improv. fix xss on admin panel (#290)

Author: nivcoo

app/Controller/AppController.php

@@ -36,7 +36,7 @@
 class AppController extends Controller
 {
 
-    public $components = ['Util', 'Module', 'Session', 'Cookie', 'Security', 'EyPlugin', 'Lang', 'Theme', 'History', 'Statistics', 'Permissions', 'Update', 'Server'];
+    public $components = ['Util', 'Module', 'Session', 'Cookie', 'Security', 'EyPlugin', 'Lang', 'Theme', 'History', 'Statistics', 'Permissions', 'Update', 'Server', 'EySecurity'];
     public $helpers = ['Session'];
 
     public $view = 'Theme';
@@ -46,7 +46,10 @@ class AppController extends Controller
 
     public function beforeFilter()
     {
-
+        // find any xss vulnability on request data
+        $datas = $this->request->data;
+        $this->request->data = $this->xssProtection($datas);
+        $this->request->data["xss"] = $datas;
         // lowercase to avoid errors when the controller is called with uppercase
         $this->params['controller'] = strtolower($this->params['controller']);
         $this->params['action'] = strtolower($this->params['action']);
@@ -110,6 +113,15 @@ public function beforeFilter()
 
     }
 
+    public function xssProtection($array)
+    {
+        foreach ($array as $key => $value) {
+            $array[$key] = is_array($value) ? $this->xssProtection($value) : $this->EySecurity->xssProtection($value);
+        }
+        return $array;
+
+    }
+
     public function __initConfiguration()
     {
         // configuration générale

app/Controller/ConfigurationController.php

@@ -69,6 +69,8 @@ public function admin_index()
                     ['password_hash' => null]
                 );
 
+                $data['end_layout_code'] = $data['xss']['end_layout_code'];
+
                 $this->Configuration->read(null, 1);
                 $this->Configuration->set($data);
                 $this->Configuration->save();