run all mailto through htmlspecialchars to prevent clickjacking attacks

This commit is contained in:
Uwe Steinmann 2021-01-11 07:59:32 +01:00
parent 717cfcb615
commit 78dfd5269e
5 changed files with 10 additions and 10 deletions


@ -168,7 +168,7 @@ class SeedDMS_View_DocumentVersionDetail extends SeedDMS_Bootstrap_Style {
<td> <td>
<?php <?php
$owner = $document->getOwner(); $owner = $document->getOwner();
print "<a class=\"infos\" href=\"mailto:".$owner->getEmail()."\">".htmlspecialchars($owner->getFullName())."</a>"; print "<a class=\"infos\" href=\"mailto:".htmlspecialchars($owner->getEmail())."\">".htmlspecialchars($owner->getFullName())."</a>";
?> ?>
</td> </td>
</tr> </tr>
@ -275,7 +275,7 @@ class SeedDMS_View_DocumentVersionDetail extends SeedDMS_Bootstrap_Style {
else print "<li><span class=\"warning\">".getMLText("document_deleted")."</span></li>"; else print "<li><span class=\"warning\">".getMLText("document_deleted")."</span></li>";
$updatingUser = $version->getUser(); $updatingUser = $version->getUser();
print "<li>".getMLText("uploaded_by")." <a href=\"mailto:".$updatingUser->getEmail()."\">".htmlspecialchars($updatingUser->getFullName())."</a></li>"; print "<li>".getMLText("uploaded_by")." <a href=\"mailto:".htmlspecialchars($updatingUser->getEmail())."\">".htmlspecialchars($updatingUser->getFullName())."</a></li>";
print "<li>".getLongReadableDate($version->getDate())."</li>"; print "<li>".getLongReadableDate($version->getDate())."</li>";
print "</ul>\n"; print "</ul>\n";
@ -509,7 +509,7 @@ class SeedDMS_View_DocumentVersionDetail extends SeedDMS_Bootstrap_Style {
print "<li>".SeedDMS_Core_File::format_filesize(filesize($dms->contentDir . $file->getPath())) ." bytes, ".htmlspecialchars($file->getMimeType())."</li>"; print "<li>".SeedDMS_Core_File::format_filesize(filesize($dms->contentDir . $file->getPath())) ." bytes, ".htmlspecialchars($file->getMimeType())."</li>";
else print "<li>".htmlspecialchars($file->getMimeType())." - <span class=\"warning\">".getMLText("document_deleted")."</span></li>"; else print "<li>".htmlspecialchars($file->getMimeType())." - <span class=\"warning\">".getMLText("document_deleted")."</span></li>";
print "<li>".getMLText("uploaded_by")." <a href=\"mailto:".$responsibleUser->getEmail()."\">".htmlspecialchars($responsibleUser->getFullName())."</a></li>"; print "<li>".getMLText("uploaded_by")." <a href=\"mailto:".htmlspecialchars($responsibleUser->getEmail())."\">".htmlspecialchars($responsibleUser->getFullName())."</a></li>";
print "<li>".getLongReadableDate($file->getDate())."</li>"; print "<li>".getLongReadableDate($file->getDate())."</li>";
if($file->getVersion()) if($file->getVersion())
print "<li>".getMLText('linked_to_this_version')."</li>"; print "<li>".getMLText('linked_to_this_version')."</li>";
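Review bot: The new `htmlspecialchars($owner->getEmail())` inside the mailto href relies on PHP's default flags, which on releases before 8.1 are ENT_COMPAT and leave single quotes unescaped; that is only sufficient because every attribute here is double-quoted, and a later edit to single-quoted attributes would silently reopen the breakout. Passing the flags explicitly, `htmlspecialchars($owner->getEmail(), ENT_QUOTES)`, removes that dependency, and since the identical anchor is now built at ten call sites (the two further hunks of this file and the SeedDMS_View_UserList, SeedDMS_View_UsrView and SeedDMS_View_ViewDocument sections share the same pattern) a small shared helper in the view base class would keep future mailto links from regressing. The commit message describes this as clickjacking; what the escaping actually prevents is a crafted email address breaking out of the href attribute and injecting markup, which is worth stating accurately for anyone reading the history later. The enclosing methods start and end outside the hunks.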


@ -212,7 +212,7 @@ class SeedDMS_View_ExtensionMgr extends SeedDMS_Bootstrap_Style {
echo "<td nowrap>".$extconf['version']; echo "<td nowrap>".$extconf['version'];
echo "<br /><small>".$extconf['releasedate']."</small>"; echo "<br /><small>".$extconf['releasedate']."</small>";
echo "</td>"; echo "</td>";
echo "<td nowrap><a href=\"mailto:".$extconf['author']['email']."\">".$extconf['author']['name']."</a><br /><small>".$extconf['author']['company']."</small></td>"; echo "<td nowrap><a href=\"mailto:".htmlspecialchars($extconf['author']['email'])."\">".$extconf['author']['name']."</a><br /><small>".$extconf['author']['company']."</small></td>";
echo "<td nowrap>"; echo "<td nowrap>";
echo "<div class=\"list-action\">"; echo "<div class=\"list-action\">";
if(!empty($extconf['changelog']) && file_exists($extdir."/".$extname."/".$extconf['changelog'])) { if(!empty($extconf['changelog']) && file_exists($extdir."/".$extname."/".$extconf['changelog'])) {
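Review bot: In the changed echo only the href value is escaped; the anchor text `$extconf['author']['name']` and `$extconf['author']['company']` in the same statement, and `$extconf['version']` and `$extconf['releasedate']` two lines above, are still emitted raw. Where $extconf is read from is outside the hunk — presumably the extension's own configuration file, an admin-controlled but not HTML-safe source — so the escaping should be applied uniformly rather than to the mailto alone, e.g. `echo "<td nowrap><a href=\"mailto:".htmlspecialchars($extconf['author']['email'])."\">".htmlspecialchars($extconf['author']['name'])."</a><br /><small>".htmlspecialchars($extconf['author']['company'])."</small></td>";`. The enclosing method starts and ends outside the hunk.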


@ -59,7 +59,7 @@ class SeedDMS_View_UserList extends SeedDMS_Bootstrap_Style {
echo "</td>"; echo "</td>";
echo "<td>"; echo "<td>";
echo htmlspecialchars($currUser->getFullName())." (".htmlspecialchars($currUser->getLogin()).")<br />"; echo htmlspecialchars($currUser->getFullName())." (".htmlspecialchars($currUser->getLogin()).")<br />";
echo "<a href=\"mailto:".$currUser->getEmail()."\">".htmlspecialchars($currUser->getEmail())."</a><br />"; echo "<a href=\"mailto:".htmlspecialchars($currUser->getEmail())."\">".htmlspecialchars($currUser->getEmail())."</a><br />";
echo "<small>".htmlspecialchars($currUser->getComment())."</small>"; echo "<small>".htmlspecialchars($currUser->getComment())."</small>";
echo "</td>"; echo "</td>";
echo "<td>"; echo "<td>";


@ -68,7 +68,7 @@ class SeedDMS_View_UsrView extends SeedDMS_Bootstrap_Style {
} }
echo "<td>"; echo "<td>";
echo htmlspecialchars($currUser->getFullName())." (".htmlspecialchars($currUser->getLogin()).")<br />"; echo htmlspecialchars($currUser->getFullName())." (".htmlspecialchars($currUser->getLogin()).")<br />";
echo "<a href=\"mailto:".$currUser->getEmail()."\">".htmlspecialchars($currUser->getEmail())."</a><br />"; echo "<a href=\"mailto:".htmlspecialchars($currUser->getEmail())."\">".htmlspecialchars($currUser->getEmail())."</a><br />";
echo "<small>".htmlspecialchars($currUser->getComment())."</small>"; echo "<small>".htmlspecialchars($currUser->getComment())."</small>";
echo "</td>"; echo "</td>";
echo "</tr>"; echo "</tr>";


@ -225,7 +225,7 @@ class SeedDMS_View_ViewDocument extends SeedDMS_Bootstrap_Style {
<td> <td>
<?php <?php
$owner = $document->getOwner(); $owner = $document->getOwner();
print "<a class=\"infos\" href=\"mailto:".$owner->getEmail()."\">".htmlspecialchars($owner->getFullName())."</a>"; print "<a class=\"infos\" href=\"mailto:".htmlspecialchars($owner->getEmail())."\">".htmlspecialchars($owner->getFullName())."</a>";
?> ?>
</td> </td>
</tr> </tr>
@ -635,7 +635,7 @@ class SeedDMS_View_ViewDocument extends SeedDMS_Bootstrap_Style {
else print "<li><span class=\"warning\">".getMLText("document_deleted")."</span></li>"; else print "<li><span class=\"warning\">".getMLText("document_deleted")."</span></li>";
$updatingUser = $latestContent->getUser(); $updatingUser = $latestContent->getUser();
print "<li>".getMLText("uploaded_by")." <a href=\"mailto:".$updatingUser->getEmail()."\">".htmlspecialchars($updatingUser->getFullName())."</a></li>"; print "<li>".getMLText("uploaded_by")." <a href=\"mailto:".htmlspecialchars($updatingUser->getEmail())."\">".htmlspecialchars($updatingUser->getFullName())."</a></li>";
print "<li>".getLongReadableDate($latestContent->getDate())."</li>"; print "<li>".getLongReadableDate($latestContent->getDate())."</li>";
print "</ul>\n"; print "</ul>\n";
@ -1275,7 +1275,7 @@ class SeedDMS_View_ViewDocument extends SeedDMS_Bootstrap_Style {
if ($file_exists) print "<li>". SeedDMS_Core_File::format_filesize($version->getFileSize()) .", ".htmlspecialchars($version->getMimeType())."</li>"; if ($file_exists) print "<li>". SeedDMS_Core_File::format_filesize($version->getFileSize()) .", ".htmlspecialchars($version->getMimeType())."</li>";
else print "<li><span class=\"warning\">".getMLText("document_deleted")."</span></li>"; else print "<li><span class=\"warning\">".getMLText("document_deleted")."</span></li>";
$updatingUser = $version->getUser(); $updatingUser = $version->getUser();
print "<li>".getMLText("uploaded_by")." <a href=\"mailto:".$updatingUser->getEmail()."\">".htmlspecialchars($updatingUser->getFullName())."</a></li>"; print "<li>".getMLText("uploaded_by")." <a href=\"mailto:".htmlspecialchars($updatingUser->getEmail())."\">".htmlspecialchars($updatingUser->getFullName())."</a></li>";
print "<li>".getLongReadableDate($version->getDate())."</li>"; print "<li>".getLongReadableDate($version->getDate())."</li>";
print "</ul>\n"; print "</ul>\n";
$txt = $this->callHook('showVersionComment', $version); $txt = $this->callHook('showVersionComment', $version);
@ -1386,7 +1386,7 @@ class SeedDMS_View_ViewDocument extends SeedDMS_Bootstrap_Style {
print "<li>".SeedDMS_Core_File::format_filesize(filesize($dms->contentDir . $file->getPath())) ." bytes, ".htmlspecialchars($file->getMimeType())."</li>"; print "<li>".SeedDMS_Core_File::format_filesize(filesize($dms->contentDir . $file->getPath())) ." bytes, ".htmlspecialchars($file->getMimeType())."</li>";
else print "<li>".htmlspecialchars($file->getMimeType())." - <span class=\"warning\">".getMLText("document_deleted")."</span></li>"; else print "<li>".htmlspecialchars($file->getMimeType())." - <span class=\"warning\">".getMLText("document_deleted")."</span></li>";
print "<li>".getMLText("uploaded_by")." <a href=\"mailto:".$responsibleUser->getEmail()."\">".htmlspecialchars($responsibleUser->getFullName())."</a></li>"; print "<li>".getMLText("uploaded_by")." <a href=\"mailto:".htmlspecialchars($responsibleUser->getEmail())."\">".htmlspecialchars($responsibleUser->getFullName())."</a></li>";
print "<li>".getLongReadableDate($file->getDate())."</li>"; print "<li>".getLongReadableDate($file->getDate())."</li>";
if($file->getVersion()) if($file->getVersion())
print "<li>".getMLText('linked_to_current_version')."</li>"; print "<li>".getMLText('linked_to_current_version')."</li>";