From e998c059b6162286cf70686f61884fd249dfa38a Mon Sep 17 00:00:00 2001 From: Philipp Date: Sun, 14 May 2023 20:31:20 +0200 Subject: [PATCH 1/3] Escape message for notifications --- .../Notifications/Entity/Notify.php | 2 +- .../Notifications/Entity/NotifyTest.php | 28 +++++++++++++++++++ 2 files changed, 29 insertions(+), 1 deletion(-) create mode 100644 tests/src/Navigation/Notifications/Entity/NotifyTest.php diff --git a/src/Navigation/Notifications/Entity/Notify.php b/src/Navigation/Notifications/Entity/Notify.php index b7a007a2f..45f450b1d 100644 --- a/src/Navigation/Notifications/Entity/Notify.php +++ b/src/Navigation/Notifications/Entity/Notify.php @@ -134,6 +134,6 @@ class Notify extends BaseEntity */ public static function formatMessage(string $name, string $message): string { - return str_replace('{0}', '' . strip_tags(BBCode::convert($name)) . '', $message); + return str_replace('{0}', '' . strip_tags(BBCode::convert($name)) . '', htmlspecialchars($message)); } } diff --git a/tests/src/Navigation/Notifications/Entity/NotifyTest.php b/tests/src/Navigation/Notifications/Entity/NotifyTest.php new file mode 100644 index 000000000..2021759e0 --- /dev/null +++ b/tests/src/Navigation/Notifications/Entity/NotifyTest.php @@ -0,0 +1,28 @@ + [ + 'name' => 'Whiskers', + 'message' => '{0} commented in the thread "If my username causes a pop up in a piece of software, that softwar…" from ', + 'assertion' => 'Whiskers commented in the thread "If my username causes a pop up in a piece of software, that softwar…" from <script>alert("Tek");</script>', + ], + ]; + } + + /** + * @dataProvider dataFormatNotify + */ + public function testFormatNotify(string $name, string $message, string $assertion) + { + self::assertEquals($assertion, Notify::formatMessage($name, $message)); + } +} From 10aec7120a64c5f248228b37514647a0a132eb65 Mon Sep 17 00:00:00 2001 
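Review bot: The new `htmlspecialchars($message)` call on the `+` line of the Notify.php hunk relies on PHP-version-dependent default flags: before PHP 8.1 the default is `ENT_COMPAT`, which leaves single quotes unencoded, and no `ENT_SUBSTITUTE` means a message containing invalid UTF-8 is returned as an empty string, so the notification silently disappears. Pin the flags and charset explicitly: `htmlspecialchars($message, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')`. Because the escaped message is the target of the `{0}` substitution, the converted name is only passed through `strip_tags` and is never entity-encoded, so a bare `&` or a `<` followed by whitespace in the name still reaches the output as-is; this commit does not change that path, and it is worth a follow-up. The docblock that ends at the hunk's ` */` line should state the resulting contract, e.g. `Escapes $message for HTML before substituting {0}; the substituted name is tag-stripped but not entity-encoded, so callers must not pre-escape $message.`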
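Review bot: `testFormatNotify` in the new NotifyTest.php declares no return type and compares strings with `assertEquals`; prefer `public function testFormatNotify(string $name, string $message, string $assertion): void` together with `self::assertSame($assertion, Notify::formatMessage($name, $message));`, since `assertSame` is the strict comparison for scalars. The single `xss-notify` dataset only exercises an element tag inside the message; a dataset with `&`, `"` and `'` in the message, and one where the name itself contains `<` or `&`, would pin the escaping contract of `formatMessage` for both arguments instead of for one payload. In this view the hunk's file preamble and the tag text inside the fixture strings appear to have been lost in extraction, so the exact fixture values are inferred.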
From: Philipp Date: Sun, 14 May 2023 20:32:34 +0200 Subject: [PATCH 2/3] add license --- .../Notifications/Entity/NotifyTest.php | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/tests/src/Navigation/Notifications/Entity/NotifyTest.php b/tests/src/Navigation/Notifications/Entity/NotifyTest.php index 2021759e0..8db0d3ae8 100644 --- a/tests/src/Navigation/Notifications/Entity/NotifyTest.php +++ b/tests/src/Navigation/Notifications/Entity/NotifyTest.php @@ -1,4 +1,23 @@ . + * + */ namespace Friendica\Test\src\Navigation\Notifications\Entity; From 07856ee6b4ef6c95bece8afa5937a4a8119a9d37 Mon Sep 17 00:00:00 2001 From: Philipp Date: Sun, 14 May 2023 20:34:42 +0200 Subject: [PATCH 3/3] PHP-CS --- tests/src/Navigation/Notifications/Entity/NotifyTest.php | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tests/src/Navigation/Notifications/Entity/NotifyTest.php b/tests/src/Navigation/Notifications/Entity/NotifyTest.php index 8db0d3ae8..fac8e4829 100644 --- a/tests/src/Navigation/Notifications/Entity/NotifyTest.php +++ b/tests/src/Navigation/Notifications/Entity/NotifyTest.php @@ -30,8 +30,8 @@ class NotifyTest extends FixtureTest { return [ 'xss-notify' => [ - 'name' => 'Whiskers', - 'message' => '{0} commented in the thread "If my username causes a pop up in a piece of software, that softwar…" from ', + 'name' => 'Whiskers', + 'message' => '{0} commented in the thread "If my username causes a pop up in a piece of software, that softwar…" from ', 'assertion' => 'Whiskers commented in the thread "If my username causes a pop up in a piece of software, that softwar…" from <script>alert("Tek");</script>', ], ];