From de90e704876744e7ee49dc2f4fd226ddc14067f3 Mon Sep 17 00:00:00 2001
From: Rodrigo de Oliveira
Date: Thu, 11 Mar 2021 04:37:37 -0300
Subject: [PATCH] Sanitizes evil scripts for collections, metadatum and items
---
 .../repositories/class-tainacan-collections.php | 2 +-
 .../repositories/class-tainacan-metadata.php | 4 ----
 .../repositories/class-tainacan-repository.php | 13 +++++++++++--
 tests/test-html-injection.php | 8 ++++----
 4 files changed, 16 insertions(+), 11 deletions(-)
diff --git a/src/classes/repositories/class-tainacan-collections.php b/src/classes/repositories/class-tainacan-collections.php
index 632ffb18e..780d3442e 100644
--- a/src/classes/repositories/class-tainacan-collections.php
+++ b/src/classes/repositories/class-tainacan-collections.php
@@ -304,7 +304,7 @@ class Collections extends Repository {
 */
 public function insert( $collection ) {
 $this->pre_process( $collection );
- $this->handle_parent_order_clone( $collection );
+ $this->handle_parent_order_clone( $collection );
 $new_collection = parent::insert( $collection );
diff --git a/src/classes/repositories/class-tainacan-metadata.php b/src/classes/repositories/class-tainacan-metadata.php
index 54f0577cb..d511a6cc1 100644
--- a/src/classes/repositories/class-tainacan-metadata.php
+++ b/src/classes/repositories/class-tainacan-metadata.php
@@ -304,7 +304,6 @@ class Metadata extends Repository {
 }
 }
-
 /**
 * fetch metadatum based on ID or WP_Query args
 *
@@ -676,7 +675,6 @@ class Metadata extends Repository {
 );
 }
-
 /**
 * That function update the core metadatum meta key, in case of changing the collection parent
 *
@@ -1001,7 +999,6 @@ class Metadata extends Repository {
 return false;
 }
-
 /**
 * create a metadatum entity and insert by an associative array ( attribute => value )
 *
@@ -1026,7 +1023,6 @@ class Metadata extends Repository {
 }
 }
-
 /**
 * Return all possible values for a metadatum
 *
diff --git a/src/classes/repositories/class-tainacan-repository.php b/src/classes/repositories/class-tainacan-repository.php
index 799cb55ad..7e6bbb697 100644
--- a/src/classes/repositories/class-tainacan-repository.php
+++ b/src/classes/repositories/class-tainacan-repository.php
@@ -136,7 +136,6 @@ abstract class Repository {
 do_action( "tainacan-pre-insert-$obj_post_type", $obj );
 $map = $this->get_map();
-
 // First iterate through native post properties
 foreach ( $map as $prop => $mapped ) {
 if ( $mapped['map'] != 'meta' && $mapped['map'] != 'meta_multi' ) {
@@ -153,6 +152,9 @@ abstract class Repository {
 }
 if ( $obj instanceof Entities\Item ) {
+ $sanitized_title = $this->sanitize_value($obj->get('title'));
+ $sanitized_desc = $this->sanitize_value($obj->get('description'));
+
 // get collection to determine post type
 $collection = $obj->get_collection();
@@ -162,10 +164,17 @@ abstract class Repository {
 $post_t = $collection->get_db_identifier();
 $obj->WP_Post->post_type = $post_t;
+ $obj->WP_Post->post_title = $sanitized_title;
+ $obj->WP_Post->post_content = $sanitized_desc;
 $obj_post_type = 'tainacan-item';
 do_action( "tainacan-pre-insert-$obj_post_type", $obj );
 }
+ if ($obj instanceof Entities\Collection || $obj instanceof Entities\Metadatum) {
+ $sanitized = $this->sanitize_value($obj->get('name'));
+ $obj->WP_Post->post_title = $sanitized;
+ }
+
 $id = wp_insert_post( $obj->WP_Post );
 if ($id instanceof \WP_Error || 0 === $id) {
 return false;
@@ -916,7 +925,7 @@ abstract class Repository {
 $allowed_html = wp_kses_allowed_html('post');
 unset($allowed_html["a"]);
- return wp_kses(trim($content), $allowed_html);
+ return trim(wp_kses($content, $allowed_html));
 }
 }
diff --git a/tests/test-html-injection.php b/tests/test-html-injection.php
index d1fa932cd..c158f6d5b 100644
--- a/tests/test-html-injection.php
+++ b/tests/test-html-injection.php
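Review bot: The sanitized title and description are written only into `$obj->WP_Post`, while the entity's own `title`/`description` (and `name` in the Collection/Metadatum branch of the next hunk) still hold the raw markup, so the `tainacan-pre-insert-tainacan-item` action fired a few lines later and whatever the caller does with the returned entity see the unsanitized string until it is re-fetched; the new tests only assert after `->fetch()`, so that gap is not exercised. Writing the clean value back through the entity setter that pairs with the `get()` used here, e.g. `$obj->set('title', $sanitized_title);` and `$obj->set('description', $sanitized_desc);`, would close it. The Collection/Metadatum sanitizing also runs after the generic `tainacan-pre-insert-$obj_post_type` action at the top of this method, so those hooks observe the raw name, and any entity type not matched by the two `instanceof` branches reaches `wp_insert_post` untouched; a short comment such as `// sanitization is applied at the WP_Post boundary; entity getters keep the submitted value` would at least make that explicit. The enclosing insert() starts and ends outside the hunk.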
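Review bot: With the new call sites passing `$obj->get('title')`, `$obj->get('description')` and `$obj->get('name')` straight into this method, a null property (if the getter can return null for an unset description) now reaches `wp_kses()` and `trim()`, both of which emit a deprecation notice for null on PHP 8.1+; a guard such as `$content = (string) ($content ?? '');` ahead of the `wp_kses_allowed_html` call keeps the method total. Moving `trim()` outside `wp_kses()` is the right order, since stripping a leading or trailing tag can leave whitespace behind. Note that `wp_kses` removes disallowed tags but keeps their text, as the test expectation `'title item console.log("XSS")'` in this patch shows, so the stored value is plain text that still needs escaping at the output context. The method's signature is outside the hunk.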
@@ -40,7 +40,7 @@ class HTML_Injection extends TAINACAN_UnitTestCase
 true
 );
 $collection = $Tainacan_Collections->fetch($collection->get_id());
- // $this->assertEquals($collection->get_name(), 'collection name link link2');
+ $this->assertEquals($collection->get_name(), 'collection name link link2');
 $metadatum = $this->tainacan_entity_factory->create_entity(
 'metadatum',
@@ -53,7 +53,7 @@ class HTML_Injection extends TAINACAN_UnitTestCase
 true
 );
 $metadatum = $Tainacan_Metadata->fetch($metadatum->get_id());
- // $this->assertEquals($metadatum->get_name(), 'metadatum name link');
+ $this->assertEquals($metadatum->get_name(), 'metadatum name link');
 $item = $this->tainacan_entity_factory->create_entity(
 'item',
@@ -65,8 +65,8 @@ class HTML_Injection extends TAINACAN_UnitTestCase
 true
 );
 $item = $Tainacan_Items->fetch($item->get_id());
- // $this->assertEquals($item->get_title(), 'title item console.log("XSS")');
- // $this->assertEquals($item->get_description(), 'description item');
+ $this->assertEquals($item->get_title(), 'title item console.log("XSS")');
+ $this->assertEquals($item->get_description(), 'description item');
 // Test metadata
 $item_metadata = new \Tainacan\Entities\Item_Metadata_Entity($item, $metadatum);
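Review bot: The re-enabled assertion passes the actual value first, `assertEquals($collection->get_name(), 'collection name link link2')`, whereas PHPUnit's signature is `assertEquals($expected, $actual)`, so a failure report would label the two values the wrong way round; the assertions in the two following hunks have the same order. Swapping to `$this->assertSame('collection name link link2', $collection->get_name());` fixes the order and makes the string comparison strict. All three hunks check the entity only after `->fetch()`, so the value held by the object returned by the factory before re-fetching is not covered, and a one-line comment on the first assertion saying that the expected strings show tags stripped with their text kept would make the intent of the `console.log("XSS")` expectation explicit. The enclosing test method starts outside the hunk.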