;
-            } else {
-                $style = false;
             }
 
             return $this->buildEditor($style);
@@ -87,7 +86,7 @@ public function toHtml()
      */
     public function getFrozenHtml()
     {
-        return $this->getValue();
+        return $this->getCleanValue();
     }
 
     /**
@@ -99,9 +98,9 @@ public function buildEditor($style = false)
     {
         $result = '';
         if ($this->editor) {
-            $this->editor->value = Security::remove_XSS($this->getValue());
+            $this->editor->value = $this->getCleanValue();
             $this->editor->setName($this->getName());
-            if ($style == true) {
+            if ($style === true) {
                 $result = $this->editor->createHtmlStyle();
             } else {
                 $result = $this->editor->createHtml();
diff --git a/main/inc/lib/pear/HTML/QuickForm/element.php b/main/inc/lib/pear/HTML/QuickForm/element.php
@@ -253,12 +253,30 @@ public function setValue($value)
      */
     public function getValue()
     {
-        // interface
         return null;
-    } // end func getValue
+    }
 
-    // }}}
-    // {{{ freeze()
+    /**
+     * @return string
+     */
+    public function getCleanValue()
+    {
+        $value = $this->cleanValueFromParameter($this->getValue());
+
+        return $value;
+    }
+
+    /**
+     * @param string $value
+     *
+     * @return string
+     */
+    public function cleanValueFromParameter($value)
+    {
+        $value = @htmlspecialchars($value, ENT_COMPAT, HTML_Common::charset());
+
+        return $value;
+    }
 
     /**
      * Freeze the element so that only its value is returned
@@ -302,12 +320,16 @@ public function getFrozenHtml()
         // Modified by Ivan Tcholakov, 16-MAR-2010.
         //return ('' != $value? htmlspecialchars($value): '&nbsp;') .
         //       $this->_getPersistantData();
+        if (!empty($value)) {
+            $value = $this->getCleanValue();
+        } else {
+            $value = '&nbsp;';
+        }
+
+        $value .= $this->_getPersistantData();
 
-        $value =  ('' != $value ? @htmlspecialchars($value, ENT_COMPAT, HTML_Common::charset()): '&nbsp;') .
-               $this->_getPersistantData();
         return '<span class="freeze">'.$value.'</span>';
-        //
-    } //end func getFrozenHtml
+    }
 
    /**
     * Used by getFrozenHtml() to pass the element's value if _persistantFreeze is on
