Fix XSS, prevent their storage
index 66395fa14d119900df283421716208ae6dd2fb8e..e488c4c8ce656dabfb25e583c528066db648893d 100644 (file)
@@ -755,6 +755,9 @@ class Preferences
                     $this->errors[] = _T("- Invalid year for cards.");
                 }
                 break;
+            case 'pref_footer':
+                $value = $this->cleanHtmlValue($value);
+                break;
         }
 
         return $value;
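Review bot: The new `pref_footer` case replaces the submitted value with the purified one without any feedback, so markup that HTMLPurifier drops or rewrites disappears silently rather than surfacing in `$this->errors[]` like the other cases in this switch do. A short comment above the `$value = $this->cleanHtmlValue($value);` line would make that intentional, e.g. `// pref_footer is stored as HTML: purify before storage so script/handler markup never reaches the database; legitimate but non-whitelisted markup is dropped silently`. If a non-blocking notice mechanism exists, comparing the cleaned value with the original and reporting the difference would let an admin see what was stripped. The enclosing validation method starts before this hunk.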
@@ -961,6 +964,8 @@ class Preferences
                 && $name == 'pref_mail_method'
             ) {
                 return GaletteMail::METHOD_DISABLED;
+            } elseif ($name == 'pref_footer') {
+                return $this->cleanHtmlValue($this->prefs[$name]);
             } else {
                 if ($name == 'pref_adhesion_form' && $this->prefs[$name] == '') {
                     $this->prefs[$name] = self::$defaults['pref_adhesion_form'];
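Review bot: The `pref_footer` branch purifies `$this->prefs[$name]` on every read and never stores the result, so each access of the footer rebuilds an HTMLPurifier config and instance (see `cleanHtmlValue` in the last hunk), whereas the neighbouring `pref_adhesion_form` branch writes its normalised value back into `$this->prefs`. Following that pattern would make the cost a one-off per request: `} elseif ($name == 'pref_footer') {` / `$this->prefs[$name] = $this->cleanHtmlValue($this->prefs[$name]);` / `return $this->prefs[$name];`. This assumes `$this->prefs` is the in-memory copy and that persisting the purified footer is acceptable, which the write-side hunk already implies. The read-time purify is still worth keeping as a defence for footers stored before this fix; a one-line comment saying so would help the next reader. The enclosing getter starts before this hunk.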
@@ -1294,4 +1299,19 @@ class Preferences
 
         return $this;
     }
+
+    /**
+     * Purify HTML value
+     *
+     * @param string $value Value to clean
+     *
+     * @return string
+     */
+    public function cleanHtmlValue(string $value): string
+    {
+        $config = \HTMLPurifier_Config::createDefault();
+        $config->set('Cache.SerializerPath', GALETTE_CACHE_DIR);
+        $purifier = new \HTMLPurifier($config);
+        return $purifier->purify($value);
+    }
 }
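Review bot: `cleanHtmlValue` builds a fresh `\HTMLPurifier_Config` and `\HTMLPurifier` on every call, and it is now invoked from both the validation path and the getter, so the purifier should be created once and reused. The `Cache.SerializerPath` directory (`GALETTE_CACHE_DIR`) must also be writable by the web process; as far as I recall HTMLPurifier emits a warning and runs uncached otherwise, so a `// GALETTE_CACHE_DIR must be writable, HTMLPurifier serialises its definitions there` comment is worth adding. The `@return string` line in the docblock only restates the native return type and could be dropped in favour of a sentence on what is removed (scripts, event handlers, non-whitelisted tags per HTMLPurifier's default policy).
```php
public function cleanHtmlValue(string $value): string
{
    // Reuse one purifier: building the config and definition cache is expensive
    // and this runs on every read of pref_footer as well as on write.
    static $purifier = null;
    if ($purifier === null) {
        $config = \HTMLPurifier_Config::createDefault();
        // GALETTE_CACHE_DIR must be writable; HTMLPurifier serialises its definitions there.
        $config->set('Cache.SerializerPath', GALETTE_CACHE_DIR);
        $purifier = new \HTMLPurifier($config);
    }
    return $purifier->purify($value);
}
```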