From 54063e63cd9902555fe52c4dbd8a6b5129520e71 Mon Sep 17 00:00:00 2001
From: Skylar Ittner
Date: Wed, 5 Jul 2017 22:38:31 -0600
Subject: [PATCH] Add rich input sanitization with htmlpurifier

---
 action.php | 9 +++++--
 composer.json | 3 ++-
 composer.lock | 60 +++++++++++++++++++++++++++++++++++++++++-----
 pages/edittask.php | 6 ++---
 required.php | 4 ++--
 5 files changed, 68 insertions(+), 14 deletions(-)

diff --git a/action.php b/action.php
index 99712b3..fef297f 100644
--- a/action.php
+++ b/action.php
@@ -102,12 +102,17 @@ switch ($VARS['action']) {
  die();
  }
 
+ $config = HTMLPurifier_Config::createDefault();
+ $purifier = new HTMLPurifier($config);
+ $taskdesc = $purifier->purify($VARS['taskdesc']);
+ //$taskdesc = $VARS['taskdesc'];
+
  if (is_empty($VARS['taskid'])) {
- $database->insert('tasks', ['tasktitle' => $VARS['tasktitle'], 'taskdesc' => $VARS['taskdesc'], 'taskcreatoruid' => $_SESSION['uid']]);
+ $database->insert('tasks', ['tasktitle' => $VARS['tasktitle'], 'taskdesc' => $taskdesc, 'taskcreatoruid' => $_SESSION['uid']]);
  $VARS['taskid'] = $database->id();
  header('Location: app.php?page=edittask&taskid=' . $database->id() . '&msg=task_saved');
  } else {
- $database->update('tasks', ['tasktitle' => $VARS['tasktitle'], 'taskdesc' => $VARS['taskdesc']], ['taskid' => $VARS['taskid']]);
+ $database->update('tasks', ['tasktitle' => $VARS['tasktitle'], 'taskdesc' => $taskdesc], ['taskid' => $VARS['taskid']]);
  header('Location: app.php?page=edittask&taskid=' . $VARS['taskid'] . '&msg=task_saved');
  }
 
diff --git a/composer.json b/composer.json
index 5afe65b..1120b75 100644
--- a/composer.json
+++ b/composer.json
@@ -4,7 +4,8 @@
  "type": "project",
  "require": {
  "catfan/medoo": "^1.2",
- "guzzlehttp/guzzle": "^6.2"
+ "guzzlehttp/guzzle": "^6.2",
+ "ezyang/htmlpurifier": "^4.9"
  },
  "license": "OTHER",
  "authors": [
diff --git a/composer.lock b/composer.lock
index 1896297..5d26db5 100644
--- a/composer.lock
+++ b/composer.lock
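Review bot: The purifier is built from `HTMLPurifier_Config::createDefault()` with no settings, so the stored description keeps everything the library's default profile permits (including `img` and inline `style`), and the definition cache defaults to a directory inside HTMLPurifier's own library tree under vendor/, which is frequently read-only in deployment and then fails with warnings on every save. Restrict the markup to what the task editor actually emits and give the cache a writable location, e.g. `$config->set('HTML.Allowed', 'p,br,strong,em,ul,ol,li,a[href]');` and `$config->set('Cache.SerializerPath', __DIR__ . '/cache/htmlpurifier');` (example values; the directory must exist and be writable by the web server). `tasktitle` on the insert and update lines is still stored exactly as received, so it has to be escaped at output, which is not visible in this hunk. The commented-out `//$taskdesc = $VARS['taskdesc'];` is dead code and should be removed rather than left as a switch-back hint. The enclosing `switch ($VARS['action'])` case starts and ends outside the hunk.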
@@ -4,7 +4,8 @@ "Read more about it at https://getcomposer.org/doc/01-basic-usage.md#composer-lock-the-lock-file", "This file is @generated automatically" ], - "content-hash": "1c8b61c5d506ae016285b99b20040cf0", + "hash": "8e38254e3739787b4de62b754445585d", + "content-hash": "63c81acf75eb3b29eebe3171a18b4d9f", "packages": [ { "name": "catfan/medoo", @@ -63,7 +64,54 @@ "sql", "sqlite" ], - "time": "2017-05-22T04:39:48+00:00" + "time": "2017-05-22 04:39:48" + }, + { + "name": "ezyang/htmlpurifier", + "version": "v4.9.3", + "source": { + "type": "git", + "url": "https://github.com/ezyang/htmlpurifier.git", + "reference": "95e1bae3182efc0f3422896a3236e991049dac69" + }, + "dist": { + "type": "zip", + "url": "https://api.github.com/repos/ezyang/htmlpurifier/zipball/95e1bae3182efc0f3422896a3236e991049dac69", + "reference": "95e1bae3182efc0f3422896a3236e991049dac69", + "shasum": "" + }, + "require": { + "php": ">=5.2" + }, + "require-dev": { + "simpletest/simpletest": "^1.1" + }, + "type": "library", + "autoload": { + "psr-0": { + "HTMLPurifier": "library/" + }, + "files": [ + "library/HTMLPurifier.composer.php" + ] + }, + "notification-url": "https://packagist.org/downloads/", + "license": [ + "LGPL" + ], + "authors": [ + { + "name": "Edward Z. Yang", + "email": "admin@htmlpurifier.org", + "homepage": "http://ezyang.com" + } + ], + "description": "Standards compliant HTML filter written in PHP", + "homepage": "http://htmlpurifier.org/", + "keywords": [ + "html" + ], + "time": "2017-06-03 02:28:16" }, { "name": "guzzlehttp/guzzle", @@ -125,7 +173,7 @@ "rest", "web service" ], - "time": "2017-02-28T22:50:30+00:00" + "time": "2017-02-28 22:50:30" }, { "name": "guzzlehttp/promises", @@ -176,7 +224,7 @@ "keywords": [ "promise" ], - "time": "2016-12-20T10:07:11+00:00" + "time": "2016-12-20 10:07:11" }, { "name": "guzzlehttp/psr7", @@ -241,7 +289,7 @@ "uri", "url" ], - "time": "2017-03-20T17:10:46+00:00" + "time": "2017-03-20 17:10:46" }, { "name": "psr/http-message", 
@@ -291,7 +339,7 @@ "request", "response" ], - "time": "2016-08-06T14:39:51+00:00" + "time": "2016-08-06 14:39:51" } ], "packages-dev": [], diff --git a/pages/edittask.php b/pages/edittask.php index b6ac8b0..16467df 100644 --- a/pages/edittask.php +++ b/pages/edittask.php @@ -57,10 +57,10 @@ if (!is_empty($taskid) && $database->has('assigned_tasks', ['taskid' => $taskid] : " placeholder="" />
- : -

+ : " /> +
- : + : "/>
diff --git a/required.php b/required.php index 4e29400..89913e0 100644 --- a/required.php +++ b/required.php @@ -156,7 +156,7 @@ function checkDBError($specials = []) { } /* - * http://stackoverflow.com/a/20075147/2534036 + * http://stackoverflow.com/a/20075147 */ if (!function_exists('base_url')) { @@ -200,7 +200,7 @@ function redirectIfNotLoggedIn() { } /** - * http://stackoverflow.com/a/24401462/2534036 + * http://stackoverflow.com/a/24401462 */ function checkIsAValidDate($myDateString) { return (bool) strtotime($myDateString);