authorJim Hu <jimhu@users.sourceforge.net>2007-05-16 22:20:47 +0000
committerJim Hu <jimhu@users.sourceforge.net>2007-05-16 22:20:47 +0000
commit6d325063ea9a71890596b95871bde04797fd2c3d (patch)
tree29b72e5337ae9f53bbc0bfd553d43e55880aeef2 /functions
parent2f80cc0fecd6a2f495a6cc843c36c7d5e0dc8565 (diff)
downloadphpicalendar-6d325063ea9a71890596b95871bde04797fd2c3d.tar.gz
phpicalendar-6d325063ea9a71890596b95871bde04797fd2c3d.tar.bz2
phpicalendar-6d325063ea9a71890596b95871bde04797fd2c3d.zip
fix xss vulnerability by adding sanitizer for input vars from post, get, cookie, request
Diffstat (limited to 'functions')
-rw-r--r--functions/init.inc.php1
-rw-r--r--functions/sanitize.php53
2 files changed, 54 insertions, 0 deletions
diff --git a/functions/init.inc.php b/functions/init.inc.php
index 96dc27b..619dfa5 100644
--- a/functions/init.inc.php
+++ b/functions/init.inc.php
@@ -14,6 +14,7 @@ $ALL_CALENDARS_COMBINED = 'all_calendars_combined971';
// Pull in the configuration and some functions.
if (!defined('BASE')) define('BASE', './');
include_once(BASE.'config.inc.php');
+include_once(BASE.'functions/sanitize.php');
$cookie_name = 'phpicalendar_'.basename($default_path);
if (isset($_COOKIE["$cookie_name"]) && !isset($_POST['unset'])) {
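Review bot: The new include_once runs one line after config.inc.php, so any request value that config.inc.php reads (and anything executed before init.inc.php is pulled in) sees the superglobals before sanitize.php rewrites them; if config.inc.php consumes $_GET/$_POST/$_COOKIE, the include should move ahead of it, i.e. `include_once(BASE.'functions/sanitize.php');` before `include_once(BASE.'config.inc.php');`. Note also that sanitize.php as added in this commit is missing the semicolon after its `strip_tags($val,$allowed)` call, so until that is fixed this include_once aborts every page that loads init.inc.php. The rest of init.inc.php lies outside the hunk, so later readers of the superglobals cannot be checked here.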
diff --git a/functions/sanitize.php b/functions/sanitize.php
new file mode 100644
index 0000000..5551d44
--- /dev/null
+++ b/functions/sanitize.php
@@ -0,0 +1,53 @@
+<?php
+foreach ($_REQUEST as $key=>$val){
+ switch ($key){
+ case 'event_data':
+ # modify this to allow or disallow different HTML tags in event popups
+ $allowed = "<p><br><b><i><em><a><img><div><span><ul><ol><li><h1><h2><h3><h4><h5><h6><hr><em><strong><small><table><tr><td><th>";
+ $val = strip_tags($val,$allowed)
+ break;
+ default:
+ # cpath
+ $val = strip_tags($val);
+ }
+
+ $_REQUEST[$key] = $val;
+}
+foreach ($_POST as $key=>$val){
+ switch ($key){
+ case 'action':
+ $actions = array('login','logout','addupdate','delete');
+ if (!in_array($val,$actions)) $val = '';
+ break;
+ case 'date':
+ case 'time':
+ if (!is_int($val)) $val = '';
+ break;
+ default:
+ $val = strip_tags($val);
+ }
+ $_POST[$key] = $val;
+
+}
+foreach ($_GET as $key=>$val){
+ switch ($key){
+ case 'getdate':
+ if (!is_int($val)) $val = '';
+ break;
+ default:
+ $val = strip_tags($val);
+ }
+ $_GET[$key] = $val;
+
+}
+foreach ($_COOKIE as $key=>$val){
+ switch ($key){
+ case 'time':
+ if (!is_int($val)) $val = '';
+ break;
+ default:
+ $val = strip_tags($val);
+ }
+ $_COOKIE[$key] = $val;
+}
+?> \ No newline at end of file
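Review bot: The event_data case line `$val = strip_tags($val,$allowed)` has no terminating semicolon, so this file is a parse error and every page that includes it fatals; it must read `$val = strip_tags($val,$allowed);`. The `is_int($val)` checks for date, time and getdate can never succeed, because values in $_POST, $_GET and $_COOKIE arrive as strings (or arrays), so those fields are always blanked; `if (!ctype_digit((string) $val)) $val = '';` (or filter_var with FILTER_VALIDATE_INT) expresses the intended check. strip_tags keeps every attribute of a permitted tag, so the event_data allow-list still lets event-handler and URL attributes through to the page; this input stripping should be treated as defence in depth, with the actual XSS control applied at output time via htmlspecialchars with ENT_QUOTES in HTML context (and an attribute filter if HTML must be preserved). Finally, strip_tags on an array-valued parameter (a field submitted with [] in its name) warns on the PHP of the period and throws TypeError on PHP 8, so each loop should skip or recurse into non-string values, and `in_array($val,$actions)` should pass `true` as its third argument so a value like `0` is not accepted as a match.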
