- prevent XSS attacs

out/out.FolderNotify.php

@@ -28,7 +28,7 @@ include("../inc/inc.Authentication.php");
 if (!isset($_GET["folderid"]) || !is_numeric($_GET["folderid"]) || intval($_GET["folderid"])<1) {
 	UI::exitError(getMLText("folder_title", array("foldername" => getMLText("invalid_folder_id"))),getMLText("invalid_folder_id"));
 }
-$folderid = $_GET["folderid"];
+$folderid = intval($_GET["folderid"]);
 $folder = $dms->getFolder($folderid);
 
 if (!is_object($folder)) {

out/out.KeywordChooser.php

@@ -34,7 +34,7 @@ foreach($allusers as $u) {
 $categories = $dms->getAllKeywordCategories($userids);
 
 if($_GET['target']) {
-	$target = $_GET['target'];
+	$target = sanitizeString($_GET['target']);
 } else {
 	$target = 'form1';
 }

out/out.LogManagement.php

@@ -90,7 +90,7 @@ if ($logname && file_exists($settings->_contentDir.$logname)){
 	UI::contentHeading(" ");
 	UI::contentContainerStart();
 	
-	UI::contentSubHeading($logname);
+	UI::contentSubHeading(sanitizeString($logname));
 
 	echo "<div class=\"logview\">";
 	echo "<pre>\n";

out/out.MoveDocument.php

@@ -28,7 +28,7 @@ if (!isset($_GET["documentid"]) || !is_numeric($_GET["documentid"]) || intval($_
 	UI::exitError(getMLText("document_title", array("documentname" => getMLText("invalid_doc_id"))),getMLText("invalid_doc_id"));
 }
 
-$documentid = $_GET["documentid"];
+$documentid = intval($_GET["documentid"]);
 $document = $dms->getDocument($documentid);
 
 if (!is_object($document)) {

out/out.MoveFolder.php

@@ -29,7 +29,7 @@ if (!isset($_GET["folderid"]) || !is_numeric($_GET["folderid"]) || intval($_GET[
 	UI::exitError(getMLText("folder_title", array("foldername" => getMLText("invalid_folder_id"))),getMLText("invalid_folder_id"));
 }
 
-$folderid = $_GET["folderid"];
+$folderid = intval($_GET["folderid"]);
 $folder = $dms->getFolder($folderid);
 
 if (!is_object($folder)) {

out/out.OverrideContentStatus.php

@@ -29,7 +29,7 @@ if (!isset($_GET["documentid"]) || !is_numeric($_GET["documentid"]) || intval($_
 	UI::exitError(getMLText("document_title", array("documentname" => getMLText("invalid_doc_id"))),getMLText("invalid_doc_id"));
 }
 
-$documentid = $_GET["documentid"];
+$documentid = intval($_GET["documentid"]);
 $document = $dms->getDocument($documentid);
 
 if (!is_object($document)) {

out/out.RemoveArchive.php

@@ -40,8 +40,8 @@ UI::contentContainerStart();
 
 ?>
 <form action="../op/op.RemoveArchive.php" name="form1" method="POST">
-	<input type="Hidden" name="arkname" value="<?php echo $arkname?>">
-	<p><?php printMLText("confirm_rm_backup", array ("arkname" => $arkname));?></p>
+	<input type="Hidden" name="arkname" value="<?php echo sanitizeString($arkname); ?>">
+	<p><?php printMLText("confirm_rm_backup", array ("arkname" => sanitizeString($arkname)));?></p>
 	<input type="Submit" value="<?php printMLText("backup_remove");?>">
 </form>
 <?php

out/out.RemoveDocument.php

@@ -28,7 +28,7 @@ include("../inc/inc.Authentication.php");
 if (!isset($_GET["documentid"]) || !is_numeric($_GET["documentid"]) || intval($_GET["documentid"])<1) {
 	UI::exitError(getMLText("document_title", array("documentname" => getMLText("invalid_doc_id"))),getMLText("invalid_doc_id"));
 }
-$documentid = $_GET["documentid"];
+$documentid = intval($_GET["documentid"]);
 $document = $dms->getDocument($documentid);
 
 if (!is_object($document)) {

out/out.RemoveDocumentFile.php

@@ -27,7 +27,7 @@ if (!isset($_GET["documentid"]) || !is_numeric($_GET["documentid"]) || intval($_
 	UI::exitError(getMLText("document_title", array("documentname" => getMLText("invalid_doc_id"))),getMLText("invalid_doc_id"));
 }
 
-$documentid = $_GET["documentid"];
+$documentid = intval($_GET["documentid"]);
 $document = $dms->getDocument($documentid);
 
 if (!is_object($document)) {

out/out.RemoveDump.php

@@ -40,8 +40,8 @@ UI::contentContainerStart();
 
