bugfix: fixed XSS bugs in contact value presentation in customer form…

…s (LMS #1910)
chilek · Jan 14, 2021 · 6dce148 · 6dce148
1 parent 3b36912
commit 6dce148
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 9 deletions.
diff --git a/lib/customercontacttypes.php b/lib/customercontacttypes.php
@@ -32,15 +32,15 @@ function format_customer_phone($contact)
     }
     return '<a href="?m=messageadd&customerid='  . $contact['customerid'] . '&type=' . MSG_SMS . '&contactid=' . $contact['id'] . '">'
         . '<i class="lms-ui-icon-quick-send"></i></a>'
-        . '&nbsp;<a class="phone_number" href="tel:' . $contact['contact'] . '">' . $contact['contact'] . '</a>&nbsp;'
+        . '&nbsp;<a class="phone_number" href="tel:' . htmlspecialchars($contact['contact']) . '">' . htmlspecialchars($contact['contact']) . '</a>&nbsp;'
         . (isset($call_phone_url) ? '<a href="' . $call_phone_url . '"><i class="fas fa-phone"></i></a>' : '');
 }
 
 function format_customer_email($contact)
 {
     return '<a href="?m=messageadd&customerid='  . $contact['customerid'] . '&type=' . MSG_MAIL . '&contactid=' . $contact['id'] . '">'
         . '<i class="lms-ui-icon-quick-send"></i></a>'
-        . '&nbsp;<a href="mailto:' . $contact['contact'] . '">' . $contact['contact'] . '</a>';
+        . '&nbsp;<a href="mailto:' . htmlspecialchars($contact['contact']) . '">' . htmlspecialchars($contact['contact']) . '</a>';
 }
 
 function format_customer_account($contact)
@@ -50,35 +50,35 @@ function format_customer_account($contact)
 
 function format_customer_url($contact)
 {
-    return '<a href="' . $contact['contact'] . '">' . $contact['contact'] . '</a>';
+    return '<a href="' . htmlspecialchars($contact['contact']) . '">' . htmlspecialchars($contact['contact']) . '</a>';
 }
 
 function format_customer_im($contact)
 {
     switch ($contact['type'] & CONTACT_IM) {
         case CONTACT_IM_GG:
             return trans('Gadu-Gadu') . ': ' . '<IMG src="http://status.gadu-gadu.pl/users/status.asp?id=' . $contact['contact'] . '&styl=1" alt=""> '
-                . '<a href="gg:' . $contact['contact'] . '">' . $contact['contact'] . '</a>';
+                . '<a href="gg:' . htmlspecialchars($contact['contact']) . '">' . htmlspecialchars($contact['contact']) . '</a>';
             break;
         case CONTACT_IM_YAHOO:
             return trans('Yahoo') . ': ' . '<IMG src="http://opi.yahoo.com/online?u=' . $contact['contact'] . '&m=g&t=5"  alt=""> '
-                . '<a href="ymsgr:sendIM?' . $contact['contact'] . '">' . $contact['contact'] . '</a>';
+                . '<a href="ymsgr:sendIM?' . htmlspecialchars($contact['contact']) . '">' . htmlspecialchars($contact['contact']) . '</a>';
             break;
         case CONTACT_IM_SKYPE:
 //          return trans('Skype') . ': ' . '<IMG src="http://mystatus.skype.com/smallicon/' . $contact['contact'] . '"  alt=""> '
             return trans('Skype') . ': '
-                . '<a href="skype:' . $contact['contact'] . '">' . $contact['contact'] . '</a>';
+                . '<a href="skype:' . htmlspecialchars($contact['contact']) . '">' . htmlspecialchars($contact['contact']) . '</a>';
             break;
         case CONTACT_IM_FACEBOOK:
             return trans('Facebook') . ': '
-                . '<a href="https://m.me/' . $contact['contact'] . '">' . $contact['contact'] . '</a>';
+                . '<a href="https://m.me/' . htmlspecialchars($contact['contact']) . '">' . htmlspecialchars($contact['contact']) . '</a>';
             break;
     }
 }
 
 function format_customer_representative($contact)
 {
-    return '<span class="bold">' . $contact['contact'] . '</span>';
+    return '<span class="bold">' . htmlspecialchars($contact['contact']) . '</span>';
 }
 
 function validate_customer_phones(&$customerdata, &$contacts, &$error)

diff --git a/templates/default/customer/customerinfobox.html b/templates/default/customer/customerinfobox.html
@@ -164,7 +164,7 @@
 											<TR{if ($contact.type & $smarty.const.CONTACT_DISABLED) == $smarty.const.CONTACT_DISABLED} class="blend"{/if}>
 												<TD class="customer-contact">
 													<div>
-													{if isset($properties.formatter)}{call_user_func($properties['formatter'], $contact)}{else}{$contact.contact}{/if}
+													{if isset($properties.formatter)}{call_user_func($properties['formatter'], $contact)}{else}{htmlspecialchars($contact.contact)}{/if}
 													{if $contact.typestr}[{$contact.typestr}]{/if}
 													{if $contact.name} ({htmlspecialchars($contact.name)|truncate:"40":"...":true}){/if}
 													</div>