Merge branch 'saas-cc-6055' into saas

airtime_mvc/application/Bootstrap.php

@@ -24,6 +24,7 @@ require_once "FileIO.php";
 require_once "OsPath.php";
 require_once "Database.php";
 require_once "ProvisioningHelper.php";
+require_once "SecurityHelper.php";
 require_once "GoogleAnalytics.php";
 require_once "Timezone.php";
 require_once "Auth.php";

airtime_mvc/application/common/SecurityHelper.php

@@ -1,11 +1,15 @@
 <?php
-/**
- * Created by PhpStorm.
- * User: asantoni
- * Date: 12/06/15
- * Time: 12:24 PM
- */
 
 class SecurityHelper {
 
+    public static function htmlescape_recursive(&$arr) {
+        foreach ($arr as $key => $val) {
+            if (is_array($val)) {
+                self::htmlescape_recursive($arr[$key]);
+            } else if (is_string($val)) {
+                $arr[$key] = htmlspecialchars($val, ENT_QUOTES);
+            }
+        }
+        return $arr;
+    }
 }

airtime_mvc/application/common/WidgetHelper.php

@@ -46,13 +46,14 @@ class WidgetHelper
             );
 
             $result[$dow[$i]] = $shows;
-
-            // XSS exploit prevention
-            self::convertSpecialChars($result, array("name", "url"));
-            // convert image paths to point to api endpoints
-            self::findAndConvertPaths($result);
         }
 
+        // XSS exploit prevention
+        SecurityHelper::htmlescape_recursive($result);
+
+        // convert image paths to point to api endpoints
+        self::findAndConvertPaths($result);
+
         return $result;
     }
 
@@ -124,37 +125,18 @@ class WidgetHelper
                 }
                 $result[$weekCounter][$dayOfWeekCounter]["shows"] = $shows;
 
-                // XSS exploit prevention
-                self::convertSpecialChars($result, array("name", "url"));
-                // convert image paths to point to api endpoints
-                self::findAndConvertPaths($result);
-
             }
             $weekCounter += 1;
         }
 
-        return $result;
-    }
 
-    /**
-     * Go through a given array and sanitize any potentially exploitable fields
-     * by passing them through htmlspecialchars
-     *
-     * @param unknown $arr    the array to sanitize
-     * @param unknown $keys    indexes of values to be sanitized
-     */
-    public static function convertSpecialChars(&$arr, $keys)
-    {
-        foreach ($arr as &$a) {
-            if (is_array($a)) {
-                foreach ($keys as &$key) {
-                    if (array_key_exists($key, $a)) {
-                        $a[$key] = htmlspecialchars($a[$key]);
-                    }
-                }
-                self::convertSpecialChars($a, $keys);
-            }
-        }
+        // XSS exploit prevention
+        SecurityHelper::htmlescape_recursive($result);
+
+        // convert image paths to point to api endpoints
+        self::findAndConvertPaths($result);
+
+        return $result;
     }
 
     /**

airtime_mvc/application/controllers/ApiController.php

@@ -199,9 +199,7 @@ class ApiController extends Zend_Controller_Action
             } else {
                 $result = Application_Model_Schedule::GetPlayOrderRangeOld($limit);
             }
-    
-            // XSS exploit prevention
-            WidgetHelper::convertSpecialChars($result, array("name", "url"));
+
             // apply user-defined timezone, or default to station
             Application_Common_DateHelper::convertTimestampsToTimezone(
                 $result['currentShow'],
@@ -218,6 +216,10 @@ class ApiController extends Zend_Controller_Action
             $result["schedulerTime"] = Application_Common_DateHelper::UTCStringToTimezoneString($result["schedulerTime"], $timezone);
             $result["timezone"] = $upcase ? strtoupper($timezone) : $timezone;
             $result["timezoneOffset"] = Application_Common_DateHelper::getTimezoneOffset($timezone);
+
+            // XSS exploit prevention
+            SecurityHelper::htmlescape_recursive($result);
+
             // convert image paths to point to api endpoints
             WidgetHelper::findAndConvertPaths($result);
     
@@ -288,10 +290,12 @@ class ApiController extends Zend_Controller_Action
 
             $result = Application_Model_Schedule::GetPlayOrderRange($utcTimeEnd, $showsToRetrieve);
             
-            // XSS exploit prevention
-            WidgetHelper::convertSpecialChars($result, array("name", "url"));
             // apply user-defined timezone, or default to station
             $this->applyLiveTimezoneAdjustments($result, $timezone, $upcase);
+
+            // XSS exploit prevention
+            SecurityHelper::htmlescape_recursive($result);
+
             // convert image paths to point to api endpoints
             WidgetHelper::findAndConvertPaths($result);
             

airtime_mvc/application/controllers/EmbedController.php

@@ -28,7 +28,7 @@ class EmbedController extends Zend_Controller_Action
         $this->view->jquery = Application_Common_HTTPHelper::getStationUrl() . "js/libs/jquery-1.10.2.js";
         $this->view->muses_swf = Application_Common_HTTPHelper::getStationUrl() . "js/airtime/player/muses.swf";
         $this->view->metadata_api_url = Application_Common_HTTPHelper::getStationUrl() . "api/live-info";
-        $this->view->player_title = json_encode($request->getParam('title'));
+        $this->view->player_title = json_encode($this->view->escape($request->getParam('title')));
 