 ?>
 <form action="../op/op.RemoveDump.php" name="form1" method="POST">
-	<input type="Hidden" name="dumpname" value="<?php echo $dumpname?>">
-	<p><?php printMLText("confirm_rm_dump", array ("dumpname" => $dumpname));?></p>
+	<input type="Hidden" name="dumpname" value="<?php echo sanitizeString($dumpname); ?>">
+	<p><?php printMLText("confirm_rm_dump", array ("dumpname" => sanitizeString($dumpname)));?></p>
 	<input type="Submit" value="<?php printMLText("dump_remove");?>">
 </form>
 <?php

out/out.RemoveEvent.php

@@ -45,7 +45,7 @@ UI::contentContainerStart();
 
 ?>
 <form action="../op/op.RemoveEvent.php" name="form1" method="POST">
-	<input type="Hidden" name="eventid" value="<?php echo $_GET["id"]; ?>">
+	<input type="Hidden" name="eventid" value="<?php echo intval($_GET["id"]); ?>">
 	<p><?php printMLText("confirm_rm_event", array ("name" => htmlspecialchars($event["name"])));?></p>
 	<input type="Submit" value="<?php printMLText("delete");?>">
 </form>

out/out.RemoveFolderFiles.php

@@ -30,7 +30,7 @@ if (!isset($_GET["targetidform3"]) || !is_numeric($_GET["targetidform3"]) || int
 	UI::exitError(getMLText("admin_tools"),getMLText("invalid_folder_id"));
 }
 
-$folderid = $_GET["targetidform3"];
+$folderid = intval($_GET["targetidform3"]);
 $folder = $dms->getFolder($folderid);
 
 if (!is_object($folder)) {

out/out.RemoveGroup.php

@@ -31,7 +31,7 @@ if (!$user->isAdmin()) {
 if (!isset($_GET["groupid"]) || !is_numeric($_GET["groupid"]) || intval($_GET["groupid"])<1) {
 	UI::exitError(getMLText("rm_group"),getMLText("invalid_user_id"));
 }
-$groupid = $_GET["groupid"];
+$groupid = intval($_GET["groupid"]);
 $currGroup = $dms->getGroup($groupid);
 
 if (!is_object($currGroup)) {

out/out.RemoveLog.php

@@ -30,7 +30,7 @@ if (!isset($_GET["logname"]) || !file_exists($settings->_contentDir.$_GET["logna
 	UI::exitError(getMLText("admin_tools"),getMLText("unknown_id"));
 }
 
-$logname = $_GET["logname"];
+$logname = sanitizeString($_GET["logname"]);
 
 UI::htmlStartPage(getMLText("backup_tools"));
 UI::globalNavigation();

out/out.RemoveUser.php

@@ -1,82 +1,82 @@
-<?php
-//    MyDMS. Document Management System
-//    Copyright (C) 2002-2005  Markus Westphal
-//    Copyright (C) 2006-2008 Malcolm Cowe
-//    Copyright (C) 2006-2008 Malcolm Cowe
-//
-//    This program is free software; you can redistribute it and/or modify
-//    it under the terms of the GNU General Public License as published by
-//    the Free Software Foundation; either version 2 of the License, or
-//    (at your option) any later version.
-//
-//    This program is distributed in the hope that it will be useful,
-//    but WITHOUT ANY WARRANTY; without even the implied warranty of
-//    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-//    GNU General Public License for more details.
-//
-//    You should have received a copy of the GNU General Public License
-//    along with this program; if not, write to the Free Software
-//    Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
-
-include("../inc/inc.Settings.php");
+<?php
+//    MyDMS. Document Management System
+//    Copyright (C) 2002-2005  Markus Westphal
+//    Copyright (C) 2006-2008 Malcolm Cowe
+//    Copyright (C) 2010-2012 Uwe Steinmann
+//
+//    This program is free software; you can redistribute it and/or modify
+//    it under the terms of the GNU General Public License as published by
+//    the Free Software Foundation; either version 2 of the License, or
+//    (at your option) any later version.
+//
+//    This program is distributed in the hope that it will be useful,
+//    but WITHOUT ANY WARRANTY; without even the implied warranty of
+//    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+//    GNU General Public License for more details.
+//
+//    You should have received a copy of the GNU General Public License
+//    along with this program; if not, write to the Free Software
+//    Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+
+include("../inc/inc.Settings.php");
 include("../inc/inc.DBInit.php");
-include("../inc/inc.Language.php");
-include("../inc/inc.ClassUI.php");
+include("../inc/inc.Language.php");
+include("../inc/inc.ClassUI.php");
 include("../inc/inc.Authentication.php");
 
 if (!$user->isAdmin()) {
-	UI::exitError(getMLText("admin_tools"),getMLText("access_denied"));
-}
-
-if (!isset($_GET["userid"]) || !is_numeric($_GET["userid"]) || intval($_GET["userid"])<1) {
-	UI::exitError(getMLText("rm_user"),getMLText("invalid_user_id"));
-}
+	UI::exitError(getMLText("admin_tools"),getMLText("access_denied"));
+}
 
