Fix AJAX modal url/id escaping

glpi-project · Feb 12, 2025 · b3eec2b · b3eec2b
1 parent 8758a34
commit b3eec2b
Show file tree

Hide file tree

Showing 3 changed files with 33 additions and 3 deletions.
diff --git a/phpunit/functional/HtmlTest.php b/phpunit/functional/HtmlTest.php
@@ -1129,4 +1129,23 @@ public function testSanitizeInputName(string $name, string $expected): void
     {
         $this->assertEquals($expected, \Html::sanitizeInputName($name));
     }
+
+    public static function domIdProvider(): iterable
+    {
+        yield [
+            'name'      => 'itemtype',
+            'expected'  => 'itemtype',
+        ];
+
+        yield [
+            'name'      => 'foo\'"$**_23-1',
+            'expected'  => 'foo_23-1',
+        ];
+    }
+
+    #[DataProvider('domIdProvider')]
+    public function testSanitizeDomId(string $name, string $expected): void
+    {
+        $this->assertEquals($expected, \Html::sanitizeInputName($name));
+    }
 }
diff --git a/src/Ajax.php b/src/Ajax.php
@@ -175,8 +175,7 @@ public static function createIframeModalWindow($domid, $url, $options = [])
 
         $rand = mt_rand();
 
-        $domid  = htmlescape($domid);
-        $url    = htmlescape($url);
+        $domid  = Html::sanitizeDomId($domid);
         $title  = htmlescape($param['title']);
         $class  = htmlescape($param['dialog_class']);
         $height = (int) $param['height'];
@@ -202,6 +201,7 @@ public static function createIframeModalWindow($domid, $url, $options = [])
 
         $reloadonclose = $param['reloadonclose'] ? "true" : "false";
         $autoopen      = $param['autoopen'] ? "true" : "false";
+        $url           = json_encode($url);
         $js = <<<JAVASCRIPT
       $(function() {
          myModalEl{$rand} = document.getElementById('{$domid}');
@@ -211,7 +211,7 @@ public static function createIframeModalWindow($domid, $url, $options = [])
          $(myModalEl{$rand}).appendTo($("body"));
 
          myModalEl{$rand}.addEventListener('show.bs.modal', function () {
-            $('#iframe{$domid}').attr('src','{$url}').removeClass('hidden');
+            $('#iframe{$domid}').attr('src', {$url}).removeClass('hidden');
          });
          myModalEl{$rand}.addEventListener('hide.bs.modal', function () {
             if ({$reloadonclose}) {

diff --git a/src/Html.php b/src/Html.php
@@ -6573,4 +6573,15 @@ public static function sanitizeInputName(string $name): string
     {
         return preg_replace('/[^a-z0-9_\[\]\-]/i', '', $name);
     }
+
+    /**
+     * Sanitize a DOM ID to prevent XSS.
+     *
+     * @param string $name
+     * @return string
+     */
+    public static function sanitizeDomId(string $name): string
+    {
+        return preg_replace('/[^a-z0-9_-]/i', '', $name);
+    }
 }