From 9d0db982413df5aa29f7d505be43600315feb350 Mon Sep 17 00:00:00 2001 From: Zack Spear Date: Fri, 9 May 2025 13:23:03 -0700 Subject: [PATCH] feat: implement safe title processing in MainContent, MainContentTabbed, and MainContentTabless - Introduced a new function `processTitle` to safely handle page titles by replacing PHP variables with their values without using eval. - Updated title handling in MainContent, MainContentTabbed, and MainContentTabless to utilize the new `processTitle` function, enhancing security and maintainability. --- .../include/DefaultPageLayout/MainContent.php | 25 +++++++++++++++++-- .../DefaultPageLayout/MainContentTabbed.php | 6 ++--- .../DefaultPageLayout/MainContentTabless.php | 5 +--- 3 files changed, 26 insertions(+), 10 deletions(-) diff --git a/emhttp/plugins/dynamix/include/DefaultPageLayout/MainContent.php b/emhttp/plugins/dynamix/include/DefaultPageLayout/MainContent.php index 6b57fb4b9..d5f929e1c 100644 --- a/emhttp/plugins/dynamix/include/DefaultPageLayout/MainContent.php +++ b/emhttp/plugins/dynamix/include/DefaultPageLayout/MainContent.php @@ -13,6 +13,27 @@ $tabbed = $display['tabs'] == 0 && count($pages) > 1; $contentInclude = $tabbed ? 'MainContentTabbed.php' : 'MainContentTabless.php'; $defaultIcon = ""; + +/** + * Safely processes page titles by replacing PHP variables with their values + * + * @param string $rawTitle The unprocessed title that may contain variable references + * @return string Processed title with variables substituted + */ +function processTitle($rawTitle) { + // Safely replace any variables in the title without eval + $title = htmlspecialchars((string)$rawTitle); + return preg_replace_callback( + '/\$([a-zA-Z_\x80-\xff][a-zA-Z0-9_\x80-\xff]*)/', + function($matches) { + return isset($GLOBALS[$matches[1]]) ? + htmlspecialchars((string)$GLOBALS[$matches[1]]) : + '$'.$matches[1]; + }, + $title + ); +} + function process_icon($icon, $docroot, $root) { global $defaultIcon; if (substr($icon, -4) == '.png') { @@ -44,8 +65,8 @@ function process_icon($icon, $docroot, $root) { * @return string HTML for the Panel element */ function generatePanel($pg, $path, $defaultIcon, $docroot, $useTabCookie = false) { - $panelTitle = ''; // to appease the linter because eval is used below - eval("\$panelTitle=\"".htmlspecialchars((string)$pg['Title'])."\";"); // ensures variables in any .page title are used + // Process title using our safe variable substitution function + $panelTitle = processTitle($pg['Title']); $icon = _var($pg, 'Icon', $defaultIcon); $icon = process_icon($icon, $docroot, $pg['root']); diff --git a/emhttp/plugins/dynamix/include/DefaultPageLayout/MainContentTabbed.php b/emhttp/plugins/dynamix/include/DefaultPageLayout/MainContentTabbed.php index 82317b331..b639e55bc 100644 --- a/emhttp/plugins/dynamix/include/DefaultPageLayout/MainContentTabbed.php +++ b/emhttp/plugins/dynamix/include/DefaultPageLayout/MainContentTabbed.php @@ -10,10 +10,7 @@ - +