It was found by one of our other members on our Discord page that sending messages allows raw, unfiltered user input, and if you switch to HTML mode in the editor, you can input HTML tags, which creates a whole host of security issues. A quick fix for this is to open controller/main/messagescontroller and change anything that uses rawPost() to post(). rawPost() is a function that allows unfiltered user input, and why this is an intentionally created feature I have no clue, except that it might have been created for an output filtering that it is currently not using. With all the new and ever-increasing security challenges on the web, this really needs to be thought through, and I suggest removing it altogether.

Users can also add HTML Purifier to model/domainmodel/privatemessage and edit the constructor like this, and hopefully it will cover everything, though I haven't tested it using rawPost(), so I'm not sure if it actually works. I'm only using post() and I removed rawPost() from my site, so if anyone else wants to test this before changing their post functions in the controller, I'd love to hear the results.
Code:
    public function __construct($mid = 0, $folder = "inbox", $dto = NULL, $notifier = FALSE, $htmlPurifier = TRUE){
        $mysidia = Registry::get("mysidia");
        // Optional HTML Purifier instance. Creating it here filters nothing by itself:
        // the message body still has to go through $this->htmlPurifier->purify()
        // wherever it is set or rendered, otherwise rawPost() input reaches the page unchanged.
        if($htmlPurifier) $this->htmlPurifier = new HTMLPurifier;
        if($mid == 0){
            // This is a new private message that does not yet exist in the database
            $this->mid = $mid;
            $this->fromuser = $mysidia->user->getID();
            $this->folder = ($folder == "inbox") ? $this->folder : $folder;
            return;
        }
        elseif(!$dto){
            // The private message is not being composed, so fetch its information from the database
            $table = ($folder == "inbox") ? "messages" : "folders_messages";
            $dto = $mysidia->db->select($table, [], "mid = :mid", ["mid" => $mid])->fetchObject();
            if(!is_object($dto)) throw new MessageNotfoundException("The message does not exist in database.");
        }
        parent::__construct($dto);
        if($notifier == TRUE) $this->getNotifier();
    }
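Added example, not the poster's code and not part of Mysidia: a stand-alone sketch of how the HTMLPurifier instance that the constructor above creates could actually be applied to a message body before it is stored or displayed. The class MessageSanitizer, the methods purifyHtml() and escapePlain(), the helper storeMessageBody() and the sample message are all made up for this illustration; the only real API used is the HTML Purifier library (HTMLPurifier_Config, HTMLPurifier::purify()), assumed to be installed via Composer as ezyang/htmlpurifier. It shows both routes the post describes: HTML mode, where an allow-list of formatting tags survives and active content is dropped, and the plain post()-only route, where no markup survives at all.

```php
<?php
// Added example (not Mysidia code). Assumes HTML Purifier is installed via Composer
// (ezyang/htmlpurifier) and autoloadable from vendor/autoload.php.
require_once __DIR__ . '/vendor/autoload.php';

final class MessageSanitizer
{
    private HTMLPurifier $purifier;

    public function __construct()
    {
        // Allow-list only the markup a private message legitimately needs. Anything not
        // listed (script, iframe, on* event-handler attributes, style) is removed, and
        // href/src values are restricted to http/https so javascript: URLs are dropped too.
        $config = HTMLPurifier_Config::createDefault();
        $config->set('HTML.Allowed', 'p,br,b,strong,i,em,u,ul,ol,li,blockquote,a[href],img[src|alt]');
        $config->set('URI.AllowedSchemes', ['http' => true, 'https' => true]);
        $config->set('HTML.Nofollow', true);        // rel="nofollow" on user-supplied links
        $config->set('Cache.DefinitionImpl', null); // no on-disk definition cache for this demo
        $this->purifier = new HTMLPurifier($config);
    }

    /** HTML mode: keep safe formatting, strip everything that can execute. */
    public function purifyHtml(string $dirty): string
    {
        return $this->purifier->purify($dirty);
    }

    /** Plain-text mode (the post()-only route): every tag is escaped and rendered as text. */
    public static function escapePlain(string $text): string
    {
        return htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}

// Hypothetical model hook: route every write of the body through the sanitizer so that
// neither rawPost() nor post() can deliver active markup to the database.
function storeMessageBody(MessageSanitizer $sanitizer, string $input, bool $htmlMode): string
{
    return $htmlMode ? $sanitizer->purifyHtml($input) : MessageSanitizer::escapePlain($input);
}

$sanitizer = new MessageSanitizer();

// Constructed sample input, modelled on the report: markup typed into the editor's HTML mode.
$dirty = '<p>Hello <b>there</b></p><script>alert(1)</script>'
       . '<img src="cat.png" onerror="alert(1)"><a href="javascript:alert(1)">link</a>';

echo "HTML mode:  ", storeMessageBody($sanitizer, $dirty, true), PHP_EOL;
echo "Plain mode: ", storeMessageBody($sanitizer, $dirty, false), PHP_EOL;
```

Run it with `php sanitize_demo.php` after `composer require ezyang/htmlpurifier`. Purify once on the way into the database (as above) and keep the allow-list as the single place that decides which tags are legal; escaping a second time at output is cheap insurance against messages that were stored before the fix, which the purifier will not have seen.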