From 01a8b77d0f511858b32fb2fa55e5fbc0612ce7b5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tomasz=20Chili=C5=84ski?= <tomasz.chilinski@chilan.com>
Date: Sun, 17 Jan 2021 13:28:12 +0100
Subject: [PATCH] bugfix: avoid XSS in ticket and event forms (LMS #1910)

---
 lib/LMSManagers/LMSEventManager.php          |  4 ++--
 lib/LMSManagers/LMSHelpdeskManager.php       |  9 ++++++--
 templates/default/event/eventinfo.html       | 20 +++++++++---------
 templates/default/event/eventinfoshort.html  | 22 ++++++++++----------
 templates/default/event/eventlistboxrow.html | 10 ++++-----
 5 files changed, 35 insertions(+), 30 deletions(-)

diff --git a/lib/LMSManagers/LMSEventManager.php b/lib/LMSManagers/LMSEventManager.php
index a7a72416eb..2d320a93ab 100644
--- a/lib/LMSManagers/LMSEventManager.php
+++ b/lib/LMSManagers/LMSEventManager.php
@@ -34,7 +34,7 @@ public function EventAdd($event)
     {
         $args = array(
             'title' => $event['title'],
-            'description' => $event['description'],
+            'description' => Utils::removeInsecureHtml($event['description']),
             'date' => $event['date'],
             'begintime' => $event['begintime'],
             'enddate' => $event['enddate'],
@@ -89,7 +89,7 @@ public function EventUpdate($event)
     {
         $args = array(
             'title' => $event['title'],
-            'description' => $event['description'],
+            'description' => Utils::removeInsecureHtml($event['description']),
             'date' => $event['date'],
             'begintime' => $event['begintime'],
             'enddate' => $event['enddate'],
diff --git a/lib/LMSManagers/LMSHelpdeskManager.php b/lib/LMSManagers/LMSHelpdeskManager.php
index 4435082648..4cefeb5dd2 100644
--- a/lib/LMSManagers/LMSHelpdeskManager.php
+++ b/lib/LMSManagers/LMSHelpdeskManager.php
@@ -1019,6 +1019,11 @@ public function TicketMessageAdd($message, $files = null)
 
         $createtime = isset($message['createtime']) ? $message['createtime'] : time();
 
+        $body = preg_replace("/\r/", "", $message['body']);
+        if ($message['contenttype'] == 'text/html') {
+            $body = Utils::removeInsecureHtml($body);
+        }
+
         $this->db->Execute(
             'INSERT INTO rtmessages (ticketid, createtime, subject, body, userid, customerid, mailfrom,
 			inreplyto, messageid, replyto, headers, type, phonefrom, contenttype)
@@ -1027,7 +1032,7 @@ public function TicketMessageAdd($message, $files = null)
                 $message['ticketid'],
                 $createtime,
                 isset($message['subject']) ? $message['subject'] : '',
-                preg_replace("/\r/", "", $message['body']),
+                $body,
                 isset($message['userid']) ? $message['userid'] : Auth::GetCurrentUser(),
                 empty($message['customerid']) ? null : $message['customerid'],
                 isset($message['mailfrom']) ? $message['mailfrom'] : '',
@@ -1102,7 +1107,7 @@ public function TicketAdd($ticket, $files = null)
         if ($ticket['contenttype'] == 'text/plain') {
             $body = str_replace("\r", "", $ticket['body']);
         } else {
-            $body = $ticket['body'];
+            $body = Utils::removeInsecureHtml($ticket['body']);
         }
 
