From 1dbc3e6c8fbf5d2dc551cb27fad0de3584dee40f Mon Sep 17 00:00:00 2001
From: fuzegit
Date: Sat, 5 Aug 2023 15:30:12 +0300
Subject: [PATCH] Vulnerabilities fixed, thanks to huntr.dev
---
 system/controllers/admin/actions/menu_tree_ajax.php | 2 +-
 system/controllers/tags/actions/autocomplete.php | 4 ++--
 system/core/user.php | 6 ++++--
 system/fields/string.php | 9 +++++++++
 system/libs/template.helper.php | 2 +-
 templates/admincoreui/assets/ui/form.tpl.php | 2 +-
 templates/admincoreui/assets/ui/grid-perms.tpl.php | 2 +-
 templates/admincoreui/controllers/admin/menu.tpl.php | 2 +-
 templates/default/assets/ui/confirm.tpl.php | 2 +-
 templates/default/assets/ui/filter-panel.tpl.php | 2 +-
 templates/default/assets/ui/form.tpl.php | 2 +-
 templates/default/assets/ui/grid-perms.tpl.php | 2 +-
 templates/modern/assets/ui/filter-panel.tpl.php | 2 +-
 templates/modern/assets/ui/form.tpl.php | 2 +-
 14 files changed, 26 insertions(+), 15 deletions(-)
diff --git a/system/controllers/admin/actions/menu_tree_ajax.php b/system/controllers/admin/actions/menu_tree_ajax.php
index 2654c5365..122007fa9 100755
--- a/system/controllers/admin/actions/menu_tree_ajax.php
+++ b/system/controllers/admin/actions/menu_tree_ajax.php
@@ -25,7 +25,7 @@ public function run() {
 if ($items) {
 foreach ($items as $item) {
 $tree_nodes[] = [
- 'title' => $item['title'],
+ 'title' => html($item['title'], false),
 'key' => "{$menu_id}.{$item['id']}",
 'isLazy' => ($item['childs_count'] > 0)
 ];
diff --git a/system/controllers/tags/actions/autocomplete.php b/system/controllers/tags/actions/autocomplete.php
index 05a394a9d..500c0923b 100755
--- a/system/controllers/tags/actions/autocomplete.php
+++ b/system/controllers/tags/actions/autocomplete.php
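Review bot: Encoding the title inside the JSON producer (`'title' => html($item['title'], false)`) puts the output escaping at the wrong layer: every consumer of this endpoint now gets HTML entities in a data field, so a client that inserts titles as text (`textContent`, or a tree widget with title escaping enabled) will display `&lt;b&gt;` literally, while one that already escapes will double-encode. If the JS tree widget is the only consumer and injects titles as HTML, returning the raw title and switching the widget to escape titles on render is the more robust fix; if the server-side encode is kept, say so at the call site, e.g. `// HTML-encoded here because the tree widget renders titles as HTML`. The meaning of the second argument `false` to html() is not visible in this hunk, so I cannot confirm whether pre-existing entities are preserved or re-encoded. run()'s body starts and ends outside the hunk.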
@@ -12,13 +12,13 @@ public function run() { $result = []; - $term = $this->request->get('term', ''); + $term = strip_tags($this->request->get('term', '')); if (!$term) { return $this->cms_template->renderJSON($result); } $tags = $this->model->filterLike('tag', "%{$term}%")-> - select("(LEFT(`tag`, " . mb_strlen($term) . ") = '{$term}')", 'tag_order')-> + select("(LEFT(`tag`, " . mb_strlen($term) . ") = '".$this->model->db->escape($term)."')", 'tag_order')-> orderByList([ ['by' => 'tag_order', 'to' => 'desc', 'strict' => true], ['by' => 'tag', 'to' => 'asc'] diff --git a/system/core/user.php b/system/core/user.php index 7ea671a00..408665f4d 100755 --- a/system/core/user.php +++ b/system/core/user.php @@ -277,13 +277,15 @@ public static function autoLogin($auth_token) { * @param boolean $complete_login * @return integer|array */ - public static function login($email, $password, $remember = false, $complete_login = true) { + public static function login($email, $password, $remember = false, $complete_login = true, $model = null) { if (!$email || !$password) { return 0; } - $model = cmsCore::getModel('users'); + if($model === null) { + $model = cmsCore::getModel('users'); + } $user = $model->getUserByAuth($email, $password); diff --git a/system/fields/string.php b/system/fields/string.php index ae897dd38..4a1d2f214 100755 --- a/system/fields/string.php +++ b/system/fields/string.php @@ -140,6 +140,15 @@ public function store($value, $is_submitted, $old_value = null) { } if ($this->getProperty('is_clean_disable') === true) { + + // Разрешены HTML теги, - прогоняем через типограф + $value = cmsEventsManager::hook('html_filter', [ + 'text' => $value, + 'is_auto_br' => false, + 'build_smiles' => false, + 'build_redirect_link' => false + ]); + return trim($value, " \0"); } diff --git a/system/libs/template.helper.php b/system/libs/template.helper.php index 2ee85c096..61851ebe9 100755 --- a/system/libs/template.helper.php +++ b/system/libs/template.helper.php 
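Review bot: The `$term` passed to `filterLike('tag', "%{$term}%")` on the line directly above the changed `select()` is still the raw user string; the patch escapes only the second interpolation, so this hunk is safe only if filterLike() escapes internally, which cannot be seen here. Even with escaping in place, `%` and `_` inside the term remain LIKE wildcards, so a one-character `%` term matches every tag; escaping them before the pattern is built, `$like = addcslashes($term, '%_\\');`, would close that. `strip_tags()` on the first changed line is not an injection control and silently changes search semantics (`a<b` becomes `a`); if its purpose is to protect the JSON consumer, escape at output and keep the raw term for matching. run()'s body continues outside the hunk.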
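Review bot: The new `$model = null` parameter on `login()` is undocumented — the docblock immediately above still ends at `@param boolean $complete_login` — and it lets any caller substitute the object whose `getUserByAuth()` decides whether the credentials are accepted, which is a lot of latitude on the authentication entry point. Add ` * @param object|null $model users model to authenticate against; defaults to cmsCore::getModel('users')` and consider restricting the override to the expected model class with an `instanceof` check (the class name is not visible in the hunk). Style: `if($model === null) {` lacks the space after `if` that the neighbouring `if (!$email || !$password) {` uses. login()'s body continues past the hunk.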
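Review bot: The comment in the added block is in Russian while every identifier in the hunk is English; it should read `// HTML is allowed for this field, so run the value through the html_filter hook (typographer)`. More importantly, the protection now hinges on a listener being bound to `html_filter`: if the module handling it is disabled, the hook presumably returns the text unchanged and raw HTML is stored exactly as before this patch, so a baseline server-side filter that does not depend on event registration would make the guarantee hold regardless of module state. I also cannot tell from here whether `cmsEventsManager::hook()` returns the filtered string or the parameter array; `trim($value, " \0")` on the following line assumes a string, so that is worth confirming. store()'s body starts and ends outside the hunk.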
@@ -63,7 +63,7 @@ function html_pagebar($page, $perpage, $total, $base_uri = false, $query = [], $ */ function html_input($type = 'text', $name = '', $value = '', $attributes = []) { - if ($type === 'password') { + if ($type === 'password' && empty($attributes['autocomplete'])) { $attributes['autocomplete'] = 'off'; } $attributes['type'] = $type; diff --git a/templates/admincoreui/assets/ui/form.tpl.php b/templates/admincoreui/assets/ui/form.tpl.php index 2819175de..870f8d063 100755 --- a/templates/admincoreui/assets/ui/form.tpl.php +++ b/templates/admincoreui/assets/ui/form.tpl.php @@ -4,7 +4,7 @@ toolbar('menu-toolbar'); ?> -
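Review bot: The new guard uses `empty($attributes['autocomplete'])`, so a caller passing `''` or `'0'` is still overwritten with `off`; `!isset($attributes['autocomplete'])` states the intent (default only when the caller said nothing) more precisely. The override should also be mentioned in html_input's docblock, whose closing ` */` is the hunk's first context line, e.g. ` * Password inputs default to autocomplete="off" unless $attributes sets it (e.g. "new-password").` Note that current browsers ignore `autocomplete="off"` on credential fields, so this remains a UX default rather than a security control. html_input's body continues past the hunk.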
toolbar('menu-toolbar'); ?> - +
diff --git a/templates/admincoreui/controllers/admin/menu.tpl.php b/templates/admincoreui/controllers/admin/menu.tpl.php index 210930479..4f9c62f7e 100755 --- a/templates/admincoreui/controllers/admin/menu.tpl.php +++ b/templates/admincoreui/controllers/admin/menu.tpl.php @@ -28,7 +28,7 @@
    $menu) { ?>
  • - +
diff --git a/templates/default/assets/ui/confirm.tpl.php b/templates/default/assets/ui/confirm.tpl.php index d30885a18..1880ef7f1 100755 --- a/templates/default/assets/ui/confirm.tpl.php +++ b/templates/default/assets/ui/confirm.tpl.php @@ -1,6 +1,6 @@ -controller->request->isAjax()){ ?> class="modal" diff --git a/templates/default/assets/ui/grid-perms.tpl.php b/templates/default/assets/ui/grid-perms.tpl.php index 06a27e09f..2da308534 100755 --- a/templates/default/assets/ui/grid-perms.tpl.php +++ b/templates/default/assets/ui/grid-perms.tpl.php @@ -5,7 +5,7 @@ - +
diff --git a/templates/modern/assets/ui/filter-panel.tpl.php b/templates/modern/assets/ui/filter-panel.tpl.php index 326a852dd..ec2948270 100755 --- a/templates/modern/assets/ui/filter-panel.tpl.php +++ b/templates/modern/assets/ui/filter-panel.tpl.php @@ -16,7 +16,7 @@ - + $fvalue){ ?> diff --git a/templates/modern/assets/ui/form.tpl.php b/templates/modern/assets/ui/form.tpl.php index 04f405245..b2868822d 100755 --- a/templates/modern/assets/ui/form.tpl.php +++ b/templates/modern/assets/ui/form.tpl.php @@ -3,7 +3,7 @@ toolbar('menu-toolbar'); ?> -