Merge branch 'seeddms-5.1.x' into seeddms-6.0.x

CHANGELOG

@@ -309,6 +309,9 @@
 - documents in certain folders can be excluded from dashboard, could be useful
   for folders containing archived documents
 - migrate from Slim 3 to Slim 4 (check for extension updates)
+- fix reloading more entries in list of folders/documents at end of page if
+  maxItemsPerPage is set
+- prevent xss attack
 
 --------------------------------------------------------------------------------
                      Changes in version 5.1.36

restapi/.htaccess

@@ -2,7 +2,10 @@ RewriteEngine on
 RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
 
 <Files ~ "^swagger\.yaml">
+# Apache module
 SetHandler application/x-httpd-php
+# PHP FPM on Debian
+#SetHandler "proxy:unix:/var/run/php/php8.2-fpm.sock|fcgi://localhost/"
 <IfModule mod_headers.c>
 Header set Access-Control-Allow-Origin "*"
 Header set Access-Control-Allow-Methods "GET"

restapi/swagger.yaml

@@ -13,9 +13,6 @@ info:
   license:
     name: "Apache 2.0"
     url: "http://www.apache.org/licenses/LICENSE-2.0.html"
-servers:
-  - url:
-    description: Current host server
 host: "<?php echo $_SERVER['HTTP_HOST']; ?>"
 basePath: "<?php echo $settings->_httpRoot; ?>restapi/index.php"
 tags:
@@ -1510,7 +1507,7 @@ paths:
       produces:
       - "application/json"
       consumes:
-      - "application/x-www-form-urlencoded"
+      - "multipart/form-data"
       parameters:
       - name: "id"
         in: "path"

views/bootstrap/class.Bootstrap.php

@@ -3416,7 +3416,7 @@ $('body').on('click', '[id^=\"table-row-folder\"] td:nth-child(2)', function(ev)
 				$content .= "<br />";
 				foreach($categories as $category) {
 					$color = substr(md5($category->getName()), 0, 6);
-					$content .= "<span class=\"badge\" style=\"background-color: #".$color."; color: #".self::getContrastColor($color).";\">".$category->getName()."</span> ";
+					$content .= "<span class=\"badge\" style=\"background-color: #".$color."; color: #".self::getContrastColor($color).";\">".htmlspecialchars($category->getName())."</span> ";
 				}
 			}
 			if(!empty($extracontent['bottom_title']))

views/bootstrap/class.EditDocument.php

@@ -139,7 +139,7 @@ $(document).ready( function() {
 			if(!$nodocumentformfields || !in_array('categories', $nodocumentformfields)) {
 				$options = array();
 				foreach($categories as $category) {
-					$options[] = array($category->getID(), $category->getName(), in_array($category, $document->getCategories()));
+					$options[] = array($category->getID(), htmlspecialchars($category->getName()), in_array($category, $document->getCategories()));
 				}
 				$this->formField(
 					getMLText("categories"),

views/bootstrap/class.Search.php

@@ -369,9 +369,9 @@ $(document).ready(function() {
 				}
 			}
 			if($removecategory) {
-				$this->setParam('batchmsg', getMLText('batch_remove_category_msg', ['count'=>$j, 'catname'=>$changecategory->getName()]));
+				$this->setParam('batchmsg', getMLText('batch_remove_category_msg', ['count'=>$j, 'catname'=>htmlspecialchars($changecategory->getName())]));
 			} else {
-				$this->setParam('batchmsg', getMLText('batch_add_category_msg', ['count'=>$j, 'catname'=>$changecategory->getName()]));
+				$this->setParam('batchmsg', getMLText('batch_add_category_msg', ['count'=>$j, 'catname'=>htmlspecialchars($changecategory->getName())]));
 			}
 		} else {
 		}
@@ -719,7 +719,7 @@ $(document).ready(function() {
 		$allcategories = $dms->getDocumentCategories();
 		if($allcategories) {
 			foreach($allcategories as $acategory) {
-				$options[] = array($acategory->getID(), $acategory->getName(), in_array($acategory->getId(), $tmpcatids));
+				$options[] = array($acategory->getID(), htmlspecialchars($acategory->getName()), in_array($acategory->getId(), $tmpcatids));
 			}
 			$this->formField(
 				getMLText("categories"),
@@ -966,7 +966,7 @@ $(document).ready(function() {
 				$options = array();
 				$allcategories = $dms->getDocumentCategories();
 				foreach($allcategories as $acategory) {
-					$options[] = array($acategory->getID(), $acategory->getName(), in_array($acategory->getId(), $tmpcatids));
+					$options[] = array($acategory->getID(), htmlspecialchars($acategory->getName()), in_array($acategory->getId(), $tmpcatids));
 				}
 				$this->formField(
 					getMLText("category_filter"),

views/bootstrap/class.ViewFolder.php

@@ -156,12 +156,12 @@ function loadMoreObjects(element, limit, orderby) {
 	element.prop("disabled",true);
 	var folder = element.data('folder')
 	var offset = element.data('offset')
-//	var limit = element.data('limit')
 	url = seeddms_webroot+"out/out.ViewFolder.php?action=entries&folderid="+folder+"&offset="+offset+"&limit="+limit+"&orderby="+orderby;
 	$.ajax({
 		type: 'GET',
 		url: url,
 		dataType: 'json',
+		async: false,
 		success: function(data){
 			$('#viewfolder-table').append(data.html);
 			if(data.count <= 0) {
@@ -176,7 +176,7 @@ function loadMoreObjects(element, limit, orderby) {
 	});
 }
 $(window).scroll(function() {
-	if($(window).scrollTop() + $(window).height() == $(document).height()) {
+	if($(window).scrollTop() + $(window).height() + 3 >= $(document).height()) {
 		loadMoreObjects($('#loadmore'), $('#loadmore').data('limit'), $('#loadmore').data('orderby'));
 	}
 });

views/bootstrap4/class.Bootstrap4.php

@@ -3389,7 +3389,7 @@ $('body').on('click', '[id^=\"table-row-folder\"] td:nth-child(2)', function(ev)
 				$content .= "<br />";
 				foreach($categories as $category) {
 					$color = substr(md5($category->getName()), 0, 6);
-					$content .= "<span class=\"badge\" style=\"background-color: #".$color."; color: #".self::getContrastColor($color).";\">".$category->getName()."</span> ";
+					$content .= "<span class=\"badge\" style=\"background-color: #".$color."; color: #".self::getContrastColor($color).";\">".htmlspecialchars($category->getName())."</span> ";
 				}
 			}
 			if(!empty($extracontent['bottom_title']))