From 612f297926b15cc4769dac3e37e0d8bb7512cd2a Mon Sep 17 00:00:00 2001
From: Uwe Steinmann
Date: Tue, 28 Jan 2025 17:37:09 +0100
Subject: [PATCH 1/6] fix loading more entries at end of page
---
 views/bootstrap/class.ViewFolder.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/views/bootstrap/class.ViewFolder.php b/views/bootstrap/class.ViewFolder.php
index 59f47ea31..f9aafe4b1 100644
--- a/views/bootstrap/class.ViewFolder.php
+++ b/views/bootstrap/class.ViewFolder.php
@@ -156,12 +156,12 @@ function loadMoreObjects(element, limit, orderby) {
 element.prop("disabled",true);
 var folder = element.data('folder')
 var offset = element.data('offset')
-// var limit = element.data('limit')
 url = seeddms_webroot+"out/out.ViewFolder.php?action=entries&folderid="+folder+"&offset="+offset+"&limit="+limit+"&orderby="+orderby;
 $.ajax({
 type: 'GET',
 url: url,
 dataType: 'json',
+ async: false,
 success: function(data){
 $('#viewfolder-table').append(data.html);
 if(data.count <= 0) {
@@ -176,7 +176,7 @@ function loadMoreObjects(element, limit, orderby) {
 });
 }
 $(window).scroll(function() {
- if($(window).scrollTop() + $(window).height() == $(document).height()) {
+ if($(window).scrollTop() + $(window).height() + 3 >= $(document).height()) {
 loadMoreObjects($('#loadmore'), $('#loadmore').data('limit'), $('#loadmore').data('orderby'));
 }
 });
From 77df75a038ced9a6ba511bae5b6d1c0ec420b120 Mon Sep 17 00:00:00 2001
From: Uwe Steinmann
Date: Tue, 28 Jan 2025 17:38:05 +0100
Subject: [PATCH 2/6] add changes for 5.1.37
---
 CHANGELOG | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/CHANGELOG b/CHANGELOG
index 018a877e4..7450d2774 100644
--- a/CHANGELOG
+++ b/CHANGELOG
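Review bot: `async: false` on the `$.ajax` call in the first hunk turns every scroll-triggered load into a synchronous XHR on the main thread, which freezes the page for the duration of the request and is deprecated by browsers; the end-of-page fix itself is the `+ 3 >=` threshold in the second hunk, which does not need it. If the option was added because the relaxed threshold lets the scroll handler fire several overlapping requests for the same offset, a guard on the button state that loadMoreObjects already sets on entry (`element.prop("disabled",true)`) is the cheaper way to serialise them: in the scroll handler, `if($('#loadmore').prop('disabled')) return;` before the `loadMoreObjects(...)` call, with `async: false` dropped — assuming the handlers re-enable the button when more entries remain, which lies outside the hunk. The query string is also still built by concatenating the data attributes without `encodeURIComponent`; they are server-rendered, so this is robustness rather than a security point, but it is cheap to fix on the same line. loadMoreObjects begins before the first hunk and its success handler continues past it.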
@@ -5,6 +5,8 @@
 - documents in certain folders can be excluded from dashboard, could be useful for folders containing archived documents
 - migrate from Slim 3 to Slim 4 (check for extension updates)
+- fix reloading more entries in list of folders/documents at end of page if
+ maxItemsPerPage is set
 --------------------------------------------------------------------------------
 Changes in version 5.1.36
From be1ebce45f6c037c0f90325adde55dd06677c9ad Mon Sep 17 00:00:00 2001
From: Uwe Steinmann
Date: Wed, 29 Jan 2025 10:23:57 +0100
Subject: [PATCH 3/6] fix errors
---
 restapi/swagger.yaml | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)
diff --git a/restapi/swagger.yaml b/restapi/swagger.yaml
index f19c5299c..f035159fe 100644
--- a/restapi/swagger.yaml
+++ b/restapi/swagger.yaml
@@ -13,9 +13,6 @@ info:
 license:
 name: "Apache 2.0"
 url: "http://www.apache.org/licenses/LICENSE-2.0.html"
-servers:
- - url:
- description: Current host server
 host: ""
 basePath: "_httpRoot; ?>restapi/index.php"
 tags:
@@ -1510,7 +1507,7 @@ paths:
 produces:
 - "application/json"
 consumes:
- - "application/x-www-form-urlencoded"
+ - "multipart/form-data"
 parameters:
 - name: "id"
 in: "path"
From a0df82c2e73c8139489c8480caa34271486c4552 Mon Sep 17 00:00:00 2001
From: Uwe Steinmann
Date: Wed, 29 Jan 2025 10:24:52 +0100
Subject: [PATCH 4/6] add example of PHP FPM handler
---
 restapi/.htaccess | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/restapi/.htaccess b/restapi/.htaccess
index 0151827f6..682a4d98a 100644
--- a/restapi/.htaccess
+++ b/restapi/.htaccess
@@ -2,7 +2,10 @@ RewriteEngine on
 RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
+# Apache module
 SetHandler application/x-httpd-php
+# PHP FPM on Debian
+#SetHandler "proxy:unix:/var/run/php/php8.2-fpm.sock|fcgi://localhost/"
 Header set Access-Control-Allow-Origin "*"
 Header set Access-Control-Allow-Methods "GET"
From dd13504fefbd37e5f2b34d718183c8c53fdbfcd9 Mon Sep 17 00:00:00 2001
From: Uwe Steinmann
Date: Wed, 29 Jan 2025 10:25:26 +0100
Subject: [PATCH 5/6] fix xss attack
---
 views/bootstrap/class.Bootstrap.php | 2 +-
 views/bootstrap/class.EditDocument.php | 2 +-
 views/bootstrap/class.Search.php | 8 ++++----
 views/bootstrap4/class.Bootstrap4.php | 2 +-
 4 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/views/bootstrap/class.Bootstrap.php b/views/bootstrap/class.Bootstrap.php
index 9b69f4f8a..7d7f4408d 100644
--- a/views/bootstrap/class.Bootstrap.php
+++ b/views/bootstrap/class.Bootstrap.php
@@ -3277,7 +3277,7 @@ $('body').on('click', '[id^=\"table-row-folder\"] td:nth-child(2)', function(ev)
 $content .= "
"; foreach($categories as $category) { $color = substr(md5($category->getName()), 0, 6); - $content .= "".$category->getName()." "; + $content .= "".htmlspecialchars($category->getName())." "; } } if(!empty($extracontent['bottom_title'])) diff --git a/views/bootstrap/class.EditDocument.php b/views/bootstrap/class.EditDocument.php index 48c1d47c0..5d4746e33 100644 --- a/views/bootstrap/class.EditDocument.php +++ b/views/bootstrap/class.EditDocument.php @@ -139,7 +139,7 @@ $(document).ready( function() { if(!$nodocumentformfields || !in_array('categories', $nodocumentformfields)) { $options = array(); foreach($categories as $category) { - $options[] = array($category->getID(), $category->getName(), in_array($category, $document->getCategories())); + $options[] = array($category->getID(), htmlspecialchars($category->getName()), in_array($category, $document->getCategories())); } $this->formField( getMLText("categories"), diff --git a/views/bootstrap/class.Search.php b/views/bootstrap/class.Search.php index e602de15d..12c64f56f 100644 --- a/views/bootstrap/class.Search.php +++ b/views/bootstrap/class.Search.php @@ -369,9 +369,9 @@ $(document).ready(function() { } } if($removecategory) { - $this->setParam('batchmsg', getMLText('batch_remove_category_msg', ['count'=>$j, 'catname'=>$changecategory->getName()])); + $this->setParam('batchmsg', getMLText('batch_remove_category_msg', ['count'=>$j, 'catname'=>htmlspecialchars($changecategory->getName())])); } else { - $this->setParam('batchmsg', getMLText('batch_add_category_msg', ['count'=>$j, 'catname'=>$changecategory->getName()])); + $this->setParam('batchmsg', getMLText('batch_add_category_msg', ['count'=>$j, 'catname'=>htmlspecialchars($changecategory->getName())])); } } else { } 
@@ -710,7 +710,7 @@ $(document).ready(function() {
 $allcategories = $dms->getDocumentCategories();
 if($allcategories) {
 foreach($allcategories as $acategory) {
- $options[] = array($acategory->getID(), $acategory->getName(), in_array($acategory->getId(), $tmpcatids));
+ $options[] = array($acategory->getID(), htmlspecialchars($acategory->getName()), in_array($acategory->getId(), $tmpcatids));
 }
 $this->formField(
 getMLText("categories"),
@@ -947,7 +947,7 @@ $(document).ready(function() {
 $options = array();
 $allcategories = $dms->getDocumentCategories();
 foreach($allcategories as $acategory) {
- $options[] = array($acategory->getID(), $acategory->getName(), in_array($acategory->getId(), $tmpcatids));
+ $options[] = array($acategory->getID(), htmlspecialchars($acategory->getName()), in_array($acategory->getId(), $tmpcatids));
 }
 $this->formField(
 getMLText("category_filter"),
diff --git a/views/bootstrap4/class.Bootstrap4.php b/views/bootstrap4/class.Bootstrap4.php
index ebafc2524..93ffc29f2 100644
--- a/views/bootstrap4/class.Bootstrap4.php
+++ b/views/bootstrap4/class.Bootstrap4.php
@@ -3326,7 +3326,7 @@ $('body').on('click', '[id^=\"table-row-folder\"] td:nth-child(2)', function(ev)
 $content .= "
"; foreach($categories as $category) { $color = substr(md5($category->getName()), 0, 6); - $content .= "".$category->getName()." "; + $content .= "".htmlspecialchars($category->getName())." "; } } if(!empty($extracontent['bottom_title'])) From aa6454fce9c7bc2d6fb4a9b029e640d7db6f2684 Mon Sep 17 00:00:00 2001 From: Uwe Steinmann Date: Wed, 29 Jan 2025 10:25:55 +0100 Subject: [PATCH 6/6] add changes for 5.1.37 --- CHANGELOG | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG b/CHANGELOG index 7450d2774..d34962e65 100644 --- a/CHANGELOG +++ b/CHANGELOG @@ -7,6 +7,7 @@ - migrate from Slim 3 to Slim 4 (check for extension updates) - fix reloading more entries in list of folders/documents at end of page if maxItemsPerPage is set +- prevent xss attack -------------------------------------------------------------------------------- Changes in version 5.1.36