         $this->db->Execute('INSERT INTO rtmessages (ticketid, customerid, createtime,
diff --git a/templates/default/event/eventinfo.html b/templates/default/event/eventinfo.html
index d9a63d11b4..b174aea373 100644
--- a/templates/default/event/eventinfo.html
+++ b/templates/default/event/eventinfo.html
@@ -19,7 +19,7 @@ <H1>{$layout.pagetitle}</H1>
 			{trans("Title:")}
 		</TD>
 		<TD class="bold">
-			{$event.title}
+			{$event.title|escape}
 		</TD>
 	</TR>
     </THEAD>
@@ -129,7 +129,7 @@ <H1>{$layout.pagetitle}</H1>
 			<B>{trans("Last modified by:")}</B>
 		</TD>
 		<TD class="nobr">
-			<A href="?m=userinfo&id={$event.moduserid}">{$event.modusername}</A>
+			<A href="?m=userinfo&id={$event.moduserid}">{$event.modusername|escape}</A>
 		</TD>
 	</TR>
 {/if}
@@ -155,7 +155,7 @@ <H1>{$layout.pagetitle}</H1>
 			<B>{trans("Closed by")}:</B>
 		</TD>
 		<TD class="nobr">
-			<A href="?m=userinfo&id={$event.closeduserid}">{$event.closedusername}</A>
+			<A href="?m=userinfo&id={$event.closeduserid}">{$event.closedusername|escape}</A>
 		</TD>
 	</TR>
 {/if}
@@ -192,18 +192,18 @@ <H1>{$layout.pagetitle}</H1>
 		</TD>
 		<TD class="nobr">
 		{if $event.netnode_name}
-		{icon name="netnode"} <a href="?m=netnodeinfo&id={$event.netnode_id}">{$event.netnode_name}</a>
+		{icon name="netnode"} <a href="?m=netnodeinfo&id={$event.netnode_id}">{$event.netnode_name|escape}</a>
 		{if !empty($event.netnode_location)}
-		    <br>{icon name="location"} {$event.netnode_location}{/if}
+		    <br>{icon name="location"} {$event.netnode_location|escape}{/if}
                 {else}
                     {if $event.customername}
                         {icon name="customer"} <A href="?m=customerinfo&amp;id={$event.customerid}">{$event.customername|truncate:"30":"...":true}</A><br>
                        {if !empty($event.address_id)}
-                            {icon name="location"} {$event.location}
+                            {icon name="location"} {$event.location|escape}
                        {elseif !empty($event.nodeid)}
-                       <a href="?m=nodeinfo&id={$event.nodeid}"> {$event.nodelocation}</a>
+                       <a href="?m=nodeinfo&id={$event.nodeid}"> {$event.nodelocation|escape}</a>
                        {else}
-                           {icon name="location"} {$event.customerlocation}
+                           {icon name="location"} {$event.customerlocation|escape}
                        {/if}
                     {/if}
                 {/if}
@@ -218,7 +218,7 @@ <H1>{$layout.pagetitle}</H1>
 			{trans("Node:")}
 		</TD>
 		<TD class="nobr">
-			<a href="?m=nodeinfo&id={$event.nodeid}">{$event.node_name}: {$event.node_location}</a>
+			<a href="?m=nodeinfo&id={$event.nodeid}">{$event.node_name}: {$event.node_location|escape}</a>
 		</TD>
 	</TR>
 	{/if}
@@ -234,7 +234,7 @@ <H1>{$layout.pagetitle}</H1>
 			<TABLE WIDTH="95%" CELLPADDING="5">
 				<TR>
 					<TD class="fall superlight">
-						{$event.note|replace:"\n":"<BR>"}
+						{$event.note|escape|replace:"\n":"<BR>"}
 					</TD>
 				</TR>
 			</TABLE>
diff --git a/templates/default/event/eventinfoshort.html b/templates/default/event/eventinfoshort.html
index 18da7a3c97..22d4731319 100644
--- a/templates/default/event/eventinfoshort.html
+++ b/templates/default/event/eventinfoshort.html
@@ -24,7 +24,7 @@
             {trans("Title:")}
         </TD>
         <TD class="bold">
-            {$event.title}
+            {$event.title|escape}
         </TD>
     </TR>
     </THEAD>
@@ -130,7 +130,7 @@
                 {trans("Last modified by:")}
             </TD>
             <TD class="nobr">
-                <A href="?m=userinfo&id={$event.moduserid}">{$event.modusername}</A>
+                <A href="?m=userinfo&id={$event.moduserid}">{$event.modusername|escape}</A>
             </TD>
         </TR>
     {/if}
@@ -156,7 +156,7 @@
                 {trans("Closed by")}:
             </TD>
             <TD class="nobr">
-                <A href="?m=userinfo&id={$event.closeduserid}">{$event.closedusername}</A>
+                <A href="?m=userinfo&id={$event.closeduserid}">{$event.closedusername|escape}</A>
             </TD>
         </TR>
     {/if}
