From 133da98dfc03d69684c760af98a18174f3c26d02 Mon Sep 17 00:00:00 2001
From: Coleman Watts
Date: Tue, 4 Jun 2013 15:34:36 -0700
Subject: [PATCH] Move all escaping from Ajax callback to api CRM-12765
---
 CRM/Contact/Page/AJAX.php | 67 +++++++++++++++------------------------
 api/v3/Contact.php | 11 ++++---
 2 files changed, 32 insertions(+), 46 deletions(-)
diff --git a/CRM/Contact/Page/AJAX.php b/CRM/Contact/Page/AJAX.php
index d760557158..e55004fc78 100644
--- a/CRM/Contact/Page/AJAX.php
+++ b/CRM/Contact/Page/AJAX.php
@@ -44,17 +44,22 @@ class CRM_Contact_Page_AJAX {
 $params = array('version' => 3, 'check_permissions' => TRUE);
- if ($context = CRM_Utils_Array::value('context', $_GET)) {
- $params['context'] = CRM_Utils_Type::escape($_GET['context'], 'String');
- }
-
- if (!empty($_GET['s'])) {
- $params['name'] = $_GET['s'];
+ // String params
+ // FIXME: param keys don't match input keys, using this array to translate
+ $whitelist = array(
+ 's' => 'name',
+ 'fieldName' => 'field_name',
+ 'tableName' => 'table_name',
+ 'context' => 'context',
+ );
+ foreach ($whitelist as $key => $param) {
+ if (!empty($_GET[$key])) {
+ $params[$param] = $_GET[$key];
+ }
 }
 //CRM-10687: Allow quicksearch by multiple fields
- if (!empty($_GET['fieldName'])) {
- $params['field_name'] = $_GET['fieldName'];
+ if (!empty($params['field_name'])) {
 if ($params['field_name'] == 'phone_numeric') {
 $params['name'] = preg_replace('/[^\d]/', '', $params['name']);
 }
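Review bot: The string whitelist loop forwards `s`, `fieldName`, `tableName` and `context` into `$params` with no escaping, which is what the commit title intends, but of those four only `table_name` (via `munge`) and `context` (at the hook call) receive treatment in the api/v3/Contact.php hunks of this patch; `name` and `field_name` have no visible handling here, so confirm where civicrm_api3_contact_getquick parameterises or escapes them before this lands. The `!empty($_GET[$key])` guard also rejects the legitimate search string `'0'` (`empty('0')` is true in PHP), so a quicksearch for `0` silently runs with no name; `if (isset($_GET[$key]) && $_GET[$key] !== '') {` keeps the behaviour for every other value. The enclosing method starts before this hunk.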
@@ -63,39 +68,19 @@ class CRM_Contact_Page_AJAX {
 }
 }
- if (!empty($_GET['tableName'])) {
- $params['table_name'] = $_GET['tableName'];
- }
-
- $params['limit'] = 10;
- if (CRM_Utils_Array::value('limit', $_GET)) {
- $params['limit'] = CRM_Utils_Type::escape($_GET['limit'], 'Positive');
- }
-
- $orgId = $employee_id = $cid = $id = $context = $rel = NULL;
- $params['org'] = CRM_Utils_Array::value('org', $_GET);
- if (CRM_Utils_Array::value('id', $_GET)) {
- $params['orgId'] = CRM_Utils_Type::escape($_GET['id'], 'Positive');
- }
-
- if (CRM_Utils_Array::value('employee_id', $_GET)) {
- $params['employee_id'] = CRM_Utils_Type::escape($_GET['employee_id'], 'Positive');
- }
-
- if (CRM_Utils_Array::value('cid', $_GET)) {
- $params['cid'] = CRM_Utils_Type::escape($_GET['cid'], 'Positive');
- }
-
- if (CRM_Utils_Array::value('id', $_GET)) {
- $params['id'] = CRM_Utils_Type::escape($_GET['id'], 'Positive');
- }
-
- if (isset($_GET['rel'])) {
- $params['rel'] = $_GET['rel'];
- }
-
- if (CRM_Utils_Array::value('cmsuser', $_GET)) {
- $params['cmsuser'] = CRM_Utils_Type::escape($_GET['cmsuser'], 'Boolean');
+ // Numeric params
+ $whitelist = array(
+ 'limit',
+ 'org',
+ 'employee_id',
+ 'cid',
+ 'id',
+ 'cmsuser',
+ );
+ foreach ($whitelist as $key) {
+ if (!empty($_GET[$key]) && is_numeric($_GET[$key])) {
+ $params[$key] = $_GET[$key];
+ }
 }
 $result = civicrm_api('Contact', 'getquick', $params);
diff --git a/api/v3/Contact.php b/api/v3/Contact.php
index 93050462b5..0a51db9865 100644
--- a/api/v3/Contact.php
+++ b/api/v3/Contact.php
@@ -604,7 +604,7 @@ function civicrm_api3_contact_getquick($params) {
 if ($value != 'id') {
 $suffix = 'cc';
 if (!empty($params['field_name']) && $params['field_name'] == 'value') {
- $suffix = CRM_Utils_Array::value('table_name', $params, 'cc');
+ $suffix = CRM_Utils_String::munge(CRM_Utils_Array::value('table_name', $params, 'cc'));
 }
 $actualSelectElements[] = $select[] = $suffix . '.' . $value;
 }
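Review bot: `is_numeric()` is looser than the `Positive`/`Boolean` validation it replaces: it accepts leading whitespace, signs, decimals and exponent forms (`'-1'`, `'1.5'`, `'1e3'`), so `id`, `cid` and `org` now reach the API as arbitrary numeric strings where they were previously positive integers, and `cmsuser` is no longer constrained to a boolean. Of these keys, only `limit` and `employee_id` are cast to `(int)` in the api/v3/Contact.php hunks of this patch; `id` is forwarded to the hook as-is. `if (!empty($_GET[$key]) && ctype_digit((string) $_GET[$key])) {` restores the positive-integer contract at this boundary for the same set of keys (the `(string)` cast matters because `ctype_digit` treats an int argument as a character code). Separately, `rel` is dropped entirely and `orgId` is no longer set — presumably intentional, but worth a line in the commit message if the API no longer reads them. The enclosing method's closing lines are outside this hunk.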
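Review bot: `CRM_Utils_String::munge()` reduces `table_name` to a safe identifier charset but does not check that the result names an alias actually present in the query, so an unknown value still reaches the SELECT list and surfaces as a SQL error instead of a validation error. Since `$suffix` is interpolated directly into the select expression on the next line, comparing the munged value against the known aliases (those used to build the `$from` fragments imploded in the following hunk) and falling back to `'cc'` would be the stricter check; that alias set is built outside this hunk. civicrm_api3_contact_getquick starts before this hunk.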
@@ -626,7 +626,8 @@ function civicrm_api3_contact_getquick($params) {
 $selectAliases = ", $selectAliases";
 }
 $from = implode(' ', $from);
- $limit = CRM_Utils_Array::value('limit', $params, 10);
+ $limit = (int) CRM_Utils_Array::value('limit', $params);
+ $limit = $limit > 0 ? $limit : 10;
 // add acl clause here
 list($aclFrom, $aclWhere) = CRM_Contact_BAO_Contact_Permission::cacheClause('cc');
@@ -643,7 +644,7 @@ function civicrm_api3_contact_getquick($params) {
 $currEmpDetails = array();
 if (CRM_Utils_Array::value('employee_id', $params)) {
 if ($currentEmployer = CRM_Core_DAO::getFieldValue('CRM_Contact_DAO_Contact',
- CRM_Utils_Array::value('employee_id', $params),
+ (int) $params['employee_id'],
 'employer_id'
 )) {
 if ($config->includeWildCardInName) {
@@ -768,8 +769,8 @@ LIMIT 0, {$limit}
 // send query to hook to be modified if needed
 CRM_Utils_Hook::contactListQuery($query, $name,
- CRM_Utils_Array::value('context', $params),
- CRM_Utils_Array::value('id', $params)
+ empty($params['context']) ? NULL : CRM_Utils_Type::escape($params['context'], 'String'),
+ empty($params['id']) ? NULL : $params['id']
 );
 $dao = CRM_Core_DAO::executeQuery($query);
--
2.25.1
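Review bot: The `(int)` cast and `> 0` fallback make `$limit` safe for the `LIMIT 0, {$limit}` interpolation visible in the later hunk header, but there is no upper bound, so any caller can request an arbitrarily large result set from a quicksearch endpoint that exists to return a handful of rows. Clamping at this point, e.g. `$limit = ($limit > 0 && $limit <= 100) ? $limit : 10;`, keeps the default while bounding the query; the exact ceiling is a product decision and could be a named constant. The function continues on both sides of this hunk.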
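Review bot: `$params['id']` is handed to the hook unescaped while `context` gets `CRM_Utils_Type::escape(..., 'String')` on the line above it; the AJAX caller in this patch only guarantees `is_numeric`, and the API is reachable from other entry points with no such check, so the value should be normalised here the same way `employee_id` is in the earlier hunk: `empty($params['id']) ? NULL : (int) $params['id']`. What hook implementations do with the id (they receive `$query` by reference and may rebuild it) is outside this hunk, which is why the cast belongs before the call rather than in each implementation. civicrm_api3_contact_getquick continues past this hunk.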