gnh1201/seeddms-code
1
0
Fork 0
mirror of https://git.code.sf.net/p/seeddms/code synced 2025-09-08 10:59:03 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

fix potential XSS attack in many fields of settings

Browse Source
This commit is contained in:
Uwe Steinmann 2025-07-24 20:43:29 +02:00
parent 698c82b806
commit ae8b383def
2 changed files with 2 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
CHANGELOG
View File

@ -15,6 +15,7 @@
- show how many users have to review/approve a document and how many did - show how many users have to review/approve a document and how many did
already (in menu task list and document list) already (in menu task list and document list)
- break long original file names on viewDocument page - break long original file names on viewDocument page
- fix potential XSS attack in many fields of settings
-------------------------------------------------------------------------------- --------------------------------------------------------------------------------
Changes in version 5.1.40 Changes in version 5.1.40

2
views/bootstrap/class.Settings.php
View File

@ -151,7 +151,7 @@ class SeedDMS_View_Settings extends SeedDMS_Theme_Style {
$value = $settings->{"_".$name}; $value = $settings->{"_".$name};
echo " <td>"; echo " <td>";
if($this->isVisible($name)) if($this->isVisible($name))
$this->showTextField($name, $value, ($type=='password' || $type=='textarea' ? $type : ''), $placeholder ? $placeholder : getMLText($title."_placeholder", [], "")); $this->showTextField($name, htmlspecialchars($value), ($type=='password' || $type=='textarea' ? $type : ''), $placeholder ? $placeholder : getMLText($title."_placeholder", [], ""));
else else
echo getMLText('settings_conf_field_not_editable'); echo getMLText('settings_conf_field_not_editable');
echo "</td>\n"; echo "</td>\n";