From 31865e547b42fbc74c9b7c6184c2d7a0e2e3e973 Mon Sep 17 00:00:00 2001 From: gluafamichl <> Date: Mon, 28 Oct 2024 14:59:24 +0100 Subject: [PATCH 1/4] Fix: remove duplicate HTML encoding from Hashlist creation --- src/inc/utils/HashlistUtils.class.php | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/src/inc/utils/HashlistUtils.class.php b/src/inc/utils/HashlistUtils.class.php index 489c24747..39b4164e9 100644 --- a/src/inc/utils/HashlistUtils.class.php +++ b/src/inc/utils/HashlistUtils.class.php @@ -34,7 +34,7 @@ public static function editNotes($hashlistId, $notes, $user) { if (!AccessUtils::userCanAccessHashlists($hashlist, $user)) { throw new HTException("No access to hashlist!"); } - Factory::getHashlistFactory()->set($hashlist, Hashlist::NOTES, htmlentities($notes, ENT_QUOTES, "UTF-8")); + Factory::getHashlistFactory()->set($hashlist, Hashlist::NOTES, $notes); } /** @@ -744,7 +744,6 @@ public static function export($hashlistId, $user) { * @throws HTException */ public static function createHashlist($name, $isSalted, $isSecret, $isHexSalted, $separator, $format, $hashtype, $saltSeparator, $accessGroupId, $source, $post, $files, $user, $brainId, $brainFeatures) { - $name = htmlentities($name, ENT_QUOTES, "UTF-8"); $salted = ($isSalted) ? "1" : "0"; $secret = ($isSecret) ? "1" : "0"; $hexsalted = ($isHexSalted) ? "1" : "0"; From 76c82bd5474fe93f622d21bfe1a7573aafe769ef Mon Sep 17 00:00:00 2001 From: gluafamichl <> Date: Mon, 28 Oct 2024 15:00:38 +0100 Subject: [PATCH 2/4] Fix: HTML decode strings before dumping DB objects to JSON --- src/inc/apiv2/common/AbstractBaseAPI.class.php | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/src/inc/apiv2/common/AbstractBaseAPI.class.php b/src/inc/apiv2/common/AbstractBaseAPI.class.php index 424a1bd6f..0ae33f059 100644 --- a/src/inc/apiv2/common/AbstractBaseAPI.class.php +++ b/src/inc/apiv2/common/AbstractBaseAPI.class.php @@ -398,7 +398,10 @@ protected static function db2json(array $feature, mixed $val): mixed $obj = array_map('intval', preg_split("/,/", $val, -1, PREG_SPLIT_NO_EMPTY)); } elseif ($feature['type'] == 'dict' && $feature['subtype'] = 'bool') { $obj = unserialize($val); - } else { + } elseif (str_starts_with($feature['type'], 'str')) { + $obj = html_entity_decode($val, ENT_COMPAT, "UTF-8"); + } + else { // TODO: Check all objects, instead of wild cast to hopefully-JSON compatible object $obj = $val; } @@ -420,7 +423,7 @@ protected static function json2db(array $feature, mixed $obj): mixed $val = htmlentities($obj, ENT_QUOTES, "UTF-8"); } elseif ($feature['type'] == 'array' && $feature['subtype'] == 'int') { $val = implode(",", $obj); - } elseif ($feature['type'] == 'dict' && $feature['subtype'] = 'bool') { + } elseif ($feature['type'] == 'dict' && $feature['subtype'] == 'bool') { $val = serialize($obj); } else { $val = strval($obj); From 1d3ade95b17bf2ed091ea9880d62d233f4153508 Mon Sep 17 00:00:00 2001 From: gluafamichl <> Date: Mon, 28 Oct 2024 15:57:21 +0100 Subject: [PATCH 3/4] Fix: HTML decode strings before dumping DB objects to JSON --- src/inc/utils/SupertaskUtils.class.php | 5 +---- src/inc/utils/TaskUtils.class.php | 6 ++---- 2 files changed, 3 insertions(+), 8 deletions(-) diff --git a/src/inc/utils/SupertaskUtils.class.php b/src/inc/utils/SupertaskUtils.class.php index 8ae15b598..d9c105073 100644 --- a/src/inc/utils/SupertaskUtils.class.php +++ b/src/inc/utils/SupertaskUtils.class.php @@ -28,7 +28,6 @@ class SupertaskUtils { * @throws HTException */ public static function bulkSupertask($name, $command, $isCpuOnly, $maxAgents, $isSmall, $crackerBinaryTypeId, $benchtype, $basefiles, $iterfiles, $user) { - $name = htmlentities($name, ENT_QUOTES, "UTF-8"); $isCpuOnly = ($isCpuOnly) ? 1 : 0; $isSmall = ($isSmall) ? 1 : 0; $benchtype = ($benchtype == 'speed') ? 