Merge branch 'saas-cc-6055' into saas

2015-06-16 16:13:40 -04:00 · 2015-06-16 16:13:40 -04:00 · 0f58e315e6
commit 0f58e315e6
parent 0b6fb9882a b4c9a77e7c
10 changed files with 46 additions and 50 deletions
--- a/airtime_mvc/application/common/SecurityHelper.php
+++ b/airtime_mvc/application/common/SecurityHelper.php
@ -1,11 +1,15 @@
 <?php
-/**
- * Created by PhpStorm.
- * User: asantoni
- * Date: 12/06/15
- * Time: 12:24 PM
- */

 class SecurityHelper {

+    public static function htmlescape_recursive(&$arr) {
+        foreach ($arr as $key => $val) {
+            if (is_array($val)) {
+                self::htmlescape_recursive($arr[$key]);
+            } else if (is_string($val)) {
+                $arr[$key] = htmlspecialchars($val, ENT_QUOTES);
+            }
+        }
+        return $arr;
+    }
 }
--- a/airtime_mvc/application/common/WidgetHelper.php
+++ b/airtime_mvc/application/common/WidgetHelper.php
@ -46,13 +46,14 @@ class WidgetHelper
            );

            $result[$dow[$i]] = $shows;
-
-            // XSS exploit prevention
-            self::convertSpecialChars($result, array("name", "url"));
-            // convert image paths to point to api endpoints
-            self::findAndConvertPaths($result);
        }

+        // XSS exploit prevention
+        SecurityHelper::htmlescape_recursive($result);
+
+        // convert image paths to point to api endpoints
+        self::findAndConvertPaths($result);
+
        return $result;
    }

@ -124,37 +125,18 @@ class WidgetHelper
                }
                $result[$weekCounter][$dayOfWeekCounter]["shows"] = $shows;

-                // XSS exploit prevention
-                self::convertSpecialChars($result, array("name", "url"));
-                // convert image paths to point to api endpoints
-                self::findAndConvertPaths($result);
-
            }
            $weekCounter += 1;
        }

-        return $result;
-    }

-    /**
-     * Go through a given array and sanitize any potentially exploitable fields
-     * by passing them through htmlspecialchars
-     *
-     * @param unknown $arr    the array to sanitize
-     * @param unknown $keys    indexes of values to be sanitized
-     */
-    public static function convertSpecialChars(&$arr, $keys)
-    {
-        foreach ($arr as &$a) {
-            if (is_array($a)) {
-                foreach ($keys as &$key) {
-                    if (array_key_exists($key, $a)) {
-                        $a[$key] = htmlspecialchars($a[$key]);
-                    }
-                }
-                self::convertSpecialChars($a, $keys);
-            }
-        }
+        // XSS exploit prevention
+        SecurityHelper::htmlescape_recursive($result);
+
+        // convert image paths to point to api endpoints
+        self::findAndConvertPaths($result);
+
+        return $result;
    }

    /**