diff --git a/modules/KalturaSupport/RequestHelper.php b/modules/KalturaSupport/RequestHelper.php
index cdda7fdea9..fcf4d787ce 100644
--- a/modules/KalturaSupport/RequestHelper.php
+++ b/modules/KalturaSupport/RequestHelper.php
@@ -7,6 +7,8 @@ class RequestHelper {
 var $debug = false;
 var $utility = null;
+ var $EXCLUDE_ESCAPED_ATTRIBUTES = array('flashvars');
+
 /**
 * Variables set by the Frame request:
 */
@@ -20,7 +22,7 @@ class RequestHelper {
 'flashvars' => null,
 'playlist_id' => null,
 'urid' => null,
- // Custom service url properties ( only used when wgKalturaAllowIframeRemoteService is set to true )
+ // Custom service url properties ( only used when wgKalturaAllowIframeRemoteService is set to true )
 'ServiceUrl'=> null,
 'ServiceBase'=>null,
 'CdnUrl'=> null,
@@ -58,20 +60,24 @@ private function parseRequest(){
 foreach( $urlParts as $inx => $urlPart ){
 foreach( $this->urlParameters as $attributeKey => $na){
 if( $urlPart == $attributeKey && isset( $urlParts[$inx+1] ) ){
- $_REQUEST[ $attributeKey ] = $urlParts[$inx+1];
+ $data = $urlParts[$inx+1];
+ if (!in_array($attributeKey, $this->EXCLUDE_ESCAPED_ATTRIBUTES)) {
+ $data = htmlspecialchars( $urlParts[$inx+1], ENT_QUOTES );
+ }
+ $_REQUEST[ $attributeKey ] = $data;
 }
 }
 }
 }
- // TODO refactor this parameter sanitation
+ // TODO refactor this parameter sanitation
 foreach( $this->urlParameters as $attributeKey => $na){
 if( isset( $_REQUEST[ $attributeKey ] ) ){
 // set the url parameter and don't let any html in:
 $this->urlParameters[ $attributeKey ] = $_REQUEST[ $attributeKey ];
 }
 }
-
+
 // support CORS for IE9 and lower
 global $HTTP_RAW_POST_DATA;
 if ( !isset( $HTTP_RAW_POST_DATA ) )
@@ -79,7 +85,7 @@ private function parseRequest(){
 $HTTP_RAW_POST_DATA = file_get_contents( 'php://input' );
 $HTTP_RAW_POST_DATA = $HTTP_RAW_POST_DATA ? $HTTP_RAW_POST_DATA : array();
 }
-
+
 if ( count($_POST) == 0 && count( $HTTP_RAW_POST_DATA) > 0 ){
 parse_str($HTTP_RAW_POST_DATA, ( html_entity_decode(
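Review bot: `$EXCLUDE_ESCAPED_ATTRIBUTES` is declared with `var`, i.e. as a public, mutable instance property, although its name and its only use in this diff (the `in_array` check in parseRequest) treat it as a fixed list of parameters that skip escaping. Any code holding a RequestHelper instance can append keys to it and silently widen the set of unescaped parameters, so it is worth making it non-writable: `const EXCLUDE_ESCAPED_ATTRIBUTES = array('flashvars');` referenced as `self::EXCLUDE_ESCAPED_ATTRIBUTES` (array class constants need PHP 5.6+; on an older runtime `private` plus a getter keeps the same intent). A one-line comment stating why flashvars must stay unescaped would also help the next reader, since nothing in the hunk explains it.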
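Review bot: The escaping added in the path-segment loop does not reach the loop that follows it in the same hunk: `$this->urlParameters[ $attributeKey ] = $_REQUEST[ $attributeKey ];` still copies whatever else populated `$_REQUEST` (the query string, and by default POST and cookie values) verbatim, so the same parameter supplied as `?wid=...` instead of `/wid/...` bypasses `htmlspecialchars` despite the comment "don't let any html in". Moving the escaping into that second loop covers both sources at one point, and passing `ENT_QUOTES | ENT_SUBSTITUTE` with an explicit `'UTF-8'` charset avoids `htmlspecialchars` returning an empty string on invalid byte sequences (and the pre-5.4 ISO-8859-1 default); the path loop then reverts to plain `$_REQUEST[ $attributeKey ] = $urlParts[$inx+1];`. `in_array` should also get `true` as its third argument so a numeric-looking key is not matched loosely. Storing HTML-escaped text in `$_REQUEST` and `urlParameters` affects every later consumer, presumably including ones that build URLs or API calls from `ServiceUrl`/`CdnUrl` rather than HTML — I cannot see those from the hunk, so confirm they expect entities. parseRequest begins and ends outside this hunk, and the raw-POST branch below it that also feeds request data is cut off here.
```php
		// TODO refactor this parameter sanitation
		foreach( $this->urlParameters as $attributeKey => $na){
			if( isset( $_REQUEST[ $attributeKey ] ) ){
				$data = $_REQUEST[ $attributeKey ];
				// escape at this single point so path-segment and query-string values are treated alike
				if ( !in_array( $attributeKey, $this->EXCLUDE_ESCAPED_ATTRIBUTES, true ) ) {
					$data = htmlspecialchars( $data, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' );
				}
				$this->urlParameters[ $attributeKey ] = $data;
			}
		}
		// … unchanged: CORS / raw POST handling …
```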
@@ -94,7 +100,7 @@ private function parseRequest(){
 }
 }
- // string to boolean
+ // string to boolean
 foreach( $this->urlParameters as $k=>$v){
 if( $v == 'false'){
 $this->urlParameters[$k] = false;
@@ -103,15 +109,15 @@ private function parseRequest(){
 $this->urlParameters[$k] = true;
 }
 }
-
+
 if( isset( $this->urlParameters['p'] ) && !isset( $this->urlParameters['wid'] ) ){
- $this->urlParameters['wid'] = '_' . $this->urlParameters['p'];
+ $this->urlParameters['wid'] = '_' . $this->urlParameters['p'];
 }
 if( isset( $this->urlParameters['partner_id'] ) && !isset( $this->urlParameters['wid'] ) ){
- $this->urlParameters['wid'] = '_' . $this->urlParameters['partner_id'];
- }
-
+ $this->urlParameters['wid'] = '_' . $this->urlParameters['partner_id'];
+ }
+
 // Check for debug flag
 if( isset( $_REQUEST['debug'] ) ){
 $this->debug = true;
@@ -146,18 +152,18 @@ function set( $key = null, $val = null ) {
 function getServiceConfig( $name ){
 global $wgKalturaAllowIframeRemoteService;
-
- // Check if we allow URL override:
+
+ // Check if we allow URL override:
 if(( $wgKalturaAllowIframeRemoteService == true ) || $this->isEmbedServicesEnabled()){
 // Check for urlParameters
 if( $this->get( $name ) ){
 return $this->get( $name );
 }
 }
-
- // Else use the global config:
+
+ // Else use the global config:
 switch( $name ){
- case 'ServiceUrl' :
+ case 'ServiceUrl' :
 global $wgKalturaServiceUrl;
 return $wgKalturaServiceUrl;
 break;
@@ -271,8 +277,8 @@ public function getRemoteAddrHeader(){
 return '';
 }
 $ip = null;
- // Check for x-forward-for and x-real-ip headers
- $requestHeaders = getallheaders();
+ // Check for x-forward-for and x-real-ip headers
+ $requestHeaders = getallheaders();
 if( isset( $requestHeaders['X-Forwarded-For'] ) ){
 $ip = $this->getRealIP( $requestHeaders['X-Forwarded-For'] );
 }
@@ -343,7 +349,7 @@ private function setKSIfExists() {
 $this->ks = $ks;
 }
 }
-
+
 public function hasKS() {
 global $wgForceCache;
 return $wgForceCache ? false : isset($this->ks);
@@ -352,4 +358,4 @@ public function hasKS() {
 public function getKS() {
 return $this->ks;
 }
-}
\ No newline at end of file
+}