1 : 0; @@ -146,7 +145,7 @@ public static function createIterationPretasks($command, $name, $basefiles, $ite */ public static function renameSupertask($supertaskId, $newName) { $supertask = SupertaskUtils::getSupertask($supertaskId); - Factory::getSupertaskFactory()->set($supertask, Supertask::SUPERTASK_NAME, htmlentities($newName, ENT_QUOTES, "UTF-8")); + Factory::getSupertaskFactory()->set($supertask, Supertask::SUPERTASK_NAME, $newName); } /** @@ -327,7 +326,6 @@ public static function createSupertask($name, $pretasks) { if (!is_array($pretasks) || sizeof($pretasks) == 0) { throw new HTException("Cannot create empty supertask!"); } - $name = htmlentities($name, ENT_QUOTES, "UTF-8"); $tasks = []; foreach ($pretasks as $pretaskId) { $pretask = Factory::getPretaskFactory()->get($pretaskId); @@ -360,7 +358,6 @@ public static function createSupertask($name, $pretasks) { * @throws HTException */ public static function importSupertask($name, $isCpuOnly, $maxAgents, $isSmall, $useOptimized, $crackerBinaryTypeId, $masks, $benchtype) { - $name = htmlentities($name, ENT_QUOTES, "UTF-8"); $isCpuOnly = ($isCpuOnly) ? 1 : 0; $isSmall = ($isSmall) ? 1 : 0; $useOptimized = ($useOptimized) ? true : false; diff --git a/src/inc/utils/TaskUtils.class.php b/src/inc/utils/TaskUtils.class.php index c06cacc50..3ccf284ee 100644 --- a/src/inc/utils/TaskUtils.class.php +++ b/src/inc/utils/TaskUtils.class.php @@ -99,7 +99,6 @@ public static function getDefault() { * @throws HTException */ public static function editNotes($taskId, $notes, $user) { - $notes = htmlentities($notes, ENT_QUOTES, "UTF-8"); $task = TaskUtils::getTask($taskId, $user); Factory::getTaskFactory()->set($task, Task::NOTES, $notes); } @@ -186,7 +185,7 @@ public static function archiveTask($taskId, $user) { */ public static function renameSupertask($taskWrapperId, $newName, $user) { $taskWrapper = TaskUtils::getTaskWrapper($taskWrapperId, $user); - Factory::getTaskWrapperFactory()->set($taskWrapper, TaskWrapper::TASK_WRAPPER_NAME, htmlentities($newName, ENT_QUOTES, "UTF-8")); + Factory::getTaskWrapperFactory()->set($taskWrapper, TaskWrapper::TASK_WRAPPER_NAME, $newName); } /** @@ -635,7 +634,7 @@ public static function updateColor($taskId, $color, $user) { public static function rename($taskId, $name, $user) { // change task name $task = TaskUtils::getTask($taskId, $user); - Factory::getTaskFactory()->set($task, Task::TASK_NAME, htmlentities($name, ENT_QUOTES, "UTF-8")); + Factory::getTaskFactory()->set($task, Task::TASK_NAME, $name); } /** @@ -745,7 +744,6 @@ public static function createTask($hashlistId, $name, $attackCmd, $chunkTime, $s throw new HTException("You cannot create a task for an archived hashlist!"); } - $name = htmlentities($name, ENT_QUOTES, "UTF-8"); if (strlen($name) == 0) { $name = "Task_" . $hashlist->getId() . "_" . date("Ymd_Hi"); } From 435065610c38b1f9d0c2422f5fbb7ba095feba12 Mon Sep 17 00:00:00 2001 From: gluafamichl <> Date: Tue, 29 Oct 2024 08:41:08 +0100 Subject: [PATCH 4/4] Fix: Don't call html_entity_decode for null values --- src/inc/apiv2/common/AbstractBaseAPI.class.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/inc/apiv2/common/AbstractBaseAPI.class.php b/src/inc/apiv2/common/AbstractBaseAPI.class.php index 0ae33f059..c5018ace3 100644 --- a/src/inc/apiv2/common/AbstractBaseAPI.class.php +++ b/src/inc/apiv2/common/AbstractBaseAPI.class.php @@ -398,7 +398,7 @@ protected static function db2json(array $feature, mixed $val): mixed $obj = array_map('intval', preg_split("/,/", $val, -1, PREG_SPLIT_NO_EMPTY)); } elseif ($feature['type'] == 'dict' && $feature['subtype'] = 'bool') { $obj = unserialize($val); - } elseif (str_starts_with($feature['type'], 'str')) { + } elseif (str_starts_with($feature['type'], 'str') && $val !== null) { $obj = html_entity_decode($val, ENT_COMPAT, "UTF-8"); } else {