Security fixes: CSV injection, policy body output, invite hashing, slot datetimes
CI / No Debug Code (pull_request) Successful in 3s
CI / Tests (PHP 8.1) (pull_request) Successful in 43s
CI / Tests (PHP 8.3) (pull_request) Successful in 49s
CI / Tests (PHP 8.2) (pull_request) Successful in 59s
CI / Coding Standards (pull_request) Successful in 1m11s
CI / PHPStan (pull_request) Successful in 1m20s
CI / Build Plugin Zip (pull_request) Has been skipped
CI / No Debug Code (pull_request) Successful in 3s
CI / Tests (PHP 8.1) (pull_request) Successful in 43s
CI / Tests (PHP 8.3) (pull_request) Successful in 49s
CI / Tests (PHP 8.2) (pull_request) Successful in 59s
CI / Coding Standards (pull_request) Successful in 1m11s
CI / PHPStan (pull_request) Successful in 1m20s
CI / Build Plugin Zip (pull_request) Has been skipped
Four fixes from a security review pass: - Neutralise CSV formula injection in the payments export: fields with a leading =, +, -, @, tab, or CR (e.g. a hostile student display name) are apostrophe-prefixed in PaymentReport::csvLine() so they open as text in Excel/Google Sheets. Fixes #39. - Sanitise policy bodies with wp_kses_post at output in PolicyEndpoint::index() (the booking JS renders that HTML raw), so a future write path that forgets kses can never become stored XSS. Fixes #40. - Store invite tokens hashed (SHA-256) at rest: a database leak can no longer redeem pending invites. The registration link is shown once, at creation; the pending list shows email/invited date; lookups hash the submitted token. Existing plaintext pending invites must be re-issued. Fixes #41. - Validate availability slot datetimes on both creation paths (REST and admin form) via AvailabilitySlot::normalizeDateTime(): canonical and datetime-local forms normalise to Y-m-d H:i:s, garbage and end <= start are rejected (REST 400) instead of reaching the DATETIME column or throwing inside the weekly-series date arithmetic. Fixes #42. composer test (204 tests, 594 assertions), PHPStan L6, and PHPCS all green. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
This commit is contained in:
@@ -90,13 +90,22 @@ class PaymentReport {
|
||||
}
|
||||
|
||||
/**
|
||||
* Format one CSV record, quoting fields and escaping embedded quotes.
|
||||
* Format one CSV record, quoting fields and escaping embedded quotes. Fields
|
||||
* that a spreadsheet would interpret as a formula (leading =, +, -, @, tab, or
|
||||
* CR — e.g. a hostile student display name) are prefixed with an apostrophe so
|
||||
* they open as text, never as executable formulas.
|
||||
*
|
||||
* @param list<string> $fields
|
||||
*/
|
||||
private function csvLine( array $fields ): string {
|
||||
$escaped = array_map(
|
||||
static fn( string $field ): string => '"' . str_replace( '"', '""', $field ) . '"',
|
||||
static function ( string $field ): string {
|
||||
if ( 1 === preg_match( '/^[=+\-@\t\r]/', $field ) ) {
|
||||
$field = "'" . $field;
|
||||
}
|
||||
|
||||
return '"' . str_replace( '"', '""', $field ) . '"';
|
||||
},
|
||||
$fields
|
||||
);
|
||||
|
||||
|
||||
Reference in New Issue
Block a user