From 33ac88dd6cca16615d9ac0dec2d8711fc1c41f4c Mon Sep 17 00:00:00 2001
From: Robbie Antenesse
Date: Tue, 21 May 2019 16:18:44 -0600
Subject: [PATCH] Strip tags before parsing json in api request
---
 src/php/api/index.php | 9 +++++++++
 1 file changed, 9 insertions(+)
diff --git a/src/php/api/index.php b/src/php/api/index.php
index 40ee1b8..a9e6cff 100644
--- a/src/php/api/index.php
+++ b/src/php/api/index.php
@@ -3,8 +3,17 @@ require_once('./Response.php');
 require_once('./User.php');
 $inputJSON = file_get_contents('php://input');
+$inputJSON = strip_tags($inputJSON);
 $request= json_decode($inputJSON, true);
+if (!$request) {
+ // If malformed/unparseable JSON, fail.
+ return Response::json(array(
+ 'data' => 'Malformed request data',
+ 'error' => true,
+ ), 400);
+}
+
 $action = isset($request['action']) ? $request['action'] : '';
 $token = isset($_COOKIE['token']) ? $_COOKIE['token'] : false;
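Review bot: Calling `strip_tags()` on the raw request body before `json_decode()` filters the JSON text rather than individual values, so a `<` in one string and a `>` in a later one can cause everything between them (quotes, commas and keys included) to be removed, which changes the structure of the request or silently alters fields such as passwords. HTML escaping belongs where a value is written into a page, e.g. `htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')`, and if input filtering is still wanted it should run on each decoded string, not on `$inputJSON`. The added guard `if (!$request)` also treats valid but falsy JSON as malformed and accepts truthy non-array values; `if (!is_array($request))` would express the check directly. The rest of index.php is outside this hunk, so how `$request` values are later stored or rendered cannot be confirmed from here.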