From bc67744e6588a73c53b88dedc6f282c7014f07a2 Mon Sep 17 00:00:00 2001 From: Fredrick Peter Date: Mon, 8 May 2023 01:12:54 +0100 Subject: [PATCH] RemoveTags, Increment, Decrement Upgrade --- README.md | 56 +++++++++++------------------------ composer.json | 5 ++-- src/Capsule/Manager.php | 2 +- src/Query/Builder.php | 31 ++++++++++++------- src/Query/MySqlExec.php | 13 ++++++-- src/Query/MySqlProperties.php | 5 ++++ src/Traits/InsertionTrait.php | 2 +- 7 files changed, 59 insertions(+), 55 deletions(-) diff --git a/README.md b/README.md index 8d81c1d..4b0be7b 100644 --- a/README.md +++ b/README.md @@ -12,7 +12,6 @@ Having been introduced to learning Laravel Framework; Over the past yr(s), Comin was pretty tough. So i decided to create a much more easier way of communicating with Database, using native `PHP PDO:: Driver`. - * [Requirements](#requirements) * [Installation](#installation) * [Instantiate](#instantiate) @@ -104,7 +103,7 @@ Prior to installing `php-orm-database` get the [Composer](https://getcomposer.or **Step 1** — update your `composer.json`: ```composer.json "require": { - "peterson/php-orm-database": "^3.1.4" + "peterson/php-orm-database": "^3.1.5" } ``` @@ -183,8 +182,6 @@ $db->table('users') ## More Database Connection Keys -
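Review bot: The new line in saveTempIncrementQuery derives the bind placeholder from the column name (`:{$data['column']}`), so an increment whose column also appears as a key of `$data['param']` puts the same named placeholder into one statement twice, and a column name with characters outside `[A-Za-z0-9_]` (a dotted `table.column`, for instance) produces a placeholder PDO cannot parse. A placeholder that cannot collide with the extra columns, e.g. `"{$data['column']}={$data['column']} {$sign} :{$data['column']}_increment"` with the matching bind key, avoids both, but the code that binds the value is outside this hunk and would have to change with it. The column name is still interpolated unquoted into the SQL, so it must come from code rather than from request input. saveTempIncrementQuery starts before the hunk and continues after it.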
Read more... - - All available connection keys - The DRIVER_NAME uses only `mysql` - No other connection type is supported for now. @@ -201,7 +198,6 @@ $db->table('users') | DB_PORT | int | `3306` | | DB_CHARSET | string | `utf8mb4_unicode_ci` | | DB_COLLATION | string | `utf8mb4` | -
## Usage - All Methods of usage @@ -279,7 +275,6 @@ $db->table('users') ``` ### Increment -
Read more... - Takes three parameter - Only the first param is required @@ -301,25 +296,20 @@ $db->table('users') $db->table('users') ->where('user_id', 10000001) ->increment('wallet_bal', 10); - --- Query -UPDATE `users` - SET wallet_bal=wallet_bal+:10 - WHERE user_id=:user_id ``` - You can also pass in a second or third parameter to update additional columns ``` $db->table('users') ->where('user_id', 10000001) - ->increment('wallet_bal', 10, [ + ->increment('wallet_bal', 100.23, [ 'first_name' => 'F. Peterson', 'status' => 1, ]); -- Query UPDATE `users` - SET wallet_bal=wallet_bal+:10, first_name=:first_name, status=:status + SET wallet_bal=wallet_bal + :wallet_bal, first_name=:first_name, status=:status WHERE user_id=:user_id ``` @@ -332,7 +322,6 @@ $db->table('users') 'status' => 1, ]); ``` -
### Decrement - Same as Increment @@ -368,26 +357,23 @@ SELECT count(*) FROM users WHERE status=:status ### Remove Tags -
Read more... - -- Helps against `XSS attacks` - - By default we remove-prevention of `XSS attacks` as this should already been handled by Forms Validation before sending into the Database - -> Applies to `insert` `update` `increment` `decrement` methods. +- Takes one param as `bool` Default is `false` + - Helps against `XSS attacks` + - By default we did not handle `XSS attacks`. As we assume this should be done by `Forms Validation` before sending to Database + -> Applies to `insert` `update` `increment` `decrement` methods. - 1 usage ``` $db->table('post') - ->removeTags() + ->removeTags(true) ->insert([ - 'description' => '', + 'description' => "", 'user_id' => ]) --- Query -The value should be 'empty' if found as an attack -Now the method automatically apply strict method of cleaning each values +- If param set to true, then this will allow all possible tags +- If false, it will allow few supported HTML5 tags ``` -
## Fetching Data @@ -454,8 +440,6 @@ SELECT * FROM `users` ``` ### Exists -
Read more... - ``` $db->table('users') ->where('email', 'email@gmail.com') @@ -465,7 +449,6 @@ $db->table('users') -- Query SELECT EXISTS(SELECT 1 FROM `users` WHERE email=:email OR name=:name) as `exists` ``` -
### Table Exist - Takes param as `string` `$table_name` @@ -476,11 +459,11 @@ $db->tableExist('users'); ## Collections - You can directly use `methods` of `Collections Instance` on any of the below - All the below `methods` are received by Collection `class` - 1. get() - 2. first() - 3. firstOrFail() - 4. insert() - 5. insertOrIgnore() + 1. get() + 2. first() + 3. firstOrFail() + 4. insert() + 5. insertOrIgnore() @@ -660,7 +643,6 @@ $users->showing([ - Multiple clause ### Raw -
Read more... - Allows you to use direct raw `SQL query syntax` ``` @@ -670,7 +652,7 @@ $date = strtotime('next week'); $db->table("tb_wallet") ->raw("date >= $date") ->raw("NOW() > created_at") - ->raw("YEAR(created_at) = '2022'") + ->raw("YEAR(created_at) = 2022") ->where('email', 'email@gmail.com') ->limit(10) ->random() @@ -681,12 +663,10 @@ $db->table("tb_wallet") SELECT * FROM `tb_wallet` WHERE date >= 1681178855 AND NOW() > created_at - AND YEAR(created_at) = '2022' + AND YEAR(created_at) = 2022 AND email=:email ORDER BY RAND() LIMIT 10 ``` -
- ### Select - Used to select needed columns from database diff --git a/composer.json b/composer.json index 0c845b0..db7fdd0 100644 --- a/composer.json +++ b/composer.json @@ -19,7 +19,8 @@ "php": ">=7.2", "vlucas/phpdotenv": "^5.3", "yidas/pagination": "^1.0", - "symfony/var-dumper": "^6.2.8" + "symfony/var-dumper": "^6.2.8", + "ezyang/htmlpurifier": "^4.16.0" }, "autoload": { "files": [ @@ -37,7 +38,7 @@ }, "extra": { "branch-alias": { - "dev-main": "3.1.4-dev" + "dev-main": "3.1.5-dev" } }, "minimum-stability": "stable", diff --git a/src/Capsule/Manager.php b/src/Capsule/Manager.php index d0f2f19..bf50fde 100644 --- a/src/Capsule/Manager.php +++ b/src/Capsule/Manager.php @@ -353,7 +353,7 @@ static public function saveTempIncrementQuery($data = [], $type = true) $sign = '-'; //decrement } - $tempIncrementQuery = "{$data['column']}={$data['column']}{$sign}:{$data['count']}"; + $tempIncrementQuery = "{$data['column']}={$data['column']} {$sign} :{$data['column']}"; if(count($data['param']) > self::COUNT){ $tempIncrementQuery .= ","; } diff --git a/src/Query/Builder.php b/src/Query/Builder.php index 36c2c9f..f4f1828 100644 --- a/src/Query/Builder.php +++ b/src/Query/Builder.php @@ -4,6 +4,10 @@ namespace builder\Database\Query; +use Config; +use Exception; +use HTMLPurifier; + class Builder extends MySqlExec{ /** @@ -661,18 +665,25 @@ public function whitelistInput(mixed $input) } // Convert input to string - $filteredInput = (string) $input; - - // Remove any script or style tags and their contents - $filteredInput = preg_replace('/<(script|style)[^>]*?>.*?<\/\\1>/si', '', $filteredInput); - - // Allow only letters, digits, spaces, and common punctuation marks - $filteredInput = preg_replace('/[^\w\s.,!?():;\'"`-]/u', '', $filteredInput); + $html = (string) $input; + + $allowedTags = null; + if ($this->allowAllTags) { + // Allow all HTML tags except those seen as attacks + $allowedTags = null; + } else { + // Allow only basic tags + $allowedTags = '