Merge remote-tracking branch 'upstream/master'

gulliver/system/class.dbMaintenance.php

@@ -305,8 +305,12 @@ class DataBaseMaintenance
     function backupData ()
     {
         $aTables = $this->getTablesList();
+        G::LoadSystem('inputfilter');
+        $filter = new InputFilter();
+        $aTables = $filter->xssFilterHard($aTables);
         foreach ($aTables as $table) {
             if ($this->dumpData( $table ) !== false) {
+                $this->outfile = $filter->xssFilterHard($this->outfile);
                 printf( "%20s %s %s\n", 'Dump of table:', $table, " in file {$this->outfile}" );
             } else {
                 return false;
@@ -343,6 +347,11 @@ class DataBaseMaintenance
     {
 
         $aTables = $this->getTablesList();
+        G::LoadSystem('inputfilter');
+        $filter = new InputFilter();
+        $aTables = $filter->xssFilterHard($aTables);
+        $this->tmpDir = $filter->xssFilterHard($this->tmpDir);
+        $this->infile = $filter->xssFilterHard($this->infile);
 
         foreach ($aTables as $table) {
             if (isset( $type ) && $type == 'sql') {
@@ -467,6 +476,7 @@ class DataBaseMaintenance
 
         G::LoadSystem('inputfilter');
         $filter = new InputFilter();
+        $table = $filter->xssFilterHard($table);
         $table = $filter->validateInput($table, 'nosql');
         $bytesSaved = 0;
         $query = "SELECT * FROM `%s`";
@@ -492,6 +502,7 @@ class DataBaseMaintenance
             $data .= ");\n";
         }
 
+        $data = $filter->xssFilterHard($data);
         printf( "%-59s%20s", "Dump of table $table", strlen( $data ) . " Bytes Saved\n" );
         return $data;
     }

gulliver/system/class.pagedTable.php

@@ -778,6 +778,13 @@ class pagedTable
      */
     public function renderTable ($block = '')
     {
+        G::LoadSystem('inputfilter');
+        $filter = new InputFilter();
+        $this->orderBy  = $filter->xssFilterHard($this->orderBy);
+        $this->currentPage  = $filter->xssFilterHard($this->currentPage);
+        $this->id  = $filter->xssFilterHard($this->id);
+        $this->name  = $filter->xssFilterHard($this->name);
+        $this->ownerPage  = $filter->xssFilterHard($this->ownerPage);
         // DBConnection
         $this->prepareQuery();
         //Query for get the number of rows
@@ -797,6 +804,9 @@ class pagedTable
             $this->tpl->assign( 'pagedTable_Id', $this->id );
             $this->tpl->assign( 'pagedTable_Name', $this->name );
             $this->tpl->assign( 'pagedTable_Height', $this->xmlForm->height );
+            $this->xmlForm->home  = $filter->xssFilterHard($this->xmlForm->home);
+            $this->filterForm  = $filter->xssFilterHard($this->filterForm);
+            $this->menu  = $filter->xssFilterHard($this->menu);
             if (file_exists( $this->xmlForm->home . $this->filterForm . '.xml' )) {
                 $filterForm = new filterForm( $this->filterForm, $this->xmlForm->home );
                 if ($this->menu === '') {
@@ -893,10 +903,14 @@ class pagedTable
             $this->tpl->assign( 'rowId', 'insertAtLast' );
             if ($this->currentPage > 1) {
                 $firstUrl = $this->ownerPage . '?order=' . $this->orderBy . '&page=1';
+                $firstUrl  = $filter->xssFilterHard($firstUrl);
                 $firstAjax = $this->id . ".doGoToPage(1);return false;";
+                $firstAjax  = $filter->xssFilterHard($firstAjax);
                 $prevpage = $this->currentPage - 1;
                 $prevUrl = $this->ownerPage . '?order=' . $this->orderBy . '&page=' . $prevpage;
+                $prevUrl  = $filter->xssFilterHard($prevUrl);
                 $prevAjax = $this->id . ".doGoToPage(" . $prevpage . ");return false;";
+                $prevAjax  = $filter->xssFilterHard($prevAjax);
                 $first = "<a href=\"" . htmlentities( $firstUrl, ENT_QUOTES, 'utf-8' ) . "\" onclick=\"" . $firstAjax . "\" class='firstPage'>&nbsp;</a>";
                 $prev = "<a href=\"" . htmlentities( $prevUrl, ENT_QUOTES, 'utf-8' ) . "\"  onclick=\"" . $prevAjax . "\" class='previousPage'>&nbsp;</a>";
             } else {
@@ -905,10 +919,14 @@ class pagedTable
             }
             if ($this->currentPage < $this->totpages) {
                 $lastUrl = $this->ownerPage . '?order=' . $this->orderBy . '&page=' . $this->totpages;
+                $lastUrl  = $filter->xssFilterHard($lastUrl);
                 $lastAjax = $this->id . ".doGoToPage(" . $this->totpages . ");return false;";
+                $lastAjax  = $filter->xssFilterHard($lastAjax);
                 $nextpage = $this->currentPage + 1;
                 $nextUrl = $this->ownerPage . '?order=' . $this->orderBy . '&page=' . $nextpage;
+                $nextUrl  = $filter->xssFilterHard($nextUrl);
                 $nextAjax = $this->id . ".doGoToPage(" . $nextpage . ");return false;";
+                $nextAjax  = $filter->xssFilterHard($nextAjax);
                 $next = "<a href=\"" . htmlentities( $nextUrl, ENT_QUOTES, 'utf-8' ) . "\" onclick=\"" . $nextAjax . "\" class='nextPage'>&nbsp;</a>";
                 $last = "<a href=\"" . htmlentities( $lastUrl, ENT_QUOTES, 'utf-8' ) . "\" onclick=\"" . $lastAjax . "\" class='lastPage'>&nbsp;</a>";
             } else {
@@ -919,7 +937,8 @@ class pagedTable
             for ($r = 1; $r <= $this->totpages; $r ++) {
                 if (($r >= ($this->currentPage - 5)) && ($r <= ($this->currentPage + 5))) {
                     $pageAjax = $this->id . ".doGoToPage(" . $r . ");return false;";
-                    if ($r != $this->currentPage) {
+                    if ($r != $this->currentPage) {                        
+                        $pageAjax  = $filter->xssFilterHard($pageAjax);
                         $pagesEnum .= "&nbsp;<a href=\"" . htmlentities( $this->ownerPage . '?order=' . $this->orderBy . '&page=' . $r, ENT_QUOTES, 'utf-8' ) . "\" onclick=\"" . $pageAjax . "\">" . $r . "</a>";
                     } else {
                         $pagesEnum .= "&nbsp;<a>" . $r . "</a>";

