gnh1201/seeddms-code
1
0
Fork 0
mirror of https://git.code.sf.net/p/seeddms/code synced 2025-05-13 13:11:31 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

escape several strings to prevent xss attacks

Browse Source
This commit is contained in:
Uwe Steinmann 2024-03-25 16:20:50 +01:00
parent 2fe99c2905
commit 9b3cbb3417
1 changed files with 7 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
views/bootstrap/class.Search.php
View File

@ -979,7 +979,7 @@ $(document).ready(function() {
$option = array($v, getReadableDate($v)); $option = array($v, getReadableDate($v));
break; break;
default: default:
$option = array($v, $v); $option = array(htmlspecialchars($v), htmlspecialchars($v));
} }
if(isset($attributes[$facetname]) && is_array($attributes[$facetname]) && in_array($v, $attributes[$facetname])) if(isset($attributes[$facetname]) && is_array($attributes[$facetname]) && in_array($v, $attributes[$facetname]))
$option[] = true; $option[] = true;
@ -1092,9 +1092,9 @@ $(document).ready(function() {
if($oldvalue) { if($oldvalue) {
unset($allparams['attributes'][$facetname]); unset($allparams['attributes'][$facetname]);
$newrequest = Symfony\Component\HttpFoundation\Request::create($request->getBaseUrl(), 'GET', $allparams); $newrequest = Symfony\Component\HttpFoundation\Request::create($request->getBaseUrl(), 'GET', $allparams);
$menuitems[] = array('label'=>'<i class="fa fa-remove"></i> '.$dispname.' = '.implode(', ', $oldvalue), 'link'=>$newrequest->getRequestUri(), 'attributes'=>[['title', 'Click to remove']], '_badge'=>'x'); $menuitems[] = array('label'=>'<i class="fa fa-remove"></i> '.$dispname.' = '.htmlspecialchars(implode(', ', $oldvalue)), 'link'=>$newrequest->getRequestUri(), 'attributes'=>[['title', 'Click to remove']], '_badge'=>'x');
foreach($oldvalue as $ov) foreach($oldvalue as $ov)
echo '<input type="hidden" name="attributes['.$facetname.'][]" value="'.$ov.'" />'; echo '<input type="hidden" name="attributes['.$facetname.'][]" value="'.htmlspecialchars($ov).'" />';
} }
} }
} }
@ -1150,9 +1150,9 @@ $(document).ready(function() {
if($oldvalue) { if($oldvalue) {
unset($allparams[$facetname]); unset($allparams[$facetname]);
$newrequest = Symfony\Component\HttpFoundation\Request::create($request->getBaseUrl(), 'GET', $allparams); $newrequest = Symfony\Component\HttpFoundation\Request::create($request->getBaseUrl(), 'GET', $allparams);
$menuitems[] = array('label'=>'<i class="fa fa-remove"></i> '.getMLText($facetname).' = '.implode(', ', $oldtransval), 'link'=>$newrequest->getRequestUri(), 'attributes'=>[['title', 'Click to remove']], '_badge'=>'x'); $menuitems[] = array('label'=>'<i class="fa fa-remove"></i> '.getMLText($facetname).' = '.htmlspecialchars(implode(', ', $oldtransval)), 'link'=>$newrequest->getRequestUri(), 'attributes'=>[['title', 'Click to remove']], '_badge'=>'x');
foreach($oldvalue as $ok=>$ov) foreach($oldvalue as $ok=>$ov)
echo '<input type="hidden" name="'.$facetname.'['.$ok.']" value="'.$ov.'" />'; echo '<input type="hidden" name="'.$facetname.'['.$ok.']" value="'.htmlspecialchars($ov).'" />';
} }
} }
} }
@ -1476,7 +1476,7 @@ $(document).ready(function() {
$attrstr .= $arr; $attrstr .= $arr;
} else { } else {
$attrdef = $lcattribute->getAttributeDefinition(); $attrdef = $lcattribute->getAttributeDefinition();
$attrstr .= "<tr><td>".htmlspecialchars($attrdef->getName())."</td><td>".htmlspecialchars(implode(', ', $lcattribute->getValueAsArray()))."</td></tr>\n"; $attrstr .= "<tr><td>".htmlspecialchars($attrdef->getName())."</td><td>".htmlspecialchars($lcattribute->getValueAsString())."</td></tr>\n";
// TODO: better use printAttribute() // TODO: better use printAttribute()
// $this->printAttribute($lcattribute); // $this->printAttribute($lcattribute);
} }
@ -1529,7 +1529,7 @@ $(document).ready(function() {
$attrstr .= "<tr><th>".getMLText('name')."</th><th>".getMLText('attribute_value')."</th></tr>"; $attrstr .= "<tr><th>".getMLText('name')."</th><th>".getMLText('attribute_value')."</th></tr>";
foreach($folderattributes as $folderattribute) { foreach($folderattributes as $folderattribute) {
$attrdef = $folderattribute->getAttributeDefinition(); $attrdef = $folderattribute->getAttributeDefinition();
$attrstr .= "<tr><td>".htmlspecialchars($attrdef->getName())."</td><td>".htmlspecialchars(implode(', ', $folderattribute->getValueAsArray()))."</td></tr>\n"; $attrstr .= "<tr><td>".htmlspecialchars($attrdef->getName())."</td><td>".htmlspecialchars($folderattribute->getValueAsString())."</td></tr>\n";
} }
$attrstr .= "</table>"; $attrstr .= "</table>";
} }