Fix/url regex (#1842)

* fix: Tweak URL's regex to avoid XSS.

Thanks to @rgavilan for the feedback!
Closes #1840.

Signed-off-by: Rubén D <[email protected]>

* chore: Update dependencies.

Signed-off-by: Rubén D <[email protected]>

* chore: Use `ENT_QUOTES` flag for all `htmlspecialchars` calls.

Signed-off-by: Rubén D <[email protected]>

Author: nuxsmin

app/modules/web/themes/material-blue/views/account/account-editpass.inc

@@ -1,4 +1,27 @@
 <?php
+/*
+ * sysPass
+ *
+ * @author nuxsmin
+ * @link https://syspass.org
+ * @copyright 2012-2022, Rubén Domínguez nuxsmin@$syspass.org
+ *
+ * This file is part of sysPass.
+ *
+ * sysPass is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * sysPass is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with sysPass.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
 /**
  * @var callable       $_getvar
  * @var ThemeIcons     $icons

app/modules/web/themes/material-blue/views/account/account-history.inc

@@ -1,4 +1,27 @@
 <?php
+/*
+ * sysPass
+ *
+ * @author nuxsmin
+ * @link https://syspass.org
+ * @copyright 2012-2022, Rubén Domínguez nuxsmin@$syspass.org
+ *
+ * This file is part of sysPass.
+ *
+ * sysPass is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * sysPass is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with sysPass.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
 /**
  * @var callable       $_getvar
  * @var ThemeIcons     $icons

app/modules/web/themes/material-blue/views/account/account-link.inc

@@ -1,4 +1,27 @@
 <?php
+/*
+ * sysPass
+ *
+ * @author nuxsmin
+ * @link https://syspass.org
+ * @copyright 2012-2022, Rubén Domínguez nuxsmin@$syspass.org
+ *
+ * This file is part of sysPass.
+ *
+ * sysPass is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * sysPass is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with sysPass.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
 /**
  * @var callable       $_getvar
  * @var ThemeIcons     $icons

app/modules/web/themes/material-blue/views/account/search-rows.inc

@@ -134,7 +134,10 @@ $favoriteRouteOff = $_getvar('favoriteRouteOff');
                                     <?php echo htmlspecialchars($accountSearchItem->getShortUrl(), ENT_QUOTES); ?>
                                 </a>
                             <?php else: ?>
-                                <div class="field-text"><?php echo htmlspecialchars($accountSearchItem->getShortUrl(), ENT_QUOTES); ?></div>
+                                <div class="field-text"><?php echo htmlspecialchars(
+                                        $accountSearchItem->getShortUrl(),
+                                        ENT_QUOTES
+                                    ); ?></div>
                             <?php endif; ?>
                         </div>
                     <?php else: ?>
@@ -280,15 +283,20 @@ $favoriteRouteOff = $_getvar('favoriteRouteOff');
                         <?php if ($wikiFilter
                             && $accountSearchItem->isWikiMatch($wikiFilter)): ?>
                             <?php if (AccountSearchItem::$dokuWikiEnabled): ?>
-                                <a href="<?php echo $_getvar('wikiPageUrl'), urldecode($accountSearchData->getName()); ?>"
+                                <a href="<?php echo $_getvar('wikiPageUrl'), urlencode(
+                                    $accountSearchData->getName()
+                                ); ?>"
                                    target="_blank">
                                     <i class="material-icons"
                                        title="<?php echo __('Link to Wiki'); ?>">library_books</i>
                                 </a>
                                 <i class="btn-action material-icons fg-green100"
                                    title="<?php echo __('View at Wiki'); ?>"
                                    data-action-route="<?php echo ActionsInterface::WIKI_VIEW; ?>"
-                                   data-pagename="<?php echo htmlspecialchars($accountSearchData->getName(), ENT_QUOTES); ?>"
+                                   data-pagename="<?php echo htmlspecialchars(
+                                       $accountSearchData->getName(),
+                                       ENT_QUOTES
+                                   ); ?>"
                                    data-onclick="wiki/show">library_books</i>
                             <?php else: ?>
                                 <a href="<?php echo $_getvar('wikiPageUrl'), urlencode($accountSearchData->getName()); ?>"

