Fix stored XSS in Group name (CVE-2024-25891-98) (#7675)

Author: DawoudIO

src/CartToGroup.php

@@ -57,7 +57,7 @@
               // Create the group select drop-down
                 echo '<select id="GroupID" name="GroupID" onChange="UpdateRoles();"><option value="0">' . gettext('None') . '</option>';
                 foreach ($ormGroups as $ormGroup) {
-                    echo '<option value="' . $ormGroup->getID() . '">' . $ormGroup->getName() . '</option>';
+                    echo '<option value="' . $ormGroup->getID() . '">' . htmlspecialchars($ormGroup->getName(), ENT_QUOTES, 'UTF-8') . '</option>';
                 }
                 echo '</select>'; ?>
             </td>

src/GroupView.php

@@ -44,7 +44,7 @@
 $rsPropList = RunQuery($sSQL);
 $numRows = mysqli_num_rows($rsPropList);
 
-$sPageTitle = gettext('Group View') . ' : ' . $thisGroup->getName();
+$sPageTitle = gettext('Group View') . ' : ' . htmlspecialchars($thisGroup->getName(), ENT_QUOTES, 'UTF-8');
 
 require_once 'Include/Header.php';
 
@@ -119,7 +119,7 @@
 
 <div class="card card-info card-outline">
     <div class="card-header">
-        <h3 class="card-title"><i class="fa-solid fa-info-circle"></i> <?= $thisGroup->getName() ?></h3>
+        <h3 class="card-title"><i class="fa-solid fa-info-circle"></i> <?= htmlspecialchars($thisGroup->getName(), ENT_QUOTES, 'UTF-8') ?></h3>
     </div>
     <div class="card-body">
         <div class="mb-3">
@@ -459,7 +459,7 @@ function allPhonesCommaD() {
                     bootbox.confirm({
                         title: "<?= gettext("Confirm Delete Group") ?>",
                         message: '<p class="text-danger">' +
-                            "<?= gettext("Please confirm deletion of this group record") ?>: <?= $thisGroup->getName() ?></p>" +
+                            "<?= gettext("Please confirm deletion of this group record") ?>: " + <?= json_encode($thisGroup->getName(), JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT) ?> + "</p>" +
                             "<p>" +
                             "<?= gettext("This will also delete all Roles and Group-Specific Property data associated with this Group record.") ?>" +
                             "</p><p>" +

src/api/routes/people/people-groups.php

@@ -115,8 +115,8 @@
         if ($groupSettings['isSundaySchool'] ?? false) {
             $group->makeSundaySchool();
         }
-        $group->setName($groupSettings['groupName']);
-        $group->setDescription($groupSettings['description'] ?? '');
+        $group->setName(strip_tags($groupSettings['groupName']));
+        $group->setDescription(strip_tags($groupSettings['description'] ?? ''));
         $group->setType($groupSettings['groupType'] ?? 0);
         $group->save();
         return SlimUtils::renderJSON($response, $group->toArray());
@@ -126,9 +126,9 @@
         $groupID = $args['groupID'];
         $input = $request->getParsedBody();
         $group = GroupQuery::create()->findOneById($groupID);
-        $group->setName($input['groupName']);
+        $group->setName(strip_tags($input['groupName']));
         $group->setType($input['groupType']);
-        $group->setDescription($input['description'] ?? '');
+        $group->setDescription(strip_tags($input['description'] ?? ''));
         $group->save();
         return SlimUtils::renderJSON($response, $group->toArray());
     });

src/sundayschool/SundaySchoolReports.php

@@ -179,7 +179,7 @@
             // Create the group select drop-down
             echo '<select id="GroupID" name="GroupID[]" multiple size="8" onChange="UpdateRoles();"><option value="0">' . gettext('None') . '</option>';
             foreach ($groups as $group) {
-                echo '<option value="' . $group->getID() . '">' . $group->getName() . '</option>';
+                echo '<option value="' . $group->getID() . '">' . htmlspecialchars($group->getName(), ENT_QUOTES, 'UTF-8') . '</option>';
             }
             echo '</select><br>';
             echo gettext('Multiple groups will have a Page Break between Groups<br>');