From 3002ed9e93ea39b7c341b0b3a24f0d4f654ef062 Mon Sep 17 00:00:00 2001
From: Igor Scheller <igor.scheller@igorshp.de>
Date: Tue, 29 Aug 2017 22:22:53 +0200
Subject: Security: Only allow angels with admin_news_html privilege to use
 HTML

---
 db/update.sql                  | 22 +++++++++++++---------
 includes/pages/admin_news.php  | 11 ++++++++---
 includes/pages/admin_user.php  |  2 +-
 includes/pages/guest_login.php |  2 +-
 includes/pages/user_news.php   | 12 +++++++++---
 includes/sys_auth.php          |  2 +-
 includes/sys_form.php          | 15 ++++++++-------
 7 files changed, 41 insertions(+), 25 deletions(-)

diff --git a/db/update.sql b/db/update.sql
index dd203a86..5d93e230 100644
--- a/db/update.sql
+++ b/db/update.sql
@@ -8,19 +8,23 @@ ALTER TABLE `User` ADD COLUMN `email_by_human_allowed` BOOLEAN NOT NULL;
 -- No Self Sign Up for some Angel Types
 ALTER TABLE AngelTypes ADD no_self_signup TINYINT(1) NOT NULL;
 
-ALTER TABLE `AngelTypes`  
-  ADD `contact_user_id` INT NULL,  
-  ADD `contact_name` VARCHAR(250) NULL,  
-  ADD `contact_dect` VARCHAR(5) NULL,  
-  ADD `contact_email` VARCHAR(250) NULL,  
+ALTER TABLE `AngelTypes`
+  ADD `contact_user_id` INT NULL,
+  ADD `contact_name` VARCHAR(250) NULL,
+  ADD `contact_dect` VARCHAR(5) NULL,
+  ADD `contact_email` VARCHAR(250) NULL,
   ADD INDEX  (`contact_user_id`);
-ALTER TABLE `AngelTypes` 
+ALTER TABLE `AngelTypes`
   ADD  FOREIGN KEY (`contact_user_id`) REFERENCES `User`(`UID`) ON DELETE SET NULL ON UPDATE CASCADE;
 
-  
 INSERT INTO `Privileges` (`id`, `name`, `desc`) VALUES (NULL, 'shiftentry_edit_angeltype_supporter', 'If user with this privilege is angeltype supporter, he can put users in shifts for their angeltype');
 
-
 -- DB Performance
 ALTER TABLE `Shifts` ADD INDEX(`start`);
-ALTER TABLE `NeededAngelTypes` ADD INDEX(`count`);
\ No newline at end of file
+ALTER TABLE `NeededAngelTypes` ADD INDEX(`count`);
+
+-- Security
+UPDATE `Groups` SET UID = UID * 10;
+INSERT INTO `Groups` (Name, UID) VALUES ('News Admin', -65);
+INSERT INTO `Privileges` (id, name, `desc`) VALUES (42, 'admin_news_html', 'Use HTML in news');
+INSERT INTO `GroupPrivileges` (group_id, privilege_id) VALUES (-65, 14), (-65, 42);
diff --git a/includes/pages/admin_news.php b/includes/pages/admin_news.php
index 64a54f4b..bc78a6b1 100644
--- a/includes/pages/admin_news.php
+++ b/includes/pages/admin_news.php
@@ -7,7 +7,7 @@ use Engelsystem\Database\DB;
  */
 function admin_news()
 {
-    global $user;
+    global $user, $privileges;
     $request = request();
 
     if (!$request->has('action')) {
@@ -51,6 +51,11 @@ function admin_news()
             break;
 
         case 'save':
+            $text = $request->postData('eText');
+            if (!in_array('admin_news_html', $privileges)) {
+                $text = strip_tags($text);
+            }
+
             DB::update('
                 UPDATE `News` SET
                     `Datum`=?,
@@ -62,8 +67,8 @@ function admin_news()
                 ',
                 [
                     time(),
-                    $request->postData('eBetreff'),
-                    $request->postData('eText'),
+                    strip_tags($request->postData('eBetreff')),
+                    $text,
                     $user['UID'],
                     $request->has('eTreffen') ? 1 : 0,
                     $news_id
diff --git a/includes/pages/admin_user.php b/includes/pages/admin_user.php
index aea68f52..ca814b2e 100644
--- a/includes/pages/admin_user.php
+++ b/includes/pages/admin_user.php
@@ -272,7 +272,7 @@ function admin_user()
                       WHERE `UID` = ?
                       LIMIT 1';
                 DB::update($sql, [
-                    $request->postData('eNick'),
+                    User_validate_Nick($request->postData('eNick')),
                     $request->postData('eName'),
                     $request->postData('eVorname'),
                     $request->postData('eTelefon'),
diff --git a/includes/pages/guest_login.php b/includes/pages/guest_login.php
index 3966b55c..9c706cfc 100644
--- a/includes/pages/guest_login.php
+++ b/includes/pages/guest_login.php
@@ -233,7 +233,7 @@ function guest_register()
 
             // Assign user-group and set password
             $user_id = DB::getPdo()->lastInsertId();
-            DB::insert('INSERT INTO `UserGroups` (`uid`, `group_id`) VALUES (?, -2)', [$user_id]);
+            DB::insert('INSERT INTO `UserGroups` (`uid`, `group_id`) VALUES (?, -20)', [$user_id]);
             set_password($user_id, $request->postData('password'));
 
