SW-17487 - Improve Form Input Filtering

bcremer · bcremer · commit 6113d30a90e6 · 2017-01-24T16:21:42.000+01:00
This issue has been identified by Markus Seegmüller on behalf of Internetmenschen UG (https://www.internetmenschen.de).
diff --git a/engine/Shopware/Controllers/Frontend/Forms.php b/engine/Shopware/Controllers/Frontend/Forms.php
@@ -498,9 +498,11 @@ protected function _createInputElement($element, $post = null)
      */
     protected function _filterInput($input)
     {
-        $pattern = '#{\s*/literal\s*}#i';
+        // remove all control characters, unassigned, private use, formatting and surrogate code points
+        $input = preg_replace('#[^\PC\s]#u', '', $input);
 
-        if (preg_match($pattern, $input) > 0) {
+        $temp = str_replace('"', '', $input);
+        if (preg_match('#{\s*/*literal\s*}#i', $temp) > 0) {
             return '';
         }
 

Original file line number	Diff line number	Diff line change
`@@ -498,9 +498,11 @@ protected function _createInputElement($element, $post = null)`
`498`	`498`	`*/`
`499`	`499`	`protected function _filterInput($input)`
`500`	`500`	`{`
`501`		`- $pattern = '#{\s/literal\s}#i';`
	`501`	`+ // remove all control characters, unassigned, private use, formatting and surrogate code points`
	`502`	`+ $input = preg_replace('#[^\PC\s]#u', '', $input);`
`502`	`503`
`503`		`- if (preg_match($pattern, $input) > 0) {`
	`504`	`+ $temp = str_replace('"', '', $input);`
	`505`	`+ if (preg_match('#{\s/literal\s*}#i', $temp) > 0) {`
`504`	`506`	`return '';`
`505`	`507`	`}`
`506`	`508`