From de9e6f95ab87e64caa24f0023ad620cbf94eaa8e Mon Sep 17 00:00:00 2001
From: mattpass
Date: Sat, 1 Feb 2020 15:41:52 +0000
Subject: [PATCH] Remove use of strClean
---
 lib/download.php | 2 +-
 lib/multiple-results.php | 10 ++--
 lib/plugins-manager.php | 4 +-
 lib/properties.php | 4 +-
 lib/settings-common.php | 5 --
 lib/settings-save-current-files.php | 2 +-
 lib/settings-update.php | 82 ++++++++++++++++-------------
 lib/settings.php | 8 +--
 8 files changed, 59 insertions(+), 58 deletions(-)
diff --git a/lib/download.php b/lib/download.php
index d21b68d..831b60d 100644
--- a/lib/download.php
+++ b/lib/download.php
@@ -3,7 +3,7 @@ include("headers.php");
 include("settings.php");
 // Establish the real absolute path to the file
-$file = realpath($docRoot.$iceRoot.str_replace("|","/",strClean($_GET['file'])));
+$file = realpath($docRoot.$iceRoot.str_replace("|","/",$_GET['file']));
 // If it doesn't exist, or doesn't start with the $docRoot, stop here
 if (!file_exists($file) || strpos(str_replace("\\","/",$file),$docRoot) !== 0) {
 die("");
diff --git a/lib/multiple-results.php b/lib/multiple-results.php
index 8c3ecd1..0b7d2a9 100644
--- a/lib/multiple-results.php
+++ b/lib/multiple-results.php
@@ -5,7 +5,7 @@ $t = $text['multiple-results']; ?>
@@ -79,7 +79,7 @@ if (startTab!=top.ICEcoder.selectedTab) { for (var i=0;i targetURL.lastIndexOf("/") + if ( targetURL.lastIndexOf(findText.toLowerCase()) > targetURL.lastIndexOf("/") && targetURL.indexOf(findText.toLowerCase())>-1 && targetURL.indexOf('_perms')>-1) { if (userTarget.indexOf("selected")>-1) { for (var j=0;j resultsDisplay += '
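Review bot: `$_GET['file']` is now fed straight into `str_replace()` on the new `$file = realpath(...)` line with no `isset`/non-empty guard, so a request without the parameter raises an undefined-index notice and `realpath()` resolves `$docRoot.$iceRoot` itself, which the `file_exists`/prefix test below accepts if that directory exists (what the code then does with a directory is outside the hunk). A guard such as `if (!isset($_GET['file']) || $_GET['file'] === '') { die(""); }` before the `realpath()` call closes that path; the `realpath()` plus `strpos(...) !== 0` prefix test remains the real containment check, and it only holds if `$docRoot` (defined outside this hunk) ends in a directory separator, otherwise a sibling directory sharing the prefix would also pass — worth confirming. The same unguarded `$_GET['fileName']` read appears in the properties.php hunk at @@ -4,7 +4,7 @@. The dropped `strClean()` (see the removed function in settings-common.php) was an HTML-entity encoder that left `.`, `/` and `|` untouched, so this commit does not weaken path containment here.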
'+spansArray[i].innerHTML+'
'; - resultsDisplay += '
'+spansArray[i].innerHTML+', '+targetURL.replace(/\|/g,"/").replace(/_perms/g,"").replace(//g,"")+'
'; + resultsDisplay += '
'+spansArray[i].innerHTML+', '+targetURL.replace(/\|/g,"/").replace(/_perms/g,"").replace(//g,"")+'
';
@@ -200,7 +200,7 @@ var replaceAll = function() {
 }
 var replaceInFileSingle = function(fileRef) {
- top.ICEcoder.replaceInFile(fileRef,findText,'');
+ top.ICEcoder.replaceInFile(fileRef,findText,'');
 }
 var replaceInFilesAll = function() {
@@ -212,7 +212,7 @@ var replaceInFilesAll = function() {
 var renameSingle = function(arrayRef) {
 fileRef = spansArray[arrayRef].id.replace(/\|/g,"/").replace(/_perms/g,"");
- newName = spansArray[arrayRef].id.replace(/\|/g,"/").replace(/_perms/g,"").replace(find,"");
+ newName = spansArray[arrayRef].id.replace(/\|/g,"/").replace(/_perms/g,"").replace(find,"");
 top.ICEcoder.renameFile(fileRef,newName);
 }
diff --git a/lib/plugins-manager.php b/lib/plugins-manager.php
index 11db108..e26fa88 100644
--- a/lib/plugins-manager.php
+++ b/lib/plugins-manager.php
@@ -25,7 +25,7 @@ if (!$demoMode && isset($_SESSION['loggedIn']) && $_SESSION['loggedIn'] && isset
 // Store the plugin zip to the tmp dir
 $target = '../plugins/';
- $zipURL = $pluginsData[strClean($_GET['plugin'])]['zipURL'];
+ $zipURL = $pluginsData[$_GET['plugin']]['zipURL'];
 $zipFile = "../tmp/".basename($zipURL);
 $fileData = getData($zipURL,'curl');
 file_put_contents($zipFile, $fileData);
@@ -95,7 +95,7 @@ if (!$demoMode && isset($_SESSION['loggedIn']) && $_SESSION['loggedIn'] && isset
 // Finally, delete the plugin itself
 $target = '../plugins/';
- $dirName = basename($pluginsData[strClean($_GET['plugin'])]['zipURL'],".zip");
+ $dirName = basename($pluginsData[$_GET['plugin']]['zipURL'],".zip");
 deletePlugin($target.$dirName."/");
 }
diff --git a/lib/properties.php b/lib/properties.php
index 615a475..06bce73 100644
--- a/lib/properties.php
+++ b/lib/properties.php
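Review bot: `$_GET['plugin']` is used directly as the key into `$pluginsData` on the new `$zipURL = ...` line without checking that the key exists, so an unknown or missing plugin name yields an undefined-index notice, `$zipURL` becomes `null`, and the code continues into `basename(null)`, `getData(null,'curl')` and `file_put_contents()` of whatever that returns. Because the value is only ever used as a lookup key into the project's own `$pluginsData` table, it never reaches a path or a shell, so dropping `strClean()` is harmless here; the missing existence check is the gap. Suggest `if (!isset($_GET['plugin'], $pluginsData[$_GET['plugin']])) {die("");}` before the lookup, and the same guard before `$dirName = basename(...)` in the @@ -95,7 +95,7 @@ hunk, where an empty `$dirName` turns the next line into `deletePlugin('../plugins//')` — what `deletePlugin()` does with that path is not visible here, but it should not be reachable. The `$pluginsData` table and the rest of both functions lie outside these hunks.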
@@ -4,7 +4,7 @@ include("settings.php");
 $t = $text['properties'];
 // Establish the real absolute path to the file/folder
-$fileName=realpath($docRoot.$iceRoot.str_replace("|","/",strClean($_GET['fileName'])));
+$fileName=realpath($docRoot.$iceRoot.str_replace("|","/",$_GET['fileName']));
 // If it doesn't exist, or doesn't start with the $docRoot, stop here
 if (!file_exists($fileName) || strpos(str_replace("\\","/",$fileName),$docRoot) !== 0) {
 die("");
@@ -47,7 +47,7 @@ echo number_format($outputSize, 2, '.', '').$outputUnit." (".number_format($byte :

: -: +: / :
diff --git a/lib/settings-common.php b/lib/settings-common.php
index b3782ba..838a848 100644
--- a/lib/settings-common.php
+++ b/lib/settings-common.php
@@ -168,11 +168,6 @@ function verifyHash($pw, $orig) {
 return $origSalt.sha1($origSalt.$pw);
 }
 
-// returns converted entities which have HTML entity equivalents
-function strClean($var) {
- return preg_replace("/javascript\:/i","javascript:",htmlentities($var, ENT_QUOTES, "UTF-8"));
-}
-
 // returns a number, whole or decimal or null
 function numClean($var) {
 return is_numeric($var) ? floatval($var) : false;
diff --git a/lib/settings-save-current-files.php b/lib/settings-save-current-files.php
index 47f955c..1bc88b7 100644
--- a/lib/settings-save-current-files.php
+++ b/lib/settings-save-current-files.php
@@ -12,7 +12,7 @@ if ($_SESSION['loggedIn'] && isset($_GET["saveFiles"]) && $_GET['saveFiles']) {
 $repPosEnd = strpos($settingsContents,'",',$repPosStart)-$repPosStart;
 if (!$demoMode) {
 if ($_GET['saveFiles']!="CLEAR") {
- $saveFiles=strClean($_GET['saveFiles']);
+ $saveFiles=$_GET['saveFiles'];
 $saveFilesArray = explode(",",$saveFiles);
 $saveFiles="";
 for ($i=0;$i= 0 ? intval($_POST['bugFileCheckTimer']) : 0;
- $ICEcoder["bugFileMaxLines"] = intval($_POST['bugFileMaxLines']);
- $ICEcoder["githubAuthToken"] = strClean($_POST['githubAuthToken']);
+ $ICEcoder = array_merge(
+ $ICEcoder,
+ [
+ "root" => xssClean($_POST['root'],"html"),
+ "checkUpdates" => isset($_POST['checkUpdates']) && $_POST['checkUpdates'] ? "true" : "false",
+ "openLastFiles" => isset($_POST['openLastFiles']) && $_POST['openLastFiles'] ? "true" : "false",
+ "updateDiffOnSave" => isset($_POST['updateDiffOnSave']) && $_POST['updateDiffOnSave'] ? "true" : "false",
+ "languageUser" => $_POST['languageUser'],
+ "backupsKept" => isset($_POST['backupsKept']) && $_POST['backupsKept'] ? "true" : "false",
+ "backupsDays" => intval($_POST['backupsDays']),
+ "deleteToTmp" => isset($_POST['deleteToTmp']) && $_POST['deleteToTmp'] ? "true" : "false",
+ "findFilesExclude" => 'array("'.str_replace(',','","',str_replace(" ","",$_POST['findFilesExclude'])).'")',
+ "codeAssist" => isset($_POST['codeAssist']) && $_POST['codeAssist'] ? "true" : "false",
+ "visibleTabs" => isset($_POST['visibleTabs']) && $_POST['visibleTabs'] ? "true" : "false",
+ "lockedNav" => isset($_POST['lockedNav']) && $_POST['lockedNav'] ? "true" : "false",
+ "tagWrapperCommand" => $_POST['tagWrapperCommand'],
+ "autoComplete" => $_POST['autoComplete'],
+ "bannedFiles" => 'array("'.str_replace(',','","',str_replace(" ","",$_POST['bannedFiles'])).'")',
+ "bannedPaths" => 'array("'.str_replace(',','","',str_replace(" ","",$_POST['bannedPaths'])).'")',
+ "allowedIPs" => 'array("'.str_replace(',','","',str_replace(" ","",$_POST['allowedIPs'])).'")',
+ "autoLogoutMins" => intval($_POST['autoLogoutMins']),
+ "theme" => $_POST['theme'],
+ "fontSize" => $_POST['fontSize'],
+ "lineWrapping" => $_POST['lineWrapping'],
+ "lineNumbers" => $_POST['lineNumbers'],
+ "showTrailingSpace" => $_POST['showTrailingSpace'],
+ "matchBrackets" => $_POST['matchBrackets'],
+ "autoCloseTags" => $_POST['autoCloseTags'],
+ "autoCloseBrackets" => $_POST['autoCloseBrackets'],
+ "indentWithTabs" => $_POST['indentWithTabs'],
+ "indentAuto" => $_POST['indentAuto'],
+ "indentSize" => intval($_POST['indentSize']),
+ "pluginPanelAligned" => $_POST['pluginPanelAligned'],
+ "bugFilePaths" => 'array("'.str_replace(',','","',str_replace(" ","",$_POST['bugFilePaths'])).'")',
+ "bugFileCheckTimer" => intval($_POST['bugFileCheckTimer']) >= 0 ? intval($_POST['bugFileCheckTimer']) : 0,
+ "bugFileMaxLines" => intval($_POST['bugFileMaxLines']),
+ "githubAuthToken" => $_POST['githubAuthToken']
+ ]
+ );
+
+ if ($_POST['password']!="") {$ICEcoder["password"] = generateHash($_POST['password']);};
 $settingsArray = array("root","checkUpdates","openLastFiles","updateDiffOnSave","languageUser","backupsKept","backupsDays","deleteToTmp","findFilesExclude","codeAssist","visibleTabs","lockedNav","tagWrapperCommand","autoComplete","password","bannedFiles","bannedPaths","allowedIPs","autoLogoutMins","theme","fontSize","lineWrapping","lineNumbers","showTrailingSpace","matchBrackets","autoCloseTags","autoCloseBrackets","indentWithTabs","indentAuto","indentSize","pluginPanelAligned","bugFilePaths","bugFileCheckTimer","bugFileMaxLines","githubAuthToken");
 $settingsNew = "";
@@ -56,7 +62,7 @@ if (!$demoMode && isset($_SESSION['loggedIn']) && $_SESSION['loggedIn'] && isset
 $settingsNew .= '"'.$settingsArray[$i].'" => ';
 // Wrap certain values in double quotes
 $settingWrap = $settingsArray[$i]=="root"||$settingsArray[$i]=="password"||$settingsArray[$i]=="languageUser"||$settingsArray[$i]=="theme"||$settingsArray[$i]=="fontSize"||$settingsArray[$i]=="tagWrapperCommand"||$settingsArray[$i]=="autoComplete"||$settingsArray[$i]=="pluginPanelAligned"||$settingsArray[$i]=="githubAuthToken" ? '"' : '';
-
+
 if ($settingsArray[$i]=="password") {
 $settingsNew .= str_replace("\$", "\\$", $settingWrap.$ICEcoder[$settingsArray[$i]].$settingWrap.','.PHP_EOL);
 } else {
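Review bot: The values collected into `$ICEcoder` by the new `array_merge()` block are later written into the PHP config file as source text — the @@ -56,7 +62,7 @@ hunk shows `$settingWrap` putting `"` around `root`, `theme`, `githubAuthToken` and the other quoted keys, and the `findFilesExclude`/`bannedFiles`/`bannedPaths`/`allowedIPs`/`bugFilePaths` entries are assembled directly as `'array("'.str_replace(',','","', ...).'")'` — yet only `root` passes through `xssClean()` and only the `password` branch escapes `$`. The removed `strClean()` (settings-common.php hunk) ran `htmlentities()` with `ENT_QUOTES`, which was the one thing that stopped a `"` in a submitted value from terminating the generated string literal, so after this commit a `"`, `\` or `$` in any of these fields lands unescaped in the written PHP file. Each element of the comma-separated fields should be escaped for a double-quoted PHP literal when the `array(...)` text is built, and the `$settingWrap`-quoted scalars escaped at the write site (or the whole file produced with `var_export()`); the same applies to `$saveFiles` in the settings-save-current-files.php @@ -12,7 +12,7 @@ hunk, the rest of which is cut off in this view. The header and removed lines of the `array_merge()` hunk are not visible here, and almost every `$_POST[...]` read in it lacks an `isset()` guard, so a missing form field produces a notice instead of a rejection.
```php
// Escape a submitted value for use inside a double-quoted PHP string literal in the generated config.
$phpStr = function ($v) { return addcslashes((string) $v, '\\"$'); };
// Comma-separated fields become array("a","b") source text, so escape each element rather than the whole field.
$phpList = function ($v) use ($phpStr) {
    return 'array("'.implode('","', array_map($phpStr, explode(",", str_replace(" ","",(string) $v)))).'")';
};
// … unchanged: $ICEcoder = array_merge($ICEcoder, [ root, boolean flags, intval() fields … …
        "findFilesExclude" => $phpList($_POST['findFilesExclude']),
        "bannedFiles" => $phpList($_POST['bannedFiles']),
        "bannedPaths" => $phpList($_POST['bannedPaths']),
        "allowedIPs" => $phpList($_POST['allowedIPs']),
        "bugFilePaths" => $phpList($_POST['bugFilePaths']),
// … unchanged: remaining entries, close of array_merge(), $settingsArray, write loop up to the password branch …
} elseif ($settingWrap !== '') {
    // Quoted scalar settings: escape at write time so the in-memory $ICEcoder value stays unescaped.
    $settingsNew .= $settingWrap.$phpStr($ICEcoder[$settingsArray[$i]]).$settingWrap.','.PHP_EOL;
} else {
```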
@@ -79,7 +85,7 @@ if (!$demoMode && isset($_SESSION['loggedIn']) && $_SESSION['loggedIn'] && isset
 // OK, now the config file has been updated, update our current session with new arrays
 $settingsArray = array("findFilesExclude","bannedFiles","allowedIPs");
 for ($i=0;$itop.ICEcoder.settingsScreen('hide');top.ICEcoder.useNewSettings('".$themeURL."',".$ICEcoder["codeAssist"].",".$ICEcoder["lockedNav"].",'".$ICEcoder["tagWrapperCommand"]."','".$ICEcoder["autoComplete"]."',".$ICEcoder["visibleTabs"].",'".$ICEcoder["fontSize"]."',".$ICEcoder["lineWrapping"].",".$ICEcoder["lineNumbers"].",".$ICEcoder["showTrailingSpace"].",".$ICEcoder["matchBrackets"].",".$ICEcoder["autoCloseTags"].",".$ICEcoder["autoCloseBrackets"].",".$ICEcoder["indentWithTabs"].",".$ICEcoder["indentAuto"].",".$ICEcoder["indentSize"].",'".$ICEcoder["pluginPanelAligned"]."',".$jsBugFilePaths.",".$ICEcoder["bugFileCheckTimer"].",".$ICEcoder["bugFileMaxLines"].",'".$githubAuthTokenSet."',".$ICEcoder["updateDiffOnSave"].",".$ICEcoder["autoLogoutMins"].",".$refreshFM.");top.iceRoot = '".$ICEcoder["root"]."';"; }
diff --git a/lib/settings.php b/lib/settings.php
index 8801afc..d2f5c13 100644
--- a/lib/settings.php
+++ b/lib/settings.php
@@ -26,8 +26,8 @@ include_once(dirname(__FILE__)."/settings-common.php");
 // Establish user settings file
 $username = "";
-if (isset($_POST['username']) && $_POST['username'] != "") {$username = strClean($_POST['username']."-");};
-if (isset($_SESSION['username']) && $_SESSION['username'] != "") {$username = strClean($_SESSION['username']."-");};
+if (isset($_POST['username']) && $_POST['username'] != "") {$username = $_POST['username']."-";};
+if (isset($_SESSION['username']) && $_SESSION['username'] != "") {$username = $_SESSION['username']."-";};
 $settingsFile = 'config-'.$username.str_replace(".","_",str_replace("www.","",$_SERVER['SERVER_NAME'])).'.php';
 // Login is default
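Review bot: `$_POST['username']` now goes unmodified into `$username`, which the next line concatenates into `$settingsFile = 'config-'.$username.….'.php'`, the name later opened as `"../data/".$settingsFile` (visible in the @@ -195 hunk); this runs before authentication, so any client controls that file-name fragment. The removed `strClean()` only entity-encoded HTML characters and never restricted `/`, `\` or `.`, so the commit does not make this worse, but it removes the only transformation on the value and leaves nothing that constrains it to a plain file name. Restrict it to a safe character set at the point of use, e.g. `if (isset($_POST['username']) && !preg_match('/^[A-Za-z0-9_-]+$/', $_POST['username'])) {die("");}` before these lines, and apply the same check where `$_SESSION['username']` is first stored — the @@ -115 hunk shows it assigned from `$_POST['username']` after login without validation. Where `$settingsFile` is subsequently included or written is outside this hunk, so the exact consequence of a traversal string in the name cannot be confirmed from here.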
@@ -115,7 +115,7 @@ if (!isset($_SESSION['username'])) {$_SESSION['username'] = false;};
 // Attempt a login with password
 if(isset($_POST['submit']) && $setPWorLogin=="login") {
 // On success, set username if multiUser, loggedIn to true and redirect
- if (verifyHash(strClean($_POST['password']),$ICEcoder["password"])==$ICEcoder["password"]) {
+ if (verifyHash($_POST['password'],$ICEcoder["password"])==$ICEcoder["password"]) {
 session_regenerate_id();
 if ($ICEcoder["multiUser"]) {
 $_SESSION['username'] = $_POST['username'];
@@ -195,7 +195,7 @@ if ((!$_SESSION['loggedIn'] || $ICEcoder["password"] == "") && !strpos($_SERVER[
 } elseif (!$_SESSION['loggedIn']) {
 // If the password hasn't been set and we're setting it
 if ($ICEcoder["password"] == "" && isset($_POST['submit']) && (strpos($_POST['submit'],"set password")>-1)) {
- $password = str_replace("\$", "\\$", generateHash(strClean($_POST['password'])));
+ $password = str_replace("\$", "\\$", generateHash($_POST['password']));
 $settingsContents = getData("../data/".$settingsFile);
 // Replace our empty password with the one submitted by user
 $settingsContents = str_replace('"password" => "",','"password" => "'.$password.'",',$settingsContents);
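Review bot: The new login comparison `verifyHash($_POST['password'],$ICEcoder["password"])==$ICEcoder["password"]` uses loose `==` on two hash strings; in PHP `==` switches to numeric comparison when both operands look numeric and is not constant-time, so the check should read `if (hash_equals($ICEcoder["password"], verifyHash($_POST['password'],$ICEcoder["password"]))) {`. `$_POST['password']` is also read without `isset()` in both this hunk and @@ -195, producing a notice and an empty-password attempt when the field is absent; `$_POST['password'] ?? ''` or an `isset()` guard would make that explicit. The dropped `strClean()` ran `htmlentities()` on the password before both `generateHash()` and `verifyHash()`, so hashes already stored for passwords containing `&`, `<`, `>`, `"` or `'` will stop verifying after this change — a migration note, or a one-time fallback re-check through the old transformation, is needed. Separately, the `verifyHash()` body visible in the settings-common.php hunk builds `$origSalt.sha1($origSalt.$pw)`; `password_hash()`/`password_verify()` would be the standard replacement, though that is outside this commit.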