fix xss attack

Uwe Steinmann 2025-01-29 10:25:26 +01:00
parent a0df82c2e7
commit dd13504fef
4 changed files with 7 additions and 7 deletions


@ -3277,7 +3277,7 @@ $('body').on('click', '[id^=\"table-row-folder\"] td:nth-child(2)', function(ev)
$content .= "<br />";
foreach($categories as $category) {
$color = substr(md5($category->getName()), 0, 6);
$content .= "<span class=\"badge\" style=\"background-color: #".$color."; color: #".self::getContrastColor($color).";\">".$category->getName()."</span> ";
$content .= "<span class=\"badge\" style=\"background-color: #".$color."; color: #".self::getContrastColor($color).";\">".htmlspecialchars($category->getName())."</span> ";
}
}
if(!empty($extracontent['bottom_title']))
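Review bot: `htmlspecialchars($category->getName())` relies on the PHP-version-dependent default flags; before PHP 8.1 the default is ENT_COMPAT without ENT_SUBSTITUTE, so a single quote passes through unencoded and a category name containing invalid UTF-8 makes the call return an empty string, silently dropping the badge label. Pass the flags explicitly so the output is the same on every PHP version the project runs on: `htmlspecialchars($category->getName(), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')`. The remaining unescaped pieces of the badge, `$color` and `self::getContrastColor($color)`, look safe since `$color` is a six-character md5 hex prefix, assuming getContrastColor returns a plain colour value. The identical line is added in the fourth file's hunk at `@ -3326,7 +3326,7 @@` and needs the same treatment. The enclosing function starts and ends outside the hunk.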


@ -139,7 +139,7 @@ $(document).ready( function() {
if(!$nodocumentformfields || !in_array('categories', $nodocumentformfields)) {
$options = array();
foreach($categories as $category) {
$options[] = array($category->getID(), $category->getName(), in_array($category, $document->getCategories()));
$options[] = array($category->getID(), htmlspecialchars($category->getName()), in_array($category, $document->getCategories()));
}
$this->formField(
getMLText("categories"),
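Review bot: The escaping in `$options[] = array($category->getID(), htmlspecialchars($category->getName()), in_array(...))` is applied where the option list is built rather than where it is rendered, so its correctness depends on `$this->formField()`, which is outside the hunk: if that helper already escapes option labels, a name containing `&` now renders as `&amp;`, and if it does not, every other caller that fills `$options` without this wrapper stays unescaped. Consider escaping once inside the rendering helper, or at least documenting on formField that option labels are expected pre-escaped, so the contract lives in one place. The same pattern is added in the third file at `@ -710,7 +710,7 @@` and `@ -947,7 +947,7 @@`. The enclosing method starts and ends outside the hunk.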


@ -369,9 +369,9 @@ $(document).ready(function() {
}
}
if($removecategory) {
$this->setParam('batchmsg', getMLText('batch_remove_category_msg', ['count'=>$j, 'catname'=>$changecategory->getName()]));
$this->setParam('batchmsg', getMLText('batch_remove_category_msg', ['count'=>$j, 'catname'=>htmlspecialchars($changecategory->getName())]));
} else {
$this->setParam('batchmsg', getMLText('batch_add_category_msg', ['count'=>$j, 'catname'=>$changecategory->getName()]));
$this->setParam('batchmsg', getMLText('batch_add_category_msg', ['count'=>$j, 'catname'=>htmlspecialchars($changecategory->getName())]));
}
} else {
}
@ -710,7 +710,7 @@ $(document).ready(function() {
$allcategories = $dms->getDocumentCategories();
if($allcategories) {
foreach($allcategories as $acategory) {
$options[] = array($acategory->getID(), $acategory->getName(), in_array($acategory->getId(), $tmpcatids));
$options[] = array($acategory->getID(), htmlspecialchars($acategory->getName()), in_array($acategory->getId(), $tmpcatids));
}
$this->formField(
getMLText("categories"),
@ -947,7 +947,7 @@ $(document).ready(function() {
$options = array();
$allcategories = $dms->getDocumentCategories();
foreach($allcategories as $acategory) {
$options[] = array($acategory->getID(), $acategory->getName(), in_array($acategory->getId(), $tmpcatids));
$options[] = array($acategory->getID(), htmlspecialchars($acategory->getName()), in_array($acategory->getId(), $tmpcatids));
}
$this->formField(
getMLText("category_filter"),
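Review bot: In `'catname'=>htmlspecialchars($changecategory->getName())` (hunk `@ -369,9 +369,9 @@`, both branches) the placeholder value is escaped before getMLText() substitutes it into a translated message that is then stored as the 'batchmsg' parameter, so the guarantee depends on how batchmsg is later printed: if the view escapes it on output the category name is double-encoded, and if the view prints it raw the translation text itself is still emitted unescaped. The more robust contract is for the code that echoes batchmsg to escape the assembled message once; if the view is intentionally left raw because translations may carry markup, record that here with a comment such as `// catname is escaped here because batchmsg is output without escaping by the view`. The enclosing method starts and ends outside the hunk.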


@ -3326,7 +3326,7 @@ $('body').on('click', '[id^=\"table-row-folder\"] td:nth-child(2)', function(ev)
$content .= "<br />";
foreach($categories as $category) {
$color = substr(md5($category->getName()), 0, 6);
$content .= "<span class=\"badge\" style=\"background-color: #".$color."; color: #".self::getContrastColor($color).";\">".$category->getName()."</span> ";
$content .= "<span class=\"badge\" style=\"background-color: #".$color."; color: #".self::getContrastColor($color).";\">".htmlspecialchars($category->getName())."</span> ";
}
}
if(!empty($extracontent['bottom_title']))