From d2936bd90caa2b256d32e7d349449ed58b28107b Mon Sep 17 00:00:00 2001
From: Bjoern Schiessle <schiessle@owncloud.com>
Date: Tue, 19 Jun 2012 17:20:19 +0200
Subject: [PATCH] introducing a sanitize HTML function for the internal and the
 public API. This allows strings to be easily converted to HTML before they are
 displayed on the web page, reducing the risk of XSS vulnerabilities.

---
 lib/public/util.php | 12 ++++++++++++
 lib/util.php        | 17 ++++++++++++++++-
 2 files changed, 28 insertions(+), 1 deletion(-)

diff --git a/lib/public/util.php b/lib/public/util.php
index d79d3f26b1..7c0cb66607 100644
--- a/lib/public/util.php
+++ b/lib/public/util.php
@@ -264,6 +264,18 @@ class Util {
 	public static function callCheck(){
 		return(\OC_Util::callCheck());
 	}
+	
+	/**
+	 * @brief Used to sanitize HTML
+	 *
+	 * This function is used to sanitize HTML and should be applied on any string or array of strings before displaying it on a web page.
+	 *
+	 * @param string or array of strings
+	 * @return array with sanitized strings or a single sinitized string, depends on the input parameter.
+	 */
+	public static function sanitizeHTML( $value ){
+		return(\OC_Util::sanitizeHTML($value)); //Specify encoding for PHP<5.4
+	}
 }
 
 ?>
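Review bot: The trailing comment `//Specify encoding for PHP<5.4` on the return line of `sanitizeHTML` was copied from the implementation and says nothing true about this wrapper, which only delegates to `\OC_Util::sanitizeHTML` and sets no encoding itself; drop it. The docblock's `@param`/`@return` tags carry no variable name or type and misspell "sanitized" — suggest `@param string|array $value string or array of strings` and `@return string|array the escaped string, or the array with every string escaped`. The wrapper takes `$value` by value while the underlying implementation takes it by reference, so the caller's variable is left untouched and only the return value carries the escaped data; that is worth stating in the docblock so callers do not rely on in-place behaviour.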
diff --git a/lib/util.php b/lib/util.php
index 0266a8ecc5..bcfeb417c1 100755
--- a/lib/util.php
+++ b/lib/util.php
@@ -370,7 +370,7 @@ class OC_Util {
 		$_SESSION['requesttoken-'.$token]=time();
 
 		// cleanup old tokens garbage collector
-		// only run every 20th time so we don�t waste cpu cycles
+		// only run every 20th time so we don't waste cpu cycles
 		if(rand(0,20)==0) {  
 			foreach($_SESSION as $key=>$value) {
 				// search all tokens in the session
@@ -426,4 +426,19 @@ class OC_Util {
 			exit;
 		}
 	}
+	
+	/**
+	 * @brief Public function to sanitize HTML
+	 *
+	 * This function is used to sanitize HTML and should be applied on any string or array of strings before displaying it on a web page.
+	 * 
+	 * @param string or array of strings
+	 * @return array with sanitized strings or a single sinitized string, depends on the input parameter.
+	 */
+	public static function sanitizeHTML( &$value ){
+		if (is_array($value) || is_object($value)) array_walk_recursive($value,'OC_Util::sanitizeHTML');
+		else $value = htmlentities($value, ENT_QUOTES, 'UTF-8'); //Specify encoding for PHP<5.4
+		return $value;
+	}
+
 }
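Review bot: Non-string scalar elements of a walked array reach `htmlentities()` on the `else` line and come back as strings, so an int, bool or null in the input array is returned as `'1'`, `''` and so on; an `elseif (is_string($value)) $value = htmlentities($value, ENT_QUOTES, 'UTF-8');` guard would leave those values alone, and a nested object inside an array is handed to the callback directly rather than to the `is_object` branch, so it presumably ends in `htmlentities` too — confirm on the supported PHP version. The `is_object` branch walks the object's properties in place, and the boolean result of `array_walk_recursive` is discarded, so a failed walk still returns the unescaped value to the caller. With only `ENT_QUOTES` set, `htmlentities` on PHP 5.4 and later returns an empty string for input that is not valid UTF-8, so a badly encoded value silently disappears instead of being escaped; this deserves a comment, or `ENT_SUBSTITUTE` where the supported PHP version allows it. The docblock should also state the output context — the function escapes for HTML body and attribute context only, not for JavaScript, CSS or URL contexts — and its `@param`/`@return` lack variable names (`@param string|array $value`, `@return string|array`) and misspell "sanitized".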
-- 
GitLab