Sanitize family registration form data (#7063)

# Description & Issue number it closes  Strip tags and encode HTML characters in form data, preventing XSS. Resolves #7029 ## Screenshots (if appropriate)  None. ## How to test the changes? Manually testing using docker image. ## Type of change - [x] Bug fix (non-breaking change which fixes an issue) - [ ] New feature (non-breaking change which adds functionality) - [ ] Breaking change (fix or feature that would cause existing functionality to not work as expected) - [ ] This change requires a documentation update # How Has This Been Tested?  Manually testing using docker image. # Checklist: - [x] My code follows the style guidelines of this project - [x] I have performed a self-review of my code - [ ] I have commented my code, particularly in hard-to-understand areas - [ ] I have made corresponding changes to the documentation - [x] My changes generate no new warnings - [ ] I have added tests that prove my fix is effective or that my feature works - [ ] New and existing unit tests pass locally with my changes - [ ] Any dependent changes have been merged and published in downstream modules
ChurchCRM · Jun 12, 2024 · 416ce93 · 416ce93
2 parents 6be4531 + 00a1d86
commit 416ce93
Showing 1 changed file with 17 additions and 3 deletions.
diff --git a/src/api/routes/public/public-register.php b/src/api/routes/public/public-register.php
@@ -19,10 +19,17 @@
 
 function registerFamilyAPI(Request $request, Response $response, array $args): Response
 {
-    $family = new Family();
+    $familyMetadata = [];
 
-    $familyMetadata = $request->getParsedBody();
+    foreach ($request->getParsedBody() as $key => $value) {
+        if (is_string($value)) {
+            $familyMetadata[$key] = htmlspecialchars(trim(strip_tags($value)), ENT_QUOTES, 'UTF-8');
+        } else {
+            $familyMetadata[$key] = $value;
+        }
+    };
 
+    $family = new Family();
     $family->setName($familyMetadata['Name']);
     $family->setAddress1($familyMetadata['Address1']);
     $family->setAddress2($familyMetadata['Address2']);
@@ -37,7 +44,6 @@ function registerFamilyAPI(Request $request, Response $response, array $args): R
     $family->setEnteredBy(Person::SELF_REGISTER);
     $family->setDateEntered(new DateTime());
 
-    $familyMembers = [];
     if (!$family->validate()) {
         return SlimUtils::renderJSON(
             $response,
@@ -48,6 +54,9 @@ function registerFamilyAPI(Request $request, Response $response, array $args): R
             400
         );
     }
+
+    $familyMembers = [];
+
     foreach ($familyMetadata['people'] as $personMetaData) {
         $person = new Person();
         $person->setEnteredBy(Person::SELF_REGISTER);
@@ -63,6 +72,7 @@ function registerFamilyAPI(Request $request, Response $response, array $args): R
         $person->setFlags($personMetaData['hideAge'] ? '1' : 0);
 
         $birthday = $personMetaData['birthday'];
+
         if (!empty($birthday)) {
             $birthdayDate = DateTime::createFromFormat('m/d/Y', $birthday);
             $person->setBirthDay($birthdayDate->format('d'));
@@ -76,17 +86,20 @@ function registerFamilyAPI(Request $request, Response $response, array $args): R
             return SlimUtils::renderJSON($response, ['error' => gettext('Validation Error'),
                 'failures' => ORMUtils::getValidationErrors($person->getValidationFailures())], 401);
         }
+
         $familyMembers[] = $person;
     }
 
     $family->save();
+
     foreach ($familyMembers as $person) {
         $person->setFamily($family);
         $family->addPerson($person);
         $person->save();
     }
 
     $family->save();
+
     return SlimUtils::renderJSON($response, $family->toArray());
 }
 
@@ -96,6 +109,7 @@ function registerPersonAPI(Request $request, Response $response, array $args): R
     $person->fromJSON($request->getBody());
     $person->setEnteredBy(Person::SELF_REGISTER);
     $person->setDateEntered(new DateTime());
+
     if (!$person->validate()) {
         return SlimUtils::renderJSON(
             $response,