fix potential XSS attack on search page

Uwe Steinmann 2026-01-30 08:15:26 +01:00
parent f903a32816
commit e0b9544bd5
2 changed files with 5 additions and 4 deletions


@ -5,6 +5,7 @@
- show document preview when editing attributes of a document
- fix utilities which require translations
- fix potential XSS attack when deleting a folder/document
- fix potential XSS attack on search page
- links to operations on folders/documents can be put into a dropdown menu
- check for secure password when adding a new user
- secure password check can be turned off for admins


@ -1109,7 +1109,7 @@ $(document).ready(function() {
if($values) {
$tmp = explode('_', $facetname);
if($attrdef = $dms->getAttributeDefinition($tmp[1])) {
$dispname = $attrdef->getName();
$dispname = htmlspecialchars($attrdef->getName());
switch($attrdef->getType()) {
case 556: //SeedDMS_Core_AttributeDefinition::type_int:
$this->formField(
@ -1227,7 +1227,7 @@ $(document).ready(function() {
if(substr($facetname, 0, 5) == 'attr_') {
$tmp = explode('_', $facetname);
if($attrdef = $dms->getAttributeDefinition($tmp[1])) {
$dispname = $attrdef->getName();
$dispname = htmlspecialchars($attrdef->getName());
/* Create a link to remove the filter */
$allparams = $request->query->all();
if(isset($allparams['attributes'][$facetname])) {
@ -1340,7 +1340,7 @@ $(document).ready(function() {
if(is_string($av) && ($av == '__notset__')) {
$tmp = explode('_', $an);
if($attrdef = $dms->getAttributeDefinition($tmp[1])) {
$dispname = $attrdef->getName();
$dispname = htmlspecialchars($attrdef->getName());
unset($allparams['attributes'][$an]);
$newrequest = Symfony\Component\HttpFoundation\Request::create($request->getBaseUrl(), 'GET', $allparams);
$menuitems[] = array('label'=>'<i class="fa fa-remove"></i> '.$dispname.' is not set', 'link'=>$newrequest->getRequestUri(), 'attributes'=>[['title', 'Click to remove']], '_badge'=>'x');
@ -1368,7 +1368,7 @@ $(document).ready(function() {
if(substr($facetname, 0, 5) == 'attr_') {
$tmp = explode('_', $facetname);
if($attrdef = $dms->getAttributeDefinition($tmp[1])) {
$dispname = $attrdef->getName();
$dispname = htmlspecialchars($attrdef->getName());
switch($attrdef->getType()) {
case SeedDMS_Core_AttributeDefinition::type_int:
case SeedDMS_Core_AttributeDefinition::type_float:
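Review bot: The four new `htmlspecialchars($attrdef->getName())` lines (hunks at 1109, 1227, 1340 and 1368) rely on the function's default flags, which differ by PHP version: before 8.1 the default is ENT_COMPAT, so a single quote in an attribute name is left unescaped, and no charset is named. Since `$dispname` is spliced straight into HTML markup (see the `'label'=>'<i class="fa fa-remove"></i> '.$dispname` line in the 1340 hunk), I would make the escaping explicit and version-independent: `$dispname = htmlspecialchars($attrdef->getName(), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');`. In the 1109 and 1368 hunks `$dispname` is handed to `$this->formField(...)`, whose body is outside the hunk; if that helper already escapes its label, the name would be double-encoded and one of the two escapes should go, so please confirm. As the identical line now appears four times, a small private helper such as `escapedAttrName(SeedDMS_Core_AttributeDefinition $attrdef): string` would keep the four call sites in step. The enclosing method starts and ends outside these hunks.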