improv. add auto excluded request to prevent issue

MineWeb · Dec 6, 2021 · f20c9ad · f20c9ad
1 parent 4fbd34c
commit f20c9ad
Showing 1 changed file with 6 additions and 3 deletions.
diff --git a/app/Controller/AppController.php b/app/Controller/AppController.php
@@ -48,7 +48,7 @@ public function beforeFilter()
     {
         // find any xss vulnability on request data
         $datas = $this->request->data;
-        $this->request->data = $this->xssProtection($datas);
+        $this->request->data = $this->xssProtection($datas, ['command', 'order', 'broadcast']);
         $this->request->data["xss"] = $datas;
         // lowercase to avoid errors when the controller is called with uppercase
         $this->params['controller'] = strtolower($this->params['controller']);
@@ -113,10 +113,13 @@ public function beforeFilter()
 
     }
 
-    public function xssProtection($array)
+    public function xssProtection($array, $excluded = [])
     {
         foreach ($array as $key => $value) {
-            $array[$key] = is_array($value) ? $this->xssProtection($value) : $this->EySecurity->xssProtection($value);
+            if (strlen(str_replace($excluded, '', $key)) !== strlen($key))
+                $array[$key] = $value;
+            else
+                $array[$key] = is_array($value) ? $this->xssProtection($value) : $this->EySecurity->xssProtection($value);
         }
         return $array;