             // Assign angel-types
diff --git a/includes/pages/user_news.php b/includes/pages/user_news.php
index bdbb0645..0e38e619 100644
--- a/includes/pages/user_news.php
+++ b/includes/pages/user_news.php
@@ -155,7 +155,7 @@ function user_news_comments()
             $user_source = User($comment['UID']);
 
             $html .= '<div class="panel panel-default">';
-            $html .= '<div class="panel-body">' . nl2br($comment['Text']) . '</div>';
+            $html .= '<div class="panel-body">' . nl2br(htmlspecialchars($comment['Text'])) . '</div>';
             $html .= '<div class="panel-footer text-muted">';
             $html .= '<span class="glyphicon glyphicon-time"></span> ' . $comment['Datum'] . '&emsp;';
             $html .= User_Nick_render($user_source);
@@ -191,14 +191,20 @@ function user_news()
         if (!$request->has('treffen')) {
             $isMeeting = 0;
         }
+
+        $text = $request->postData('text');
+        if (!in_array('admin_news_html', $privileges)) {
+            $text = strip_tags($text);
+        }
+
         DB::insert('
             INSERT INTO `News` (`Datum`, `Betreff`, `Text`, `UID`, `Treffen`)
             VALUES (?, ?, ?, ?, ?)
             ',
             [
                 time(),
-                $request->postData('betreff'),
-                $request->postData('text'),
+                strip_tags($request->postData('betreff')),
+                $text,
                 $user['UID'],
                 $isMeeting,
             ]
diff --git a/includes/sys_auth.php b/includes/sys_auth.php
index 856ed4ab..607d180b 100644
--- a/includes/sys_auth.php
+++ b/includes/sys_auth.php
@@ -31,7 +31,7 @@ function load_auth()
     }
 
     // guest privileges
-    $privileges = privileges_for_group(-1);
+    $privileges = privileges_for_group(-10);
 }
 
 /**
diff --git a/includes/sys_form.php b/includes/sys_form.php
index 78e97792..148af965 100644
--- a/includes/sys_form.php
+++ b/includes/sys_form.php
@@ -10,7 +10,7 @@
  */
 function form_hidden($name, $value)
 {
-    return '<input type="hidden" name="' . $name . '" value="' . $value . '" />';
+    return '<input type="hidden" name="' . $name . '" value="' . htmlspecialchars($value) . '" />';
 }
 
 /**
@@ -25,7 +25,7 @@ function form_spinner($name, $label, $value)
 {
     return form_element($label, '
       <div class="input-group">
-        <input id="spinner-' . $name . '" class="form-control" type="text" name="' . $name . '" value="' . $value . '" />
+        <input id="spinner-' . $name . '" class="form-control" name="' . $name . '" value="' . htmlspecialchars($value) . '" />
         <div class="input-group-btn">
           <button id="spinner-' . $name . '-down" class="btn btn-default" type="button">
             <span class="glyphicon glyphicon-minus"></span>
@@ -66,7 +66,8 @@ function form_date($name, $label, $value, $start_date = '', $end_date = '')
     $end_date = is_numeric($end_date) ? date('Y-m-d', $end_date) : '';
     return form_element($label, '
     <div class="input-group date" id="' . $dom_id . '">
-      <input type="text" name="' . $name . '" class="form-control" value="' . $value . '"><span class="input-group-addon">' . glyph('th') . '</span>
+      <input name="' . $name . '" class="form-control" value="' . htmlspecialchars($value) . '">'
+        . '<span class="input-group-addon">' . glyph('th') . '</span>
     </div>
     <script type="text/javascript">
 			$(function(){
@@ -154,7 +155,7 @@ function form_checkbox($name, $label, $selected, $value = 'checked', $id = null)
     }
 
     return '<div class="checkbox"><label>'
-        . '<input type="checkbox" id="' . $name . '" name="' . $name . '" value="' . $value . '" '
+        . '<input type="checkbox" id="' . $id . '" name="' . $name . '" value="' . htmlspecialchars($value) . '" '
         . ($selected ? ' checked="checked"' : '') . ' /> '
         . $label
         . '</label></div>';
@@ -172,7 +173,7 @@ function form_checkbox($name, $label, $selected, $value = 'checked', $id = null)
 function form_radio($name, $label, $selected, $value)
 {
     return '<div class="radio">'
-        . '<label><input type="radio" id="' . $name . '" name="' . $name . '" value="' . $value . '" '
+        . '<label><input type="radio" id="' . $name . '" name="' . $name . '" value="' . htmlspecialchars($value) . '" '
         . ($selected ? ' checked="checked"' : '') . ' /> '
         . $label
         . '</label></div>';
@@ -333,8 +334,8 @@ function form_textarea($name, $label, $value, $disabled = false)
     $disabled = $disabled ? ' disabled="disabled"' : '';
     return form_element(
         $label,
-        '<textarea rows="5" class="form-control" id="form_' . $name . '" type="text" name="'
-        . $name . '" ' . $disabled . '>' . $value . '</textarea>',
+        '<textarea rows="5" class="form-control" id="form_' . $name . '" name="'
+        . $name . '" ' . $disabled . '>' . htmlspecialchars($value) . '</textarea>',
         'form_' . $name
     );
 }
-- 
cgit v1.2.3-54-g00ecf