Sanitize text fields

JulianPrieber · JulianPrieber · commit cc6a1195b323 · 2024-02-05T19:03:49.000+01:00
diff --git a/app/Functions/functions.php b/app/Functions/functions.php
@@ -138,4 +138,16 @@ function footer($key)
         $title = env('TITLE_FOOTER_'.$upperStr);
     }
     return $title;
+}
+
+function strip_tags_except_allowed_protocols($str) {
+    preg_match_all('/<a[^>]+>(.*?)<\/a>/i', $str, $matches, PREG_SET_ORDER);
+
+    foreach ($matches as $val) {
+        if (!preg_match('/href=["\'](http:|https:|mailto:|tel:)[^"\']*["\']/', $val[0])) {
+            $str = str_replace($val[0], $val[1], $str);
+        }
+    }
+
+    return $str;
 }
diff --git a/app/Http/Controllers/UserController.php b/app/Http/Controllers/UserController.php
@@ -264,9 +264,13 @@ public function saveLink(request $request)
                         'button_id' => "42",
                     ]);
                 }elseif($linkType->typename == "text"){
+                    $sanitizedText = $request->text;
+                    $sanitizedText = strip_tags($sanitizedText, '<a><p><strong><i><ul><ol><li><blockquote><h2><h3><h4>');
+                    $sanitizedText = preg_replace("/<a([^>]*)>/i", "<a $1 rel=\"noopener noreferrer nofollow\">", $sanitizedText);
+                    $sanitizedText = strip_tags_except_allowed_protocols($sanitizedText);
                     $OrigLink->update([
                         'button_id' => "93",
-                        'title' => $request->text,
+                        'title' => $sanitizedText,
                     ]);
                 }elseif($linkType->typename == "email"){
                     $LinkURL = "mailto:".$LinkURL;
@@ -387,8 +391,12 @@ public function saveLink(request $request)
             }elseif($linkType->typename == "heading"){
                 $links->button_id = "42";
             }elseif($linkType->typename == "text"){
+                $sanitizedText = $request->text;
+                $sanitizedText = strip_tags($sanitizedText, '<a><p><strong><i><ul><ol><li><blockquote><h2><h3><h4>');
+                $sanitizedText = preg_replace("/<a([^>]*)>/i", "<a $1 rel=\"noopener noreferrer nofollow\">", $sanitizedText);
+                $sanitizedText = strip_tags_except_allowed_protocols($sanitizedText);
                 $links->button_id = "93";
-                $links->title = $request->text;
+                $links->title = $sanitizedText;
             }elseif($linkType->typename == "email"){
                 $links->link = "mailto:".$links->link;
                 $links->button_id = $button?->id;
@@ -789,6 +797,7 @@ public function editPage(Request $request)
         $pageName = $request->littlelink_name;
         $pageDescription = strip_tags($request->pageDescription, '<a><p><strong><i><ul><ol><li><blockquote><h2><h3><h4>');
         $pageDescription = preg_replace("/<a([^>]*)>/i", "<a $1 rel=\"noopener noreferrer nofollow\">", $pageDescription);
+        $pageDescription = strip_tags_except_allowed_protocols($pageDescription);
         $name = $request->name;
         $checkmark = $request->checkmark;
         $sharebtn = $request->sharebtn;
