diff --git a/CHANGELOG.md b/CHANGELOG.md
index 7f75cae..08ce397 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,14 @@
 # Change log
 
+### 1.7.9
+
+* Updated: setCookie() function in HttpResponse.php to allow for the SameSite attribute to be set with new php
+ setcookie() options array method signature.
+
+### 1.7.8
+
+* Updated: Requests containing URL parameters are now sanitised to prevent XSS attacks
+
 ### 1.7.7
 
 * Fixed: More deprecated required parameter follows optional parameter warnings
diff --git a/src/Http/HttpResponse.php b/src/Http/HttpResponse.php
index 34a164c..10ee19b 100644
--- a/src/Http/HttpResponse.php
+++ b/src/Http/HttpResponse.php
@@ -63,8 +63,9 @@ public function getResponseBody()
      * @param string $domain Domain the cookie should be available to - defaults to current subdomain. Set to ".domain.com" to make available to all subdomains.
      * @param bool $secure Indicates that the cookie should only be transmitted via HTTPS - defaults to false
      * @param bool $httpOnly Indicates that the cookie should only be transmitted via the HTTP Protocol - defaults to false
+     * @param string $sameSite Indicates the SameSite attribute of the cookie. Can be "Strict", "Lax" or "None" - defaults to "Lax".
      */
-    public static function setCookie($name, $value, $expirySecondsFromNow = 1209600, $path = "/", $domain = null, $secure = false, $httpOnly = false)
+    public static function setCookie($name, $value, $expirySecondsFromNow = 1209600, $path = "/", $domain = null, $secure = false, $httpOnly = false, $sameSite = "Lax")
     {
         if ($expirySecondsFromNow != null){
             $expirySecondsFromNow = time() + $expirySecondsFromNow;
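Review bot: The new `@param string $sameSite` docblock line lists "None" as an accepted value without saying that browsers only honour `SameSite=None` on a cookie that also carries `Secure`, and `$secure` defaults to false in this same signature, so a reader following the docs as written gets a cookie the browser silently discards. I'd extend the line to `@param string $sameSite SameSite attribute of the cookie: "Strict", "Lax" or "None" - defaults to "Lax". "None" is only accepted by browsers together with $secure = true.` Appending the parameter after `$httpOnly` keeps existing positional callers working, which is the right placement. The body of setCookie continues beyond this hunk.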
@@ -73,7 +74,14 @@ public static function setCookie($name, $value, $expirySecondsFromNow = 1209600,
         }
 
         if (!Application::current()->unitTesting) {
-            setcookie($name, $value, $expirySecondsFromNow, $path, $domain, $secure, $httpOnly);
+            setcookie($name, $value, [
+                'expires' => $expirySecondsFromNow,
+                'path' => $path,
+                'domain' => $domain,
+                'secure' => $secure,
+                'httponly' => $httpOnly,
+                'samesite' => $sameSite
+            ]);
         }
 
         $request = Request::current();
@@ -86,10 +94,11 @@ public static function setCookie($name, $value, $expirySecondsFromNow = 1209600,
      * @param string $domain Domain the cookie should be available to - defaults to current subdomain. Set to ".domain.com" to make available to all subdomains.
      * @param bool $secure Indicates that the cookie should only be transmitted via HTTPS - defaults to false
      * @param bool $httpOnly Indicates that the cookie should only be transmitted via the HTTP Protocol - defaults to false
+     * @param string $sameSite Indicates the SameSite attribute of the cookie. Can be "Strict", "Lax" or "None" - defaults to "Lax".
      */
-    public static function unsetCookie($name, $path = "/", $domain = null, $secure = false, $httpOnly = false)
+    public static function unsetCookie($name, $path = "/", $domain = null, $secure = false, $httpOnly = false, $sameSite = "Lax")
     {
-        self::setCookie($name, null, -1000, $path, $domain, $secure, $httpOnly);
+        self::setCookie($name, null, -1000, $path, $domain, $secure, $httpOnly, $sameSite);
     }
 
     /**
diff --git a/src/UrlHandlers/UrlHandler.php b/src/UrlHandlers/UrlHandler.php
index dda400a..839a566 100644
--- a/src/UrlHandlers/UrlHandler.php
+++ b/src/UrlHandlers/UrlHandler.php
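Review bot: The options array passes `$sameSite` through unchecked, so a call with `$secure = false` and `$sameSite = 'None'` emits a `SameSite=None` cookie without `Secure`, which current browsers reject — `setcookie()` returns true and nothing tells the caller the cookie was never stored. I'd validate before the `setcookie()` call inside the `if (!Application::current()->unitTesting)` branch: `if (strcasecmp((string) $sameSite, 'None') === 0 && !$secure) { throw new \InvalidArgumentException('SameSite=None cookies must also be Secure'); }`, and reject anything outside `['Strict', 'Lax', 'None']` the same way rather than leaving it to a runtime warning from PHP. The array form of `setcookie()` also needs PHP 7.3+, so the package's PHP constraint (not in this diff) should be checked to match, otherwise this hunk stops cookies being set at all on older runtimes. setCookie continues past the end of this hunk.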
@@ -266,6 +266,11 @@ protected function getAbsoluteHandledUrl()
         return $request->server("REQUEST_SCHEME") . "://" . $request->server("SERVER_NAME") . $this->handledUrl;
     }
 
+    private function sanitizeRequest($request) {
+        $request->uri = htmlspecialchars($request->uri);
+        return $request;
+    }
+
     /**
      * Return the response when appropriate or false if no response could be generated.
      *
@@ -277,6 +282,10 @@ protected function getAbsoluteHandledUrl()
      */
     public function generateResponse($request = null, $currentUrlFragment = false)
     {
+        if ($request !== null) {
+            $request = $this->sanitizeRequest($request);
+        }
+
         if ($currentUrlFragment === false) {
             $currentUrlFragment = $request->urlPath;
         }
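Review bot: `sanitizeRequest()` HTML-encodes `$request->uri` at ingress, which is the wrong layer for an XSS fix: it rewrites the URL for everything downstream that parses it (a query string `a=1&b=2` becomes `a=1&amp;b=2`), it only covers HTML-body output and gives no protection when the URI lands in a JavaScript string, an attribute or a redirect header, and it double-encodes wherever the view layer already escapes on output. It also mutates the shared request in place — PHP passes objects by handle, so the `return $request` is cosmetic and every other consumer of the current request now sees the encoded string. If an ingress filter is kept regardless, pass the flags explicitly, `$request->uri = htmlspecialchars($request->uri, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');`, because on PHP before 8.1 the default leaves single quotes unescaped, and document why only `uri` and not `urlPath` or the query parameters is touched. The more robust fix is to escape at the output site the changelog's XSS was found in, which this diff does not show.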
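Review bot: The sanitiser only runs when a `$request` is passed explicitly, yet the very next statement dereferences `$request->urlPath` unconditionally, so either a null request never actually reaches this method (and the `!== null` guard is dead) or a caller relying on the default bypasses the new filter entirely — worth confirming against the call sites, which are outside this hunk. If handlers nest and each calls `generateResponse()` on the same request object, `htmlspecialchars()` is applied again on already-encoded text and `&` turns into `&amp;amp;`; switching `double_encode` off, `htmlspecialchars($request->uri, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8', false)`, would at least make the operation idempotent. The remainder of generateResponse is outside this hunk.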