Security: fix multiple XSS vulnerabilities + fix search tags with special chars
[github/shaarli/Shaarli.git] / application / front / controller / admin / ManageShaareController.php
index 3aa484239e71b62539157e20ba7b9f70b15e543c..bb083486591055b5eddd7c3a75610b69d869eb33 100644 (file)
@@ -69,7 +69,7 @@ class ManageShaareController extends ShaarliAdminController
                         $retrieveDescription
                     )
                 );
-                if (! empty($title) && strtolower($charset) !== 'utf-8') {
+                if (! empty($title) && strtolower($charset) !== 'utf-8' && mb_check_encoding($charset)) {
                     $title = mb_convert_encoding($title, 'utf-8', $charset);
                 }
             }
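Review bot: `mb_check_encoding($charset)` on the new line 10 does not check that `$charset` names a supported encoding; called with one argument it only verifies that the string's bytes are valid in the internal encoding, which any ASCII charset name passes, so an unknown charset still reaches `mb_convert_encoding()` and raises a warning (PHP 7) or a `ValueError` (PHP 8). A lookup against the supported encodings is what the guard seems to intend: `&& in_array(strtolower($charset), array_map('strtolower', mb_list_encodings()), true)`. Note that `mb_list_encodings()` returns canonical names only, so commonly served aliases would still need `mb_encoding_aliases()` to be accepted. The enclosing method starts and ends outside this hunk.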
@@ -78,13 +78,13 @@ class ManageShaareController extends ShaarliAdminController
                 $title = $this->container->conf->get('general.default_note_title', t('Note: '));
             }
 
-            $link = escape([
+            $link = [
                 'title' => $title,
                 'url' => $url ?? '',
                 'description' => $description ?? '',
                 'tags' => $tags ?? '',
                 'private' => $private,
-            ]);
+            ];
         } else {
             $formatter = $this->container->formatterFactory->getFormatter('raw');
             $link = $formatter->format($bookmark);
@@ -127,7 +127,7 @@ class ManageShaareController extends ShaarliAdminController
         $this->checkToken($request);
 
         // lf_id should only be present if the link exists.
-        $id = $request->getParam('lf_id') ? intval(escape($request->getParam('lf_id'))) : null;
+        $id = $request->getParam('lf_id') !== null ? intval(escape($request->getParam('lf_id'))) : null;
         if (null !== $id && true === $this->container->bookmarkService->exists($id)) {
             // Edit
             $bookmark = $this->container->bookmarkService->get($id);
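Review bot: The new condition on line 35 still funnels every non-null `lf_id` through `intval()`, so a malformed, non-numeric value becomes `0` instead of being rejected; if `0` is a valid bookmark ID, such a request would edit that bookmark rather than create a new one. Validating the parameter as an integer avoids this: `$id = filter_var($request->getParam('lf_id'), FILTER_VALIDATE_INT);` followed by `$id = $id === false ? null : $id;`, which also covers the absent-parameter case. The `escape()` call around the value is redundant once it is cast to int. The enclosing method starts and ends outside this hunk.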
@@ -152,7 +152,7 @@ class ManageShaareController extends ShaarliAdminController
         // To preserve backward compatibility with 3rd parties, plugins still use arrays
         $formatter = $this->container->formatterFactory->getFormatter('raw');
         $data = $formatter->format($bookmark);
-        $data = $this->executeHooks('save_link', $data);
+        $this->executePageHooks('save_link', $data);
 
         $bookmark->fromArray($data);
         $this->container->bookmarkService->set($bookmark);
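Review bot: The return value that `executeHooks()` used to feed back into `$data` is dropped on line 44, so plugin modifications only survive if `executePageHooks()` takes `$data` by reference; that method is not visible here, so this is an assumption to confirm. A short comment at the call site, `// $data is modified in place by the plugin hooks`, would make the dependency explicit; the same applies to the `render_editlink` call on line 101, which previously reassigned the result as well. The enclosing method starts and ends outside this hunk.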
@@ -169,7 +169,7 @@ class ManageShaareController extends ShaarliAdminController
         return $this->redirectFromReferer(
             $request,
             $response,
-            ['add-shaare', 'shaare'], ['addlink', 'post', 'edit_link'],
+            ['/admin/add-shaare', '/admin/shaare'], ['addlink', 'post', 'edit_link'],
             $bookmark->getShortUrl()
         );
     }
@@ -211,7 +211,7 @@ class ManageShaareController extends ShaarliAdminController
             }
 
             $data = $formatter->format($bookmark);
-            $this->container->pluginManager->executeHooks('delete_link', $data);
+            $this->executePageHooks('delete_link', $data);
             $this->container->bookmarkService->remove($bookmark, false);
             ++ $count;
         }
@@ -283,7 +283,7 @@ class ManageShaareController extends ShaarliAdminController
 
             // To preserve backward compatibility with 3rd parties, plugins still use arrays
             $data = $formatter->format($bookmark);
-            $this->container->pluginManager->executeHooks('save_link', $data);
+            $this->executePageHooks('save_link', $data);
             $bookmark->fromArray($data);
 
             $this->container->bookmarkService->set($bookmark, false);
@@ -325,7 +325,7 @@ class ManageShaareController extends ShaarliAdminController
 
         // To preserve backward compatibility with 3rd parties, plugins still use arrays
         $data = $formatter->format($bookmark);
-        $this->container->pluginManager->executeHooks('save_link', $data);
+        $this->executePageHooks('save_link', $data);
         $bookmark->fromArray($data);
 
         $this->container->bookmarkService->set($bookmark);
@@ -345,16 +345,16 @@ class ManageShaareController extends ShaarliAdminController
             $tags[BookmarkMarkdownFormatter::NO_MD_TAG] = 1;
         }
 
-        $data = [
+        $data = escape([
             'link' => $link,
             'link_is_new' => $isNew,
-            'http_referer' => escape($this->container->environment['HTTP_REFERER'] ?? ''),
+            'http_referer' => $this->container->environment['HTTP_REFERER'] ?? '',
             'source' => $request->getParam('source') ?? '',
             'tags' => $tags,
             'default_private_links' => $this->container->conf->get('privacy.default_private_links', false),
-        ];
+        ]);
 
-        $data = $this->executeHooks('render_editlink', $data);
+        $this->executePageHooks('render_editlink', $data, TemplatePage::EDIT_LINK);
 
         foreach ($data as $key => $value) {
             $this->assignView($key, $value);
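Review bot: `escape()` now runs on line 89 before the `render_editlink` hook on line 101, so any value a plugin adds to or rewrites in `$data` reaches the template unescaped. Whether plugins are expected to escape their own additions is not visible here; if they are, a comment such as `// Plugins receive escaped data and must escape anything they add or rewrite` documents the contract, otherwise the escape call belongs after the hook. `default_private_links` is a bool and `tags` an array keyed by tag name passed through `escape()`; confirm the helper leaves non-string values and array keys intact. The enclosing method starts outside this hunk.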
@@ -368,19 +368,4 @@ class ManageShaareController extends ShaarliAdminController
 
         return $response->write($this->render(TemplatePage::EDIT_LINK));
     }
-
-    /**
-     * @param mixed[] $data Variables passed to the template engine
-     *
-     * @return mixed[] Template data after active plugins render_picwall hook execution.
-     */
-    protected function executeHooks(string $hook, array $data): array
-    {
-        $this->container->pluginManager->executeHooks(
-            $hook,
-            $data
-        );
-
-        return $data;
-    }
 }