mirror of
https://git.code.sf.net/p/seeddms/code
synced 2025-06-18 02:59:27 +00:00
run all mailto through htmlspecialchars to prevent clickjacking attacks
This commit is contained in:
Uwe Steinmann
parent
717cfcb615
commit
78dfd5269e
|
|
@ -168,7 +168,7 @@ class SeedDMS_View_DocumentVersionDetail extends SeedDMS_Bootstrap_Style {
|
|||
<td>
|
||||
<?php
|
||||
$owner = $document->getOwner();
|
||||
print "<a class=\"infos\" href=\"mailto:".$owner->getEmail()."\">".htmlspecialchars($owner->getFullName())."</a>";
|
||||
print "<a class=\"infos\" href=\"mailto:".htmlspecialchars($owner->getEmail())."\">".htmlspecialchars($owner->getFullName())."</a>";
|
||||
?>
|
||||
</td>
|
||||
</tr>
|
||||
|
|
@ -275,7 +275,7 @@ class SeedDMS_View_DocumentVersionDetail extends SeedDMS_Bootstrap_Style {
|
|||
else print "<li><span class=\"warning\">".getMLText("document_deleted")."</span></li>";
|
||||
|
||||
$updatingUser = $version->getUser();
|
||||
print "<li>".getMLText("uploaded_by")." <a href=\"mailto:".$updatingUser->getEmail()."\">".htmlspecialchars($updatingUser->getFullName())."</a></li>";
|
||||
print "<li>".getMLText("uploaded_by")." <a href=\"mailto:".htmlspecialchars($updatingUser->getEmail())."\">".htmlspecialchars($updatingUser->getFullName())."</a></li>";
|
||||
print "<li>".getLongReadableDate($version->getDate())."</li>";
|
||||
|
||||
print "</ul>\n";
|
||||
|
|
@ -509,7 +509,7 @@ class SeedDMS_View_DocumentVersionDetail extends SeedDMS_Bootstrap_Style {
|
|||
print "<li>".SeedDMS_Core_File::format_filesize(filesize($dms->contentDir . $file->getPath())) ." bytes, ".htmlspecialchars($file->getMimeType())."</li>";
|
||||
else print "<li>".htmlspecialchars($file->getMimeType())." - <span class=\"warning\">".getMLText("document_deleted")."</span></li>";
|
||||
|
||||
print "<li>".getMLText("uploaded_by")." <a href=\"mailto:".$responsibleUser->getEmail()."\">".htmlspecialchars($responsibleUser->getFullName())."</a></li>";
|
||||
print "<li>".getMLText("uploaded_by")." <a href=\"mailto:".htmlspecialchars($responsibleUser->getEmail())."\">".htmlspecialchars($responsibleUser->getFullName())."</a></li>";
|
||||
print "<li>".getLongReadableDate($file->getDate())."</li>";
|
||||
if($file->getVersion())
|
||||
print "<li>".getMLText('linked_to_this_version')."</li>";
|
||||
|
|
|
|||
|
|
@ -212,7 +212,7 @@ class SeedDMS_View_ExtensionMgr extends SeedDMS_Bootstrap_Style {
|
|||
echo "<td nowrap>".$extconf['version'];
|
||||
echo "<br /><small>".$extconf['releasedate']."</small>";
|
||||
echo "</td>";
|
||||
echo "<td nowrap><a href=\"mailto:".$extconf['author']['email']."\">".$extconf['author']['name']."</a><br /><small>".$extconf['author']['company']."</small></td>";
|
||||
echo "<td nowrap><a href=\"mailto:".htmlspecialchars($extconf['author']['email'])."\">".$extconf['author']['name']."</a><br /><small>".$extconf['author']['company']."</small></td>";
|
||||
echo "<td nowrap>";
|
||||
echo "<div class=\"list-action\">";
|
||||
if(!empty($extconf['changelog']) && file_exists($extdir."/".$extname."/".$extconf['changelog'])) {
|
||||
|
|
|
|||
|
|
@ -59,7 +59,7 @@ class SeedDMS_View_UserList extends SeedDMS_Bootstrap_Style {
|
|||
echo "</td>";
|
||||
echo "<td>";
|
||||
echo htmlspecialchars($currUser->getFullName())." (".htmlspecialchars($currUser->getLogin()).")<br />";
|
||||
echo "<a href=\"mailto:".$currUser->getEmail()."\">".htmlspecialchars($currUser->getEmail())."</a><br />";
|
||||
echo "<a href=\"mailto:".htmlspecialchars($currUser->getEmail())."\">".htmlspecialchars($currUser->getEmail())."</a><br />";
|
||||
echo "<small>".htmlspecialchars($currUser->getComment())."</small>";
|
||||