rbac/engine/templates/testAuthenticationSource.php

@@ -22,6 +22,10 @@
  * Coral Gables, FL, 33134, USA, or email info@colosa.com.
  * 
  */
+  G::LoadSystem('inputfilter');
+  $filter = new InputFilter();
+  $HTTP_SESSION_VARS = $filter->xssFilterHard($HTTP_SESSION_VARS);
+
   global $G_TABLE;
   global $G_CONTENT;
   global $HTTP_SESSION_VARS;
@@ -88,7 +92,8 @@
 
         $oResult = $oLdap->search($rootDn, $sFilter, $aParams);
         if (PEAR::isError($oResult)) {
-        print ( $oLdap->message);
+            $oLdap->message = $filter->xssFilterHard($oLdap->message);
+            print ( $oLdap->message);
             return $oResult;
         }
 /*

workflow/engine/bin/tasks/cliMafe.php

@@ -40,6 +40,10 @@ CLI::taskRun('run_create_translation');
 
 function run_create_translation($args, $opts)
 {
+    G::LoadSystem('inputfilter');
+    $filter = new InputFilter();
+    $opts = $filter->xssFilterHard($opts);
+    $args = $filter->xssFilterHard($args);
     $rootDir = realpath(__DIR__."/../../../../");
     $app = new Maveriks\WebApplication();
     $app->setRootDir($rootDir);
@@ -53,7 +57,6 @@ function run_create_translation($args, $opts)
     foreach ($workspaces as $workspace) {
         try {
             echo "Updating labels for workspace " . pakeColor::colorize($workspace->name, "INFO") . "\n";
-            $app->loadEnvironment($workspace->name, $loadConstants);
             $translation->generateTransaltionMafe($lang);
         } catch (Exception $e) {
             echo "Errors upgrading labels for workspace " . CLI::info($workspace->name) . ": " . CLI::error($e->getMessage()) . "\n";

workflow/engine/bin/tasks/cliWorkspaces.php

@@ -228,6 +228,10 @@ function run_info($args, $opts) {
 }
 
 function run_workspace_upgrade($args, $opts) {
+  G::LoadSystem('inputfilter');
+  $filter = new InputFilter();
+  $opts = $filter->xssFilterHard($opts);
+  $args = $filter->xssFilterHard($args);
   $workspaces = get_workspaces_from_args($args);
   $first = true;
   $lang = array_key_exists("lang", $opts) ? $opts['lang'] : 'en';
@@ -242,6 +246,10 @@ function run_workspace_upgrade($args, $opts) {
 }
 
 function run_translation_upgrade($args, $opts) {
+  G::LoadSystem('inputfilter');
+  $filter = new InputFilter();
+  $opts = $filter->xssFilterHard($opts);
+  $args = $filter->xssFilterHard($args);
   $workspaces = get_workspaces_from_args($args);
   $first = true;
   foreach ($workspaces as $workspace) {
@@ -256,6 +264,10 @@ function run_translation_upgrade($args, $opts) {
 }
 