         $styleParam = $request->getParam('style');
         $player_style = isset($styleParam) ? $styleParam : "basic";
@@ -98,7 +98,7 @@ class EmbedController extends Zend_Controller_Action
         $weeklyScheduleData = WidgetHelper::getWeekInfoV2($this->getRequest()->getParam("timezone"));
 
         // Return only the current week's schedule data. In the future we may use the next week's data.
-        $this->view->weeklyScheduleData = $weeklyScheduleData[0];
+        $this->view->weeklyScheduleData = ($weeklyScheduleData[0]);
 
         $currentDay = new DateTime("now", new DateTimeZone(Application_Model_Preference::GetTimezone()));
         //day of the month without leading zeros (1 to 31)

airtime_mvc/application/controllers/LibraryController.php

@@ -413,7 +413,7 @@ class LibraryController extends Zend_Controller_Action
         $this->view->sEcho = $r["sEcho"];
         $this->view->iTotalDisplayRecords = $r["iTotalDisplayRecords"];
         $this->view->iTotalRecords = $r["iTotalRecords"];
-        $this->view->files = $r["aaData"];
+        $this->view->files = SecurityHelper::htmlescape_recursive($r["aaData"]);
     }
 
     public function editFileMdAction()

airtime_mvc/application/controllers/PlayouthistoryController.php

@@ -89,6 +89,7 @@ class PlayouthistoryController extends Zend_Controller_Action
 	        $this->view->iTotalDisplayRecords = $r["iTotalDisplayRecords"];
 	        $this->view->iTotalRecords = $r["iTotalRecords"];
 	        $this->view->history = $r["history"];
+            $this->view->history = SecurityHelper::htmlescape_recursive($this->view->history);
         }
         catch (Exception $e) {
         	Logging::info($e);
@@ -112,7 +113,9 @@ class PlayouthistoryController extends Zend_Controller_Action
 	        $this->view->iTotalDisplayRecords = $r["iTotalDisplayRecords"];
 	        $this->view->iTotalRecords = $r["iTotalRecords"];
 	        $this->view->history = $r["history"];
-    	}
+            $this->view->history = SecurityHelper::htmlescape_recursive($this->view->history);
+
+        }
     	catch (Exception $e) {
     		Logging::info($e);
     		Logging::info($e->getMessage());
@@ -130,6 +133,7 @@ class PlayouthistoryController extends Zend_Controller_Action
 
     		$historyService = new Application_Service_HistoryService();
     		$shows = $historyService->getShowList($startsDT, $endsDT);
+            $shows = SecurityHelper::htmlescape_recursive($shows);
 
     		$this->_helper->json->sendJson($shows);
     	}

airtime_mvc/application/controllers/PluploadController.php

@@ -112,6 +112,6 @@ class PluploadController extends Zend_Controller_Action
         $this->view->sEcho = intval($request->getParam('sEcho'));
         $this->view->iTotalDisplayRecords = $numTotalDisplayUploads;
         $this->view->iTotalRecords = $numTotalRecentUploads;
-        $this->view->files = $uploadsArray;
+        $this->view->files = SecurityHelper::htmlescape_recursive($uploadsArray);
     }
 }

airtime_mvc/application/services/HistoryService.php

@@ -980,7 +980,7 @@ class Application_Service_HistoryService
 	        	$this->populateTemplateItem($values, $id, $instanceId);
 	        }
 	        else {
-	        	$json["form"] = $form;
+	        	$json["form"] = SecurityHelper::htmlescape_recursive($form);
 	        }
 
 	        return $json;
@@ -1008,7 +1008,8 @@ class Application_Service_HistoryService
 	            $this->populateTemplateFile($values, $id);
 	        }
 	        else {
-	        	$json["error"] = $msgs;
+	        	$json["error"] = $form->getErrorMessages();
+				$json["error"] = SecurityHelper::htmlescape_recursive($json["error"]);
 	        }
 
 	        return $json;

airtime_mvc/application/views/scripts/playlist/playlist.phtml

@@ -54,7 +54,7 @@ if (isset($this->obj)) {
         <dl class="zend_form">
             <dt id="description-label"><label for="description"><?php echo _("Description") ?></label></dt>
             <dd id="description-element">
-                <textarea cols="80" rows="24" id="description" name="description"><?php echo $this->obj->getDescription(); ?></textarea>
+                <textarea cols="80" rows="24" id="description" name="description"><?php echo $this->escape($this->obj->getDescription()); ?></textarea>
             </dd>
         </dl>
     </fieldset>