app/modules/web/themes/material-blue/views/config/general-site.inc

@@ -1,4 +1,27 @@
 <?php
+/*
+ * sysPass
+ *
+ * @author nuxsmin
+ * @link https://syspass.org
+ * @copyright 2012-2022, Rubén Domínguez nuxsmin@$syspass.org
+ *
+ * This file is part of sysPass.
+ *
+ * sysPass is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * sysPass is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with sysPass.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
 /**
  * @var ThemeIcons $icons
  * @var ConfigData $configData
@@ -109,7 +132,9 @@ use SP\Mvc\View\Template;
                  class="icon material-icons <?php echo $icons->getIconHelp()->getClass(); ?>"><?php echo $icons->getIconHelp()->getIcon(); ?></div>
             <div class="mdl-tooltip mdl-tooltip--large" for="help-app_url">
                 <p>
-                    <?php echo __('Sets the application URL when accessing through a reverse proxy or load balancer.'); ?>
+                    <?php echo __(
+                        'Sets the application URL when accessing through a reverse proxy or load balancer.'
+                    ); ?>
                 </p>
             </div>
         </td>

app/modules/web/themes/material-blue/views/config/wiki-dokuwiki.inc

@@ -1,4 +1,27 @@
 <?php
+/*
+ * sysPass
+ *
+ * @author nuxsmin
+ * @link https://syspass.org
+ * @copyright 2012-2022, Rubén Domínguez nuxsmin@$syspass.org
+ *
+ * This file is part of sysPass.
+ *
+ * sysPass is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * sysPass is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with sysPass.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
 /**
  * @var ThemeIcons $icons
  * @var ConfigData $configData
@@ -97,7 +120,8 @@ use SP\Mvc\View\Template;
             <td class="descField">
                 <?php echo __('Base URL'); ?>
                 <div id="help-dokuwiki_urlbase"
-                     class="icon material-icons <?php echo $icons->getIconHelp()->getClass(); ?>"><?php echo $icons->getIconHelp()->getIcon(); ?></div>
+                     class="icon material-icons <?php echo $icons->getIconHelp()->getClass(
+                     ); ?>"><?php echo $icons->getIconHelp()->getIcon(); ?></div>
                 <div class="mdl-tooltip mdl-tooltip--large"
                      for="help-dokuwiki_urlbase">
                     <p>
@@ -128,7 +152,8 @@ use SP\Mvc\View\Template;
             <td class="descField">
                 <?php echo __('User'); ?>
                 <div id="help-dokuwiki_user"
-                     class="icon material-icons <?php echo $icons->getIconHelp()->getClass(); ?>"><?php echo $icons->getIconHelp()->getIcon(); ?></div>
+                     class="icon material-icons <?php echo $icons->getIconHelp()->getClass(
+                     ); ?>"><?php echo $icons->getIconHelp()->getIcon(); ?></div>
                 <div class="mdl-tooltip mdl-tooltip--large"
                      for="help-dokuwiki_user">
                     <p>

app/modules/web/themes/material-blue/views/config/wiki.inc

@@ -1,4 +1,27 @@
 <?php
+/*
+ * sysPass
+ *
+ * @author nuxsmin
+ * @link https://syspass.org
+ * @copyright 2012-2022, Rubén Domínguez nuxsmin@$syspass.org
+ *
+ * This file is part of sysPass.
+ *
+ * sysPass is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * sysPass is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with sysPass.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
 /**
  * @var ThemeIcons $icons
  * @var ConfigData $configData
@@ -84,7 +107,8 @@ use SP\Mvc\View\Template;
             <td class="descField">
                 <?php echo __('Wiki page URL'); ?>
                 <div id="help-wiki_pageurl"
-                     class="icon material-icons <?php echo $icons->getIconHelp()->getClass(); ?>"><?php echo $icons->getIconHelp()->getIcon(); ?></div>
+                     class="icon material-icons <?php echo $icons->getIconHelp()->getClass(
+                     ); ?>"><?php echo $icons->getIconHelp()->getIcon(); ?></div>
                 <div class="mdl-tooltip mdl-tooltip--large"
                      for="help-wiki_pageurl">
                     <p>
@@ -119,7 +143,8 @@ use SP\Mvc\View\Template;
             <td class="descField">
                 <?php echo __('Account name prefix'); ?>
                 <div id="help-wikifilter"
-                     class="icon material-icons <?php echo $icons->getIconHelp()->getClass(); ?>"><?php echo $icons->getIconHelp()->getIcon(); ?></div>
+                     class="icon material-icons <?php echo $icons->getIconHelp()->getClass(
+                     ); ?>"><?php echo $icons->getIconHelp()->getIcon(); ?></div>
                 <div class="mdl-tooltip mdl-tooltip--large"
                      for="help-wikifilter">
                     <p>

composer.json

@@ -65,7 +65,6 @@
   },
   "config": {
     "classmap-authoritative": false,
-    "platform-check": false,
     "platform": {
       "php": "7.4"
     }