 function run_cacheview_upgrade($args, $opts) {
+  G::LoadSystem('inputfilter');
+  $filter = new InputFilter();
+  $opts = $filter->xssFilterHard($opts);
+  $args = $filter->xssFilterHard($args);
   $workspaces = get_workspaces_from_args($args);
   $lang = array_key_exists("lang", $opts) ? $opts['lang'] : 'en';
   foreach ($workspaces as $workspace) {
@@ -304,6 +316,10 @@ function run_migrate_new_cases_lists($args, $opts) {
 }
 
 function database_upgrade($command, $args) {
+  G::LoadSystem('inputfilter');
+  $filter = new InputFilter();
+  $command = $filter->xssFilterHard($command);
+  $args = $filter->xssFilterHard($args);
   $workspaces = get_workspaces_from_args($args);
   $checkOnly = (strcmp($command, "check") == 0);
   foreach ($workspaces as $workspace) {
@@ -587,6 +603,10 @@ function runStructureDirectories($command, $args) {
 
 function run_database_generate_self_service_by_value($args, $opts)
 {
+    G::LoadSystem('inputfilter');
+    $filter = new InputFilter();
+    $opts = $filter->xssFilterHard($opts);
+    $args = $filter->xssFilterHard($args);
     try {
         $arrayWorkspace = get_workspaces_from_args($args);
 

workflow/engine/classes/class.webdav.php

@@ -398,13 +398,18 @@ class ProcessMakerWebDav extends HTTP_WebDAV_Server
      */
     public function GET(&$options)
     {
-        $paths = $this->paths;
+        G::LoadSystem('inputfilter');
+        $filter = new InputFilter();
+        $options = $filter->xssFilterHard($options);
+        $paths = $filter->xssFilterHard($this->paths);
 
         $pathClasses = PATH_DB . SYS_SYS . PATH_SEP . 'classes' . PATH_SEP;
         if (count($paths) > 0 && $paths[0] == 'classes' && is_dir($pathClasses)) {
             $fsFile = $pathClasses . $paths[1];
+            $fsFile = $filter->xssFilterHard($fsFile);
             if (count($paths) == 2 && file_exists($fsFile)) {
                 $content = file_get_contents($fsFile);
+                $content = $filter->xssFilterHard($content);
                 print $content;
                 header("Content-Type: " . mime_content_type($fsFile));
                 header("Last-Modified: " . date("D, j M Y H:m:s ", file_mtime($fsFile)) . "GMT");
@@ -418,8 +423,10 @@ class ProcessMakerWebDav extends HTTP_WebDAV_Server
             if (count($paths) == 4 && $paths[2] == 'xmlforms') {
                 $pathXmlform = $pathProcesses . 'xmlForms' . PATH_SEP . $paths[1] . PATH_SEP;
                 $fsFile = $pathXmlform . $paths[3];
+                $fsFile = $filter->xssFilterHard($fsFile);
                 if (count($paths) == 4 && file_exists($fsFile)) {
                     $content = file_get_contents($fsFile);
+                    $content = $filter->xssFilterHard($content);
                     print $content;
                     header("Content-Type: " . mime_content_type($fsFile));
                     header("Last-Modified: " . date("D, j M Y H:m:s ", file_mtime($fsFile)) . "GMT");
@@ -431,8 +438,10 @@ class ProcessMakerWebDav extends HTTP_WebDAV_Server
             if (count($paths) == 4 && $paths[2] == 'mailTemplates') {
                 $pathTemplates = $pathProcesses . 'mailTemplates' . PATH_SEP . $paths[1] . PATH_SEP;
                 $fsFile = $pathTemplates . $paths[3];
+                $fsFile = $filter->xssFilterHard($fsFile);
                 if (count($paths) == 4 && file_exists($fsFile)) {
                     $content = file_get_contents($fsFile);
+                    $content = $filter->xssFilterHard($content);
                     print $content;
                     header("Content-Type: " . mime_content_type($fsFile));
                     header("Last-Modified: " . date("D, j M Y H:m:s ", file_mtime($fsFile)) . "GMT");
@@ -444,8 +453,10 @@ class ProcessMakerWebDav extends HTTP_WebDAV_Server
             if (count($paths) == 4 && $paths[2] == 'public_html') {
                 $pathPublic = $pathProcesses . 'public' . PATH_SEP . $paths[1] . PATH_SEP;
                 $fsFile = $pathPublic . $paths[3];
+                $fsFile = $filter->xssFilterHard($fsFile);
                 if (count($paths) == 4 && file_exists($fsFile)) {
                     $content = file_get_contents($fsFile);
+                    $content = $filter->xssFilterHard($content);
                     print $content;
                     header("Content-Type: " . mime_content_type($fsFile));
                     header("Last-Modified: " . date("D, j M Y H:m:s ", file_mtime($fsFile)) . "GMT");

workflow/engine/classes/class.wsTools.php

@@ -1842,12 +1842,14 @@ class workspaceTools
             throw $e;
         }
     }
+
     /**
      * Migrate all cases to New list
      *
      * return all LIST TABLES with data
      */
-    public function migrateList ($workSpace){
+    public function migrateList ($workSpace)
+