Security Update: Allow samesite attribute to be set on cookies

CHANGELOG.md

@@ -1,5 +1,14 @@
 # Change log
 
+### 1.7.9
+
+* Updated: setCookie() function in HttpResponse.php to allow for the SameSite attribute to be set with new php 
+           setcookie() options array method signature. 
+
+### 1.7.8
+
+* Updated: Requests containing URL parameters are now sanitised to prevent XSS attacks
+
 ### 1.7.7
 * Fixed: More deprecated required parameter follows optional parameter warnings
 

src/Http/HttpResponse.php

@@ -63,8 +63,9 @@ public function getResponseBody()
      * @param string $domain Domain the cookie should be available to - defaults to current subdomain. Set to ".domain.com" to make available to all subdomains.
      * @param bool $secure Indicates that the cookie should only be transmitted via HTTPS - defaults to false
      * @param bool $httpOnly Indicates that the cookie should only be transmitted via the HTTP Protocol - defaults to false
+     * @param string $sameSite Indicates the SameSite attribute of the cookie. Can be "Strict", "Lax" or "None" - defaults to "Lax".
      */
-    public static function setCookie($name, $value, $expirySecondsFromNow = 1209600, $path = "/", $domain = null, $secure = false, $httpOnly = false)
+    public static function setCookie($name, $value, $expirySecondsFromNow = 1209600, $path = "/", $domain = null, $secure = false, $httpOnly = false, $sameSite = "Lax")
     {
         if ($expirySecondsFromNow != null){
             $expirySecondsFromNow = time() + $expirySecondsFromNow;
@@ -73,7 +74,14 @@ public static function setCookie($name, $value, $expirySecondsFromNow = 1209600,
         }
 
         if (!Application::current()->unitTesting) {
-            setcookie($name, $value, $expirySecondsFromNow, $path, $domain, $secure, $httpOnly);
+            setcookie($name, $value, [
+                'expires' => $expirySecondsFromNow,
+                'path' => $path,
+                'domain' => $domain,
+                'secure' => $secure,
+                'httponly' => $httpOnly,
+                'samesite' => $sameSite
+            ]);
         }
 
         $request = Request::current();
@@ -86,10 +94,11 @@ public static function setCookie($name, $value, $expirySecondsFromNow = 1209600,
      * @param string $domain Domain the cookie should be available to - defaults to current subdomain. Set to ".domain.com" to make available to all subdomains.
      * @param bool $secure Indicates that the cookie should only be transmitted via HTTPS - defaults to false
      * @param bool $httpOnly Indicates that the cookie should only be transmitted via the HTTP Protocol - defaults to false
+     * @param string $sameSite Indicates the SameSite attribute of the cookie. Can be "Strict", "Lax" or "None" - defaults to "Lax".
      */
-    public static function unsetCookie($name, $path = "/", $domain = null, $secure = false, $httpOnly = false)
+    public static function unsetCookie($name, $path = "/", $domain = null, $secure = false, $httpOnly = false, $sameSite = "Lax")
     {
-        self::setCookie($name, null, -1000, $path, $domain, $secure, $httpOnly);
+        self::setCookie($name, null, -1000, $path, $domain, $secure, $httpOnly, $sameSite);
     }
 
     /**

src/UrlHandlers/UrlHandler.php

@@ -266,6 +266,11 @@ protected function getAbsoluteHandledUrl()
         return $request->server("REQUEST_SCHEME") . "://" . $request->server("SERVER_NAME") . $this->handledUrl;
     }
 
+    private function sanitizeRequest($request) {
+        $request->uri = htmlspecialchars($request->uri);
+        return $request;
+    }
+
     /**
      * Return the response when appropriate or false if no response could be generated.
      *
@@ -277,6 +282,10 @@ protected function getAbsoluteHandledUrl()
      */
     public function generateResponse($request = null, $currentUrlFragment = false)
     {
+        if ($request !== null) {
+            $request = $this->sanitizeRequest($request);
+        }
+
         if ($currentUrlFragment === false) {
             $currentUrlFragment = $request->urlPath;
         }