-$userid = $_GET["userid"];
+if (!isset($_GET["userid"]) || !is_numeric($_GET["userid"]) || intval($_GET["userid"])<1) {
+	UI::exitError(getMLText("rm_user"),getMLText("invalid_user_id"));
+}
+
+$userid = intval($_GET["userid"]);
 $currUser = $dms->getUser($userid);
 
-if ($userid==$user->getID()) {
-	UI::exitError(getMLText("rm_user"),getMLText("access_denied"));
+if ($userid==$user->getID()) {
+	UI::exitError(getMLText("rm_user"),getMLText("access_denied"));
 }
-
-if (!is_object($currUser)) {
-	UI::exitError(getMLText("rm_user"),getMLText("invalid_user_id"));
-}
-
-UI::htmlStartPage(getMLText("admin_tools"));
-UI::globalNavigation();
+
+if (!is_object($currUser)) {
+	UI::exitError(getMLText("rm_user"),getMLText("invalid_user_id"));
+}
+
+UI::htmlStartPage(getMLText("admin_tools"));
+UI::globalNavigation();
 UI::pageNavigation(getMLText("admin_tools"), "admin_tools");
-UI::contentHeading(getMLText("rm_user"));
+UI::contentHeading(getMLText("rm_user"));
 UI::contentContainerStart();
-
-?>
-<form action="../op/op.UsrMgr.php" name="form1" method="POST">
-<input type="Hidden" name="userid" value="<?php print $userid;?>">
-<input type="Hidden" name="action" value="removeuser">
-<p>
-<?php printMLText("confirm_rm_user", array ("username" => htmlspecialchars($currUser->getFullName())));?>
-</p>
+
+?>
+<form action="../op/op.UsrMgr.php" name="form1" method="POST">
+<input type="Hidden" name="userid" value="<?php print $userid;?>">
+<input type="Hidden" name="action" value="removeuser">
+<p>
+<?php printMLText("confirm_rm_user", array ("username" => htmlspecialchars($currUser->getFullName())));?>
+</p>
 
 <p>
 <?php printMLText("assign_user_property_to"); ?> :
-<select name="assignTo">
+<select name="assignTo">
 <?php
 	$users = $dms->getAllUsers();
-	foreach ($users as $currUser) {
-		if ($currUser->isGuest() || ($currUser->getID() == $userid) )
+	foreach ($users as $currUser) {
+		if ($currUser->isGuest() || ($currUser->getID() == $userid) )
 			continue;
 
-		if (isset($_GET["userid"]) && $currUser->getID()==$_GET["userid"]) $selected=$count;
-		print "<option value=\"".$currUser->getID()."\">" . htmlspecialchars($currUser->getLogin());
-	}
-?>
+		if (isset($_GET["userid"]) && $currUser->getID()==$_GET["userid"]) $selected=$count;
+		print "<option value=\"".$currUser->getID()."\">" . htmlspecialchars($currUser->getLogin()." - ".$currUser->getFullName());
+	}
+?>
 </select>
 </p>
 
-<p><input type="Submit" value="<?php printMLText("rm_user");?>"></p>
-
-</form>
-<?php
-UI::contentContainerEnd();
-UI::htmlEndPage();
-?>
+<p><input type="Submit" value="<?php printMLText("rm_user");?>"></p>
+
+</form>
+<?php
+UI::contentContainerEnd();
+UI::htmlEndPage();
+?>

out/out.RemoveVersion.php

@@ -29,7 +29,7 @@ if (!isset($_GET["documentid"]) || !is_numeric($_GET["documentid"]) || intval($_
 	UI::exitError(getMLText("document_title", array("documentname" => getMLText("invalid_doc_id"))),getMLText("invalid_doc_id"));
 }
 
-$documentid = $_GET["documentid"];
+$documentid = intval($_GET["documentid"]);
 $document = $dms->getDocument($documentid);
 
 if (!is_object($document)) {

out/out.ReviewDocument.php

@@ -29,7 +29,7 @@ if (!isset($_GET["documentid"]) || !is_numeric($_GET["documentid"]) || intval($_
 	UI::exitError(getMLText("document_title", array("documentname" => getMLText("invalid_doc_id"))),getMLText("invalid_doc_id"));
 }
 
-$documentid = $_GET["documentid"];
+$documentid = intval($_GET["documentid"]);
 $document = $dms->getDocument($documentid);
 
 if (!is_object($document)) {

out/out.SetExpires.php

@@ -28,7 +28,7 @@ include("../inc/inc.Authentication.php");
 if (!isset($_GET["documentid"]) || !is_numeric($_GET["documentid"]) || intval($_GET["documentid"])<1) {
 	UI::exitError(getMLText("document_title", array("documentname" => getMLText("invalid_doc_id"))),getMLText("invalid_doc_id"));
 }
-$documentid = $_GET["documentid"];
+$documentid = intval($_GET["documentid"]);
 $document = $dms->getDocument($documentid);
 
 if (!is_object($document)) {

out/out.SetReviewersApprovers.php

@@ -28,7 +28,7 @@ include("../inc/inc.Authentication.php");
 if (!isset($_GET["documentid"]) || !is_numeric($_GET["documentid"]) || intval($_GET["documentid"])<1) {
 	UI::exitError(getMLText("document_title", array("documentname" => getMLText("invalid_doc_id"))),getMLText("invalid_doc_id"));
 }
-$documentid = $_GET["documentid"];
+$documentid = intval($_GET["documentid"]);
 $document = $dms->getDocument($documentid);
 
 if (!is_object($document)) {

out/out.UpdateDocument.php

@@ -28,7 +28,7 @@ include("../inc/inc.Authentication.php");
 if (!isset($_GET["documentid"]) || !is_numeric($_GET["documentid"]) || intval($_GET["documentid"])<1) {
 	UI::exitError(getMLText("document_title", array("documentname" => getMLText("invalid_doc_id"))),getMLText("invalid_doc_id"));
 }
-$documentid = $_GET["documentid"];
+$documentid = intval($_GET["documentid"]);
 $document = $dms->getDocument($documentid);
 
 if (!is_object($document)) {

out/out.UpdateDocument2.php

@@ -33,7 +33,7 @@ if(!$settings->_enableLargeFileUpload) {
 	UI::exitError(getMLText("document_title", array("documentname" => getMLText("invalid_doc_id"))),getMLText("access_denied"));
 }
 
-$documentid = $_GET["documentid"];
+$documentid = intval($_GET["documentid"]);
 $document = $dms->getDocument($documentid);
 
 if (!is_object($document)) {

out/out.ViewDocument.php

@@ -40,7 +40,7 @@ if (!isset($_GET["documentid"]) || !is_numeric($_GET["documentid"]) || intval($_
 	UI::exitError(getMLText("document_title", array("documentname" => getMLText("invalid_doc_id"))),getMLText("invalid_doc_id"));
 }
 
-$documentid = $_GET["documentid"];
+$documentid = intval($_GET["documentid"]);
 $document = $dms->getDocument($documentid);
 
 if (!is_object($document)) {
@@ -90,7 +90,7 @@ if ($document->isLocked()) {
 <td>
 <?php
 $owner = $document->getOwner();
-print "<a class=\"infos\" href=\"mailto:".$owner->getEmail()."\">".$owner->getFullName()."</a>";
+print "<a class=\"infos\" href=\"mailto:".$owner->getEmail()."\">".htmlspecialchars($owner->getFullName())."</a>";
 ?>
 </td>
 </tr>

out/out.ViewEvent.php

@@ -27,7 +27,7 @@ if (!isset($_GET["id"])){
 	UI::exitError(getMLText("event_details"),getMLText("error_occured"));
 }
 
-$event=getEvent($_GET["id"]);
+$event=getEvent(intval($_GET["id"]));
 
 if (is_bool($event)&&!$event){
 	UI::exitError(getMLText("event_details"),getMLText("error_occured"));
@@ -46,12 +46,12 @@ echo "<table>";
 
 echo "<tr>";
 echo "<td>".getMLText("name").": </td>";
-echo "<td>".$event["name"]."</td>";
+echo "<td>".htmlspecialchars($event["name"])."</td>";
 echo "</tr>";
 
 echo "<tr>";
 echo "<td>".getMLText("comment").": </td>";
-echo "<td>".$event["comment"]."</td>";
+echo "<td>".htmlspecialchars($event["comment"])."</td>";
 echo "</tr>";
 
 echo "<tr>";

out/out.ViewFolder.php

@@ -29,7 +29,7 @@ if (!isset($_GET["folderid"]) || !is_numeric($_GET["folderid"]) || intval($_GET[
 	$folderid = $settings->_rootFolderID;
 }
 else {
-	$folderid = $_GET["folderid"];
+	$folderid = intval($_GET["folderid"]);
 }
 
 $folder = $dms->getFolder($folderid);