Merge branch 'master' into buid/5.14.0

ChurchCRM · Feb 3, 2025 · f6b82f6 · f6b82f6
2 parents 441b438 + 27372c7
commit f6b82f6
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 2 deletions.
diff --git a/src/ChurchCRM/utils/InputUtils.php b/src/ChurchCRM/utils/InputUtils.php
@@ -43,6 +43,11 @@ public static function filterString($sInput): string
         return strip_tags(trim($sInput));
     }
 
+    public static function filterSanitizeString($sInput): string
+    {
+        return filter_var(trim($sInput), FILTER_SANITIZE_SPECIAL_CHARS);
+    }
+
     public static function filterHTML($sInput): string
     {
         return strip_tags(trim($sInput), self::$AllowedHTMLTags);

diff --git a/src/session/index.php b/src/session/index.php
@@ -7,6 +7,7 @@
 use ChurchCRM\Authentication\Requests\LocalUsernamePasswordRequest;
 use ChurchCRM\dto\SystemURLs;
 use ChurchCRM\Slim\Middleware\VersionMiddleware;
+use ChurchCRM\Utils\InputUtils;
 use Psr\Http\Message\ResponseInterface as Response;
 use Psr\Http\Message\ServerRequestInterface as Request;
 use Slim\Factory\AppFactory;
@@ -80,8 +81,8 @@ function beginSession(Request $request, Response $response, array $args): Respon
     $renderer = new PhpRenderer('templates/');
 
     // Determine if appropriate to pre-fill the username field
-    $pageArgs['prefilledUserName'] = $request->getQueryParams()['username'] ??
-        $request->getServerParams()['username'] ??
+    $pageArgs['prefilledUserName'] = InputUtils::filterSanitizeString($request->getQueryParams()['username']) ??
+    InputUtils::filterSanitizeString($request->getServerParams()['username']) ??
         '';
 
     return $renderer->render($response, 'begin-session.php', $pageArgs);