fix XSS vulnerabilities with proper output escaping

This commit is contained in:
2025-07-17 09:58:19 +04:00
parent 5be21cabcf
commit b2c9ae8154
2 changed files with 30 additions and 12 deletions
+16 -2
@@ -9,6 +9,20 @@ if (!isset($_SERVER['HTTP_X_REQUESTED_WITH']) || strtolower($_SERVER['HTTP_X_REQ
exit; exit;
} }
// Vérifier l'origine de la requête
if (!validateAjaxOrigin()) {
http_response_code(403);
echo json_encode(['error' => 'Origine non autorisée']);
exit;
}
// Vérifier le token CSRF
if (!isset($_POST['csrf_token']) || !validateCSRFToken($_POST['csrf_token'])) {
http_response_code(403);
echo json_encode(['error' => 'Token CSRF invalide']);
exit;
}
// Récupérer les paramètres // Récupérer les paramètres
$type = isset($_GET['type']) ? $_GET['type'] : ''; $type = isset($_GET['type']) ? $_GET['type'] : '';
$page = isset($_GET['page']) ? intval($_GET['page']) : 1; $page = isset($_GET['page']) ? intval($_GET['page']) : 1;
@@ -83,9 +97,9 @@ switch ($type) {
$html = ''; $html = '';
foreach ($videos as $video) { foreach ($videos as $video) {
$html .= '<div class="video-card" data-video-id="' . $video['id'] . '">'; $html .= '<div class="video-card" data-video-id="' . htmlspecialchars($video['id']) . '">';
$html .= ' <div class="video-thumbnail">'; $html .= ' <div class="video-thumbnail">';
$html .= ' <img src="' . $video['thumbnail'] . '" alt="' . htmlspecialchars($video['title']) . '">'; $html .= ' <img src="' . htmlspecialchars($video['thumbnail']) . '" alt="' . htmlspecialchars($video['title']) . '">';
$html .= ' <div class="video-play-icon">'; $html .= ' <div class="video-play-icon">';
$html .= ' <i class="fas fa-play-circle"></i>'; $html .= ' <i class="fas fa-play-circle"></i>';
$html .= ' </div>'; $html .= ' </div>';
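Review bot: Wrapping `$video['thumbnail']` in `htmlspecialchars()` on the `<img src>` line stops attribute breakout but still lets a `javascript:` or `data:` value through as the `src`, and the same applies to the iframe `src` escaped in the other changed file. The thumbnail should be validated as an `http`/`https` URL before it reaches the markup, e.g. `$thumb = filter_var($video['thumbnail'], FILTER_VALIDATE_URL);` followed by a check that `parse_url($thumb, PHP_URL_SCHEME)` is `https` (or `http`), falling back to a placeholder image otherwise. Consider passing explicit flags as well, `htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')`, because the default flag set depends on the PHP version (single quotes are left alone before 8.1). In the first hunk the CSRF token is read from `$_POST` while `$type` and `$page` come from `$_GET`; if the front-end calls this endpoint with a plain GET, the added check would reject every request, so it is worth confirming the JS sends a POST carrying the token. The `switch ($type)` enclosing this `foreach` starts outside the hunk.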
+14 -10
@@ -4,12 +4,16 @@ require_once 'includes/config.php';
// Inclure le convertisseur Markdown // Inclure le convertisseur Markdown
require_once 'includes/lib/markdown.php'; require_once 'includes/lib/markdown.php';
// Appliquer les en-têtes de sécurité
setSecurityHeaders();
// Récupérer l'ID de la vidéo depuis l'URL // Récupérer l'ID de la vidéo depuis l'URL
$videoId = isset($_GET['id']) ? $_GET['id'] : ''; $videoId = isset($_GET['id']) ? $_GET['id'] : '';
// Vérifier si l'ID est valide // Valider l'ID de la vidéo
if (empty($videoId)) { $videoId = validateVideoId($videoId);
// Rediriger vers la page d'accueil si aucun ID n'est spécifié if ($videoId === false) {
// Rediriger vers la page d'accueil si l'ID est invalide
header('Location: index.php'); header('Location: index.php');
exit; exit;
} }
@@ -105,7 +109,7 @@ if (empty($videoData) || isset($videoData['error'])) {
<head> <head>
<meta charset="UTF-8"> <meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0"> <meta name="viewport" content="width=device-width, initial-scale=1.0">
<title><?php echo !empty($video['title']) ? $video['title'] . ' - ' : ''; ?>kaubuntu.re</title> <title><?php echo !empty($video['title']) ? htmlspecialchars($video['title']) . ' - ' : ''; ?>kaubuntu.re</title>
<link rel="stylesheet" href="css/styles.css"> <link rel="stylesheet" href="css/styles.css">
<link rel="stylesheet" href="css/video-page.css"> <link rel="stylesheet" href="css/video-page.css">
<link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/font-awesome/6.5.1/css/all.min.css"> <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/font-awesome/6.5.1/css/all.min.css">
@@ -157,13 +161,13 @@ if (empty($videoData) || isset($videoData['error'])) {
<div class="video-page"> <div class="video-page">
<div class="video-player-container"> <div class="video-player-container">
<div class="video-player"> <div class="video-player">
<iframe src="<?php echo $video['url']; ?>?warningTitle='0'" frameborder="0" allowfullscreen="allowfullscreen" allow="autoplay; fullscreen" title="<?php echo htmlspecialchars($video['title']); ?>"></iframe> <iframe src="<?php echo htmlspecialchars($video['url']); ?>?warningTitle='0'" frameborder="0" allowfullscreen="allowfullscreen" allow="autoplay; fullscreen" title="<?php echo htmlspecialchars($video['title']); ?>"></iframe>
</div> </div>
</div> </div>
<div class="video-content"> <div class="video-content">
<div class="video-primary-info"> <div class="video-primary-info">
<h1 class="video-title"><?php echo $video['title']; ?></h1> <h1 class="video-title"><?php echo htmlspecialchars($video['title']); ?></h1>
<div class="video-info"> <div class="video-info">
<div class="video-metadata"> <div class="video-metadata">
@@ -461,7 +465,7 @@ if (empty($videoData) || isset($videoData['error'])) {
<div class="share-link-container"> <div class="share-link-container">
<p>Lien de la vidéo :</p> <p>Lien de la vidéo :</p>
<div class="share-link-box"> <div class="share-link-box">
<input type="text" id="share-link" value="<?php echo (isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] === 'on' ? "https" : "http") . "://$_SERVER[HTTP_HOST]$_SERVER[REQUEST_URI]"; ?>" readonly> <input type="text" id="share-link" value="<?php echo htmlspecialchars((isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] === 'on' ? "https" : "http") . "://$_SERVER[HTTP_HOST]$_SERVER[REQUEST_URI]"); ?>" readonly>
<button id="copy-link-btn" class="copy-btn" title="Copier le lien"> <button id="copy-link-btn" class="copy-btn" title="Copier le lien">
<i class="fas fa-copy"></i> <i class="fas fa-copy"></i>
</button> </button>
@@ -470,7 +474,7 @@ if (empty($videoData) || isset($videoData['error'])) {
<p class="share-platforms-title">Partager sur :</p> <p class="share-platforms-title">Partager sur :</p>
<div class="share-platforms"> <div class="share-platforms">
<a href="mailto:?subject=<?php echo urlencode($video['title']); ?>&body=<?php echo urlencode($video['title'] . ' - ' . (isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] === 'on' ? "https" : "http") . "://$_SERVER[HTTP_HOST]$_SERVER[REQUEST_URI]"); ?>" class="share-platform-btn" title="Partager par e-mail"> <a href="mailto:?subject=<?php echo urlencode(htmlspecialchars($video['title'])); ?>&body=<?php echo urlencode(htmlspecialchars($video['title']) . ' - ' . (isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] === 'on' ? "https" : "http") . "://$_SERVER[HTTP_HOST]$_SERVER[REQUEST_URI]"); ?>" class="share-platform-btn" title="Partager par e-mail">
<i class="fas fa-envelope"></i> <i class="fas fa-envelope"></i>
<span>E-mail</span> <span>E-mail</span>
</a> </a>
@@ -480,12 +484,12 @@ if (empty($videoData) || isset($videoData['error'])) {
<span>Facebook</span> <span>Facebook</span>
</a> </a>
<a href="https://twitter.com/intent/tweet?text=<?php echo urlencode($video['title']); ?>&url=<?php echo urlencode((isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] === 'on' ? "https" : "http") . "://$_SERVER[HTTP_HOST]$_SERVER[REQUEST_URI]"); ?>" target="_blank" class="share-platform-btn" title="Partager sur X/Twitter"> <a href="https://twitter.com/intent/tweet?text=<?php echo urlencode(htmlspecialchars($video['title'])); ?>&url=<?php echo urlencode((isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] === 'on' ? "https" : "http") . "://$_SERVER[HTTP_HOST]$_SERVER[REQUEST_URI]"); ?>" target="_blank" class="share-platform-btn" title="Partager sur X/Twitter">
<i class="fab fa-x-twitter"></i> <i class="fab fa-x-twitter"></i>
<span>X</span> <span>X</span>
</a> </a>
<a href="https://wa.me/?text=<?php echo urlencode($video['title'] . ' - ' . (isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] === 'on' ? "https" : "http") . "://$_SERVER[HTTP_HOST]$_SERVER[REQUEST_URI]"); ?>" target="_blank" class="share-platform-btn" title="Partager sur WhatsApp"> <a href="https://wa.me/?text=<?php echo urlencode(htmlspecialchars($video['title']) . ' - ' . (isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] === 'on' ? "https" : "http") . "://$_SERVER[HTTP_HOST]$_SERVER[REQUEST_URI]"); ?>" target="_blank" class="share-platform-btn" title="Partager sur WhatsApp">
<i class="fab fa-whatsapp"></i> <i class="fab fa-whatsapp"></i>
<span>WhatsApp</span> <span>WhatsApp</span>
</a> </a>
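Review bot: `urlencode(htmlspecialchars($video['title']))` in the mailto, X/Twitter and WhatsApp links (the `@@ -470` and `@@ -480` hunks) applies the two escapes in the wrong order: the title sits inside a URL query component, so `htmlspecialchars()` first turns `&` into `&amp;` and `"` into `&quot;`, `urlencode()` then percent-encodes those entities, and the shared text arrives mangled. The URL component needs only `urlencode()`; HTML-escape the finished attribute value instead, i.e. `htmlspecialchars(urlencode($video['title']), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')`. The iframe `src` in the `@@ -157` hunk has the opposite gap: `htmlspecialchars($video['url'])` prevents attribute breakout but does not reject a `javascript:` scheme, so `$video['url']` should be checked to be an `https` URL on the expected embed host before it is echoed. The share links also build their URL from `$_SERVER['HTTP_HOST']`, which is the client-supplied Host header; a configured canonical base URL would keep the shared link from pointing wherever the request said.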