fix(security): add csrf filter + prevent xss attacks by escaping user input

- update CI4 to v4.1.9's stable production package - update php and js dependencies to latest
2026-04-16 21:17:45 +02:00 · 2022-03-04 14:33:48 +00:00 · 2022-03-04 14:33:48 +00:00 · cd2e1e1dc3
commit cd2e1e1dc3
parent a597cf4ecf
182 changed files with 4410 additions and 4214 deletions
--- a/modules/Admin/Controllers/ContributorController.php
+++ b/modules/Admin/Controllers/ContributorController.php
@ -63,6 +63,7 @@ class ContributorController extends BaseController
    public function view(): string
    {
        $data = [
+            'podcast' => $this->podcast,
            'contributor' => (new UserModel())->getPodcastContributor($this->user->id, $this->podcast->id),
        ];

--- a/modules/Admin/Controllers/EpisodeController.php
+++ b/modules/Admin/Controllers/EpisodeController.php
@ -294,6 +294,7 @@ class EpisodeController extends BaseController
            ) {
                (new MediaModel())->deleteMedia($this->episode->transcript);
            }
+
            $this->episode->transcript_remote_url = $transcriptRemoteUrl === '' ? null : $transcriptRemoteUrl;
        }

@ -311,6 +312,7 @@ class EpisodeController extends BaseController
            ) {
                (new MediaModel())->deleteMedia($this->episode->chapters);
            }
+
            $this->episode->chapters_remote_url = $chaptersRemoteUrl === '' ? null : $chaptersRemoteUrl;
        }

--- a/modules/Admin/Controllers/PodcastController.php
+++ b/modules/Admin/Controllers/PodcastController.php
@ -384,6 +384,7 @@ class PodcastController extends BaseController
                ->withInput()
                ->with('errors', $mediaModel->errors());
        }
+
        (new PodcastModel())->clearCache([
            'id' => $this->podcast->id,
        ]);
--- a/modules/Admin/Controllers/PodcastImportController.php
+++ b/modules/Admin/Controllers/PodcastImportController.php
@ -77,6 +77,7 @@ class PodcastImportController extends BaseController
                ->withInput()
                ->with('errors', $this->validator->getErrors());
        }
+
        try {
            ini_set('user_agent', 'Castopod/' . CP_VERSION);
            $feed = simplexml_load_file($this->request->getPost('imported_feed_url'));
@ -93,6 +94,7 @@ class PodcastImportController extends BaseController
                        ' ⎋</a>',
                ]);
        }
+
        $nsItunes = $feed->channel[0]->children('http://www.itunes.com/dtds/podcast-1.0.dtd');
        $nsPodcast = $feed->channel[0]->children(
            'https://github.com/Podcastindex-org/podcast-namespace/blob/main/docs/1.0.md',
@ -128,6 +130,7 @@ class PodcastImportController extends BaseController
                    $nsPodcast->location->attributes()['osm'] === null ? null : (string) $nsPodcast->location->attributes()['osm'],
                );
            }
+
            $guid = null;
            if (property_exists($nsPodcast, 'guid') && $nsPodcast->guid !== null) {
                $guid = (string) $nsPodcast->guid;
@ -313,8 +316,10 @@ class PodcastImportController extends BaseController
                while (in_array($slug . '-' . $slugNumber, $slugs, true)) {
                    ++$slugNumber;
                }
+
                $slug = $slug . '-' . $slugNumber;
            }
+
            $slugs[] = $slug;
            $itemDescriptionHtml = match ($this->request->getPost('description_field')) {
                'content' => (string) $nsContent->encoded,
--- a/modules/Admin/Controllers/PodcastPlatformController.php
+++ b/modules/Admin/Controllers/PodcastPlatformController.php
@ -74,9 +74,11 @@ class PodcastPlatformController extends BaseController
            if ($podcastPlatformUrl === null) {
                continue;
            }
+
            if (! $validation->check($podcastPlatformUrl, 'validate_url')) {
                continue;
            }
+
            $podcastsPlatformsData[] = [
                'platform_slug' => $platformSlug,
                'podcast_id' => $this->podcast->id,
--- a/modules/Admin/Controllers/SchedulerController.php
+++ b/modules/Admin/Controllers/SchedulerController.php
@ -81,6 +81,7 @@ class SchedulerController extends Controller
                        'job_ended_at' => Time::now(),
                    ]);
                }
+
                $clipModel->clearVideoClipCache($scheduledClip->id);
            } catch (Exception $exception) {
                (new ClipModel())->update($scheduledClip->id, [
--- a/modules/Admin/Controllers/SettingsController.php
+++ b/modules/Admin/Controllers/SettingsController.php
@ -179,6 +179,7 @@ class SettingsController extends BaseController
            (new EpisodeCommentModel())->resetLikesCount();
            (new EpisodeCommentModel())->resetRepliesCount();
        }
+
        helper('media');

        if ($this->request->getPost('rewrite_media') === 'yes') {
--- a/modules/Admin/Controllers/SoundbiteController.php
+++ b/modules/Admin/Controllers/SoundbiteController.php
@ -144,7 +144,7 @@ class SoundbiteController extends BaseController
    {
        $soundbite = (new ClipModel())->getSoundbiteById((int) $soundbiteId);

-        if ($soundbite === null) {
+        if (! $soundbite instanceof Soundbite) {
            throw PageNotFoundException::forPageNotFound();
        }

--- a/modules/Admin/Controllers/VideoClipsController.php
+++ b/modules/Admin/Controllers/VideoClipsController.php
@ -197,7 +197,7 @@ class VideoClipsController extends BaseController
    {
        $videoClip = (new ClipModel())->getVideoClipById((int) $videoClipId);

-        if ($videoClip === null) {
+        if (! $videoClip instanceof VideoClip) {
            throw PageNotFoundException::forPageNotFound();
        }

@ -214,7 +214,7 @@ class VideoClipsController extends BaseController
    {
        $videoClip = (new ClipModel())->getVideoClipById((int) $videoClipId);

-        if ($videoClip === null) {
+        if (! $videoClip instanceof VideoClip) {
            throw PageNotFoundException::forPageNotFound();
        }