@@ -182,7 +182,7 @@
             {trans("Customer:")}
         </TD>
         <TD class="nobr">
-            <A href="?m=customerinfo&id={$event.customerid}">{$event.customername}</A>
+            <A href="?m=customerinfo&id={$event.customerid}">{$event.customername|escape}</A>
         </TD>
     </TR>
     {/if}
@@ -196,16 +196,16 @@
         </TD>
         <TD class="nobr">
         {if $event.netnode_name}
-            {icon name="netnode" class="fa-fw"}<a href="?m=netnodeinfo&id={$event.netnode_id}">{$event.netnode_name}</a>
-            {if !empty($event.netnode_location)}<br>{$event.netnode_location}{/if}
+            {icon name="netnode" class="fa-fw"}<a href="?m=netnodeinfo&id={$event.netnode_id}">{$event.netnode_name|escape}</a>
+            {if !empty($event.netnode_location)}<br>{$event.netnode_location|escape}{/if}
         {else}
             {if $event.customername}
                 {if !empty($event.address_id)}
-                    {$event.location}
+                    {$event.location|escape}
                 {elseif !empty($event.nodeid)}
-                    <a href="?m=nodeinfo&id={$event.nodeid}">{$event.nodelocation}</a>
+                    <a href="?m=nodeinfo&id={$event.nodeid}">{$event.nodelocation|escape}</a>
                 {else}
-		            {$event.customerlocation}
+		            {$event.customerlocation|escape}
                 {/if}
             {/if}
         {/if}
@@ -221,7 +221,7 @@
                 {trans("Node:")}
             </TD>
             <TD class="nobr">
-                <a href="?m=nodeinfo&id={$event.nodeid}">{$event.node_name}: {$event.node_location}</a>
+                <a href="?m=nodeinfo&id={$event.nodeid}">{$event.node_name}: {$event.node_location|escape}</a>
             </TD>
         </TR>
     {/if}
@@ -235,7 +235,7 @@
             </TD>
             <TD>
                 <div class="fall superlight eventinfoshort-textbox">
-                    {$event.note|replace:"\n":"<BR>"}
+                    {$event.note|escape|replace:"\n":"<BR>"}
                 </div>
             </TD>
         </TR>
diff --git a/templates/default/event/eventlistboxrow.html b/templates/default/event/eventlistboxrow.html
index 26808c3d83..5c5b8f35d0 100644
--- a/templates/default/event/eventlistboxrow.html
+++ b/templates/default/event/eventlistboxrow.html
@@ -38,9 +38,9 @@
         {/if}
     </TD>
     <TD data-target-url="?m=eventinfo&id={$event.id}">
-        <a href="?m=eventinfo&id={$event.id}"><i class="lms-ui-icon-timetable lms-ui-tooltip-eventinfoshort" data-resourceid="{$event.id}"></i> <span class="bold" {if !$event.closed}style="color:black"{/if}>{$event.title}</span></a>
+        <a href="?m=eventinfo&id={$event.id}"><i class="lms-ui-icon-timetable lms-ui-tooltip-eventinfoshort" data-resourceid="{$event.id}"></i> <span class="bold" {if !$event.closed}style="color:black"{/if}>{$event.title|escape}</span></a>
         {if !ConfigHelper::checkConfig('phpui.timetable_hide_description')}{if $event.description != ''}<br>{icon name="description"} {$event.description}{/if}{/if}
-        {if $event.note != ''}<span{if !$event.closed} style="color: red;"{/if}><br>{icon name="note"} {$event.note}</span>{/if}
+        {if $event.note != ''}<span{if !$event.closed} style="color: red;"{/if}><br>{icon name="note"} {$event.note|escape}</span>{/if}
     </TD>
     <TD class="nobr" colspan="2" data-target-url="?m=eventinfo&id={$event.id}">
         {if $event.netnode_name}
@@ -50,11 +50,11 @@
         {if $event.customername}
             {icon name="customer"} <A href="?m=customerinfo&amp;id={$event.customerid}">{$event.customername|truncate:"30":"...":true}</A><br>
         {if !empty($event.address_id)}
-            {icon name="location"} {$event.location}
+            {icon name="location"} {$event.location|escape}
         {elseif !empty($event.nodeid)}
-            <a href="?m=nodeinfo&id={$event.nodeid}"> {$event.nodelocation}</a>
+            <a href="?m=nodeinfo&id={$event.nodeid}"> {$event.nodelocation|escape}</a>
         {else}
-            {icon name="location"} {$event.customerlocation}
+            {icon name="location"} {$event.customerlocation|escape}
         {/if}
         {/if}
         {/if}