echo "</td>";
|
||||
echo "<td>";
|
||||
|
|
|
|||
|
|
@ -68,7 +68,7 @@ class SeedDMS_View_UsrView extends SeedDMS_Bootstrap_Style {
|
|||
}
|
||||
echo "<td>";
|
||||
echo htmlspecialchars($currUser->getFullName())." (".htmlspecialchars($currUser->getLogin()).")<br />";
|
||||
echo "<a href=\"mailto:".$currUser->getEmail()."\">".htmlspecialchars($currUser->getEmail())."</a><br />";
|
||||
echo "<a href=\"mailto:".htmlspecialchars($currUser->getEmail())."\">".htmlspecialchars($currUser->getEmail())."</a><br />";
|
||||
echo "<small>".htmlspecialchars($currUser->getComment())."</small>";
|
||||
echo "</td>";
|
||||
echo "</tr>";
|
||||
|
|
|
|||
|
|
@ -225,7 +225,7 @@ class SeedDMS_View_ViewDocument extends SeedDMS_Bootstrap_Style {
|
|||
<td>
|
||||
<?php
|
||||
$owner = $document->getOwner();
|
||||
print "<a class=\"infos\" href=\"mailto:".$owner->getEmail()."\">".htmlspecialchars($owner->getFullName())."</a>";
|
||||
print "<a class=\"infos\" href=\"mailto:".htmlspecialchars($owner->getEmail())."\">".htmlspecialchars($owner->getFullName())."</a>";
|
||||
?>
|
||||
</td>
|
||||
</tr>
|
||||
|
|
@ -635,7 +635,7 @@ class SeedDMS_View_ViewDocument extends SeedDMS_Bootstrap_Style {
|
|||
else print "<li><span class=\"warning\">".getMLText("document_deleted")."</span></li>";
|
||||
|
||||
$updatingUser = $latestContent->getUser();
|
||||
print "<li>".getMLText("uploaded_by")." <a href=\"mailto:".$updatingUser->getEmail()."\">".htmlspecialchars($updatingUser->getFullName())."</a></li>";
|
||||
print "<li>".getMLText("uploaded_by")." <a href=\"mailto:".htmlspecialchars($updatingUser->getEmail())."\">".htmlspecialchars($updatingUser->getFullName())."</a></li>";
|
||||
print "<li>".getLongReadableDate($latestContent->getDate())."</li>";
|
||||
|
||||
print "</ul>\n";
|
||||
|
|
@ -1275,7 +1275,7 @@ class SeedDMS_View_ViewDocument extends SeedDMS_Bootstrap_Style {
|
|||
if ($file_exists) print "<li>". SeedDMS_Core_File::format_filesize($version->getFileSize()) .", ".htmlspecialchars($version->getMimeType())."</li>";
|
||||
else print "<li><span class=\"warning\">".getMLText("document_deleted")."</span></li>";
|
||||
$updatingUser = $version->getUser();
|
||||
print "<li>".getMLText("uploaded_by")." <a href=\"mailto:".$updatingUser->getEmail()."\">".htmlspecialchars($updatingUser->getFullName())."</a></li>";
|
||||
print "<li>".getMLText("uploaded_by")." <a href=\"mailto:".htmlspecialchars($updatingUser->getEmail())."\">".htmlspecialchars($updatingUser->getFullName())."</a></li>";
|
||||
print "<li>".getLongReadableDate($version->getDate())."</li>";
|
||||
print "</ul>\n";
|
||||
$txt = $this->callHook('showVersionComment', $version);
|
||||
|
|
@ -1386,7 +1386,7 @@ class SeedDMS_View_ViewDocument extends SeedDMS_Bootstrap_Style {
|
|||
print "<li>".SeedDMS_Core_File::format_filesize(filesize($dms->contentDir . $file->getPath())) ." bytes, ".htmlspecialchars($file->getMimeType())."</li>";
|
||||
else print "<li>".htmlspecialchars($file->getMimeType())." - <span class=\"warning\">".getMLText("document_deleted")."</span></li>";
|
||||
|
||||
print "<li>".getMLText("uploaded_by")." <a href=\"mailto:".$responsibleUser->getEmail()."\">".htmlspecialchars($responsibleUser->getFullName())."</a></li>";
|
||||
print "<li>".getMLText("uploaded_by")." <a href=\"mailto:".htmlspecialchars($responsibleUser->getEmail())."\">".htmlspecialchars($responsibleUser->getFullName())."</a></li>";
|
||||
print "<li>".getLongReadableDate($file->getDate())."</li>";
|
||||
if($file->getVersion())
|
||||
print "<li>".getMLText('linked_to_current_version')."</li>";
|
||||
|
|
|
|||
Loading…
Reference in New Issue
Block a user