prevent xss attach

This commit is contained in:
Uwe Steinmann 2023-10-27 12:51:21 +02:00
parent f562a1bbed
commit 0aedf55ec6


@ -878,7 +878,7 @@ $(document).ready(function() {
foreach($values as $v=>$c) { foreach($values as $v=>$c) {
$uu = $dms->getUserByLogin($v); $uu = $dms->getUserByLogin($v);
if($uu) { if($uu) {
$option = array($uu->getId(), $v); $option = array($uu->getId(), htmlspecialchars($v));
if(isset(${$facetname}) && in_array($uu->getId(), ${$facetname})) if(isset(${$facetname}) && in_array($uu->getId(), ${$facetname}))
$option[] = true; $option[] = true;
else else
@ -891,7 +891,7 @@ $(document).ready(function() {
foreach($values as $v=>$c) { foreach($values as $v=>$c) {
$cat = $dms->getDocumentCategoryByName($v); $cat = $dms->getDocumentCategoryByName($v);
if($cat) { if($cat) {
$option = array($cat->getId(), $v); $option = array($cat->getId(), htmlspecialchars($v));
if(isset(${$facetname}) && in_array($cat->getId(), ${$facetname})) if(isset(${$facetname}) && in_array($cat->getId(), ${$facetname}))
$option[] = true; $option[] = true;
else else
@ -914,7 +914,7 @@ $(document).ready(function() {
/* Do not even create a list of options, because it isn't used */ /* Do not even create a list of options, because it isn't used */
} else { } else {
foreach($values as $v=>$c) { foreach($values as $v=>$c) {
$option = array($v, $v); $option = array($v, htmlspecialchars($v));
if(isset(${$facetname}) && in_array($v, ${$facetname})) if(isset(${$facetname}) && in_array($v, ${$facetname}))
$option[] = true; $option[] = true;
else else
@ -1122,7 +1122,7 @@ $(document).ready(function() {
else else
$fu = $dms->getUserByLogin($v); $fu = $dms->getUserByLogin($v);
if($fu) if($fu)
$oldtransval[] = $fu->getLogin(); $oldtransval[] = htmlspecialchars($fu->getLogin());
} }
break; break;
case 'status': case 'status':
@ -1290,7 +1290,7 @@ $(document).ready(function() {
case 'owner': case 'owner':
foreach($values as $v=>$c) { foreach($values as $v=>$c) {
if($fu = $dms->getUserByLogin($v)) if($fu = $dms->getUserByLogin($v))
$menuitems[] = array('label'=>$fu->getLogin(), 'link'=>$newrequest->getRequestUri().'&'.$facetname.'[]='.$fu->getId(), 'badge'=>$c); $menuitems[] = array('label'=>htmlspecialchars($fu->getLogin()), 'link'=>$newrequest->getRequestUri().'&'.$facetname.'[]='.$fu->getId(), 'badge'=>$c);
} }
break; break;
default: default:
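Review bot: Every new `htmlspecialchars(...)` call in these hunks (L14, L22, L30, L38, L46) relies on the default flags, and on PHP versions before 8.1 the default is ENT_COMPAT, which leaves single quotes unescaped; if any of these labels ends up inside a single-quoted attribute the fix is incomplete there, and invalid UTF-8 makes the call return an empty string instead of a label. Passing the flags explicitly, `htmlspecialchars($v, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')`, makes the behaviour the same on every supported PHP version. In the third hunk only the second element of `$option = array($v, htmlspecialchars($v))` is escaped while the first (the option value) is still the raw `$v`; whether that is safe depends on how the option array is rendered, which is outside the hunk, so please confirm the consumer escapes the value itself. All five hunks sit inside larger functions whose bodies start and end outside the hunks, so it is also worth checking there are no further unescaped `$v` / `getLogin()` outputs in the same blocks.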