From 8ee84b67eca8a8178fec498188d968d95212e932 Mon Sep 17 00:00:00 2001
From: Maurício Meneghini Fauth <mauricio@mfauth.net>
Date: Sun, 12 Jan 2025 22:39:06 -0300
Subject: Fix XSS vulnerability on Insert page
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Maurício Meneghini Fauth <mauricio@mfauth.net>
---
 libraries/classes/InsertEdit.php |  4 ++--
 psalm-baseline.xml               |  2 +-
 test/classes/InsertEditTest.php  | 14 ++++++++++++--
 3 files changed, 15 insertions(+), 5 deletions(-)

diff --git a/libraries/classes/InsertEdit.php b/libraries/classes/InsertEdit.php
index 3e6ab3e411..72971c0b88 100644
--- a/libraries/classes/InsertEdit.php
+++ b/libraries/classes/InsertEdit.php
@@ -1124,8 +1124,8 @@ private function getSpecialCharsAndBackupFieldForInsertingMode(
         } elseif ($trueType === 'binary' || $trueType === 'varbinary') {
             $specialChars = bin2hex($column['Default']);
         } elseif (substr($trueType, -4) === 'text') {
-            $textDefault = substr($column['Default'], 1, -1);
-            $specialChars = stripcslashes($textDefault !== false ? $textDefault : $column['Default']);
+            $textDefault = (string) substr($column['Default'], 1, -1);
+            $specialChars = htmlspecialchars(stripcslashes($textDefault !== '' ? $textDefault : $column['Default']));
         } else {
             $specialChars = htmlspecialchars($column['Default']);
         }
diff --git a/psalm-baseline.xml b/psalm-baseline.xml
index a07466f7bf..4f053c0a6a 100644
--- a/psalm-baseline.xml
+++ b/psalm-baseline.xml
@@ -8183,7 +8183,7 @@
       <code>$specialChars</code>
       <code>$specialChars</code>
       <code>$specialCharsEncoded</code>
-      <code>$textDefault !== false ? $textDefault : $column['Default']</code>
+      <code>$textDefault !== '' ? $textDefault : $column['Default']</code>
       <code>$transformationPlugin-&gt;getScripts()</code>
       <code>$transformation[$type . '_options'] ?? ''</code>
       <code>$trueType</code>
diff --git a/test/classes/InsertEditTest.php b/test/classes/InsertEditTest.php
index 6bbe885c12..c3f8234586 100644
--- a/test/classes/InsertEditTest.php
+++ b/test/classes/InsertEditTest.php
@@ -1714,9 +1714,9 @@ public function providerForTestGetSpecialCharsAndBackupFieldForInsertingMode():
                 [
                     false,
                     '"lorem\"ipsem"',
-                    'lorem"ipsem',
+                    'lorem&quot;ipsem',
                     '',
-                    'lorem"ipsem',
+                    'lorem&quot;ipsem',
                 ],
             ],
             'varchar with html special chars' => [
@@ -1732,6 +1732,16 @@ public function providerForTestGetSpecialCharsAndBackupFieldForInsertingMode():
                     'hello world&lt;br&gt;&lt;b&gt;lorem&lt;/b&gt; ipsem',
                 ],
             ],
+            'text with html special chars' => [
+                ['True_Type' => 'text', 'Default' => '\'</textarea><script>alert(1)</script>\''],
+                [
+                    false,
+                    '\'</textarea><script>alert(1)</script>\'',
+                    '&lt;/textarea&gt;&lt;script&gt;alert(1)&lt;/script&gt;',
+                    '',
+                    '&lt;/textarea&gt;&lt;script&gt;alert(1)&lt;/script&gt;',
+                ],
+            ],
         ];
     }
 
-- 
2.30.2