Added HTML cleanning for

* add events * update events Change-Id: I2a7ea5dd833d1e97bb9c5bbc1b683fa96bbf2d12
2016-04-08 11:03:10 -03:00 · 2016-04-08 11:03:10 -03:00 · 1c302f6f51
parent 61e19ebae9
commit 1c302f6f51
3 changed files with 57 additions and 3 deletions
--- a/app/Http/Controllers/apis/protected/summit/OAuth2SummitApiController.php
+++ b/app/Http/Controllers/apis/protected/summit/OAuth2SummitApiController.php
@ -1,6 +1,7 @@
 <?php namespace App\Http\Controllers;

 use Exception;
+use libs\utils\HTMLCleaner;
 use models\exceptions\EntityNotFoundException;
 use models\exceptions\ValidationException;
 use models\summit\ISummitEventRepository;
@ -876,7 +877,13 @@ class OAuth2SummitApiController extends OAuth2ProtectedController
                );
            }

-            $event = $this->service->addEvent($summit, $data->all());
+            $fields = array
+            (
+                'title',
+                'description'
+            );
+
+            $event = $this->service->addEvent($summit, HTMLCleaner::cleanData($data->all(), $fields));

            return $this->created($event);
        }
@ -934,7 +941,13 @@ class OAuth2SummitApiController extends OAuth2ProtectedController
                );
            }

-            $event = $this->service->updateEvent($summit, $event_id, $data->all());
+            $fields = array
+            (
+                'title',
+                'description'
+            );
+
+            $event = $this->service->updateEvent($summit, $event_id, HTMLCleaner::cleanData($data->all(), $fields));

            return $this->ok($event);

--- a/app/Libs/utils/HTMLCleaner.php
+++ b/app/Libs/utils/HTMLCleaner.php
@ -0,0 +1,40 @@
+<?php
+/**
+ * Copyright 2016 OpenStack Foundation
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * http://www.apache.org/licenses/LICENSE-2.0
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ **/
+
+namespace libs\utils;
+
+/**
+ * Class HTMLCleaner
+ * @package libs\utils
+ */
+final class HTMLCleaner
+{
+    /**
+     * @param array $data
+     * @param array $fields
+     * @return array
+     */
+    public static function cleanData(array $data, array $fields)
+    {
+        $config = \HTMLPurifier_Config::createDefault();
+        // Remove any CSS or inline styles
+        $config->set('CSS.AllowedProperties', array());
+        $purifier = new \HTMLPurifier($config);
+        foreach($fields as $field){
+            if(!isset($data[$field])) continue;
+            $data[$field] = $purifier->purify($data[$field]);
+        }
+        return $data;
+    }
+}
--- a/composer.json
+++ b/composer.json
@ -11,7 +11,8 @@
    "laravel/framework": "5.0.*",
    "predis/predis": "1.0.1",
    "php": ">=5.4.0",
-    "guzzlehttp/guzzle": "5.3.0"
+    "guzzlehttp/guzzle": "5.3.0",
+    "ezyang/htmlpurifier": "4.7.0"
  },
  "require-dev": {
    "phpunit/phpunit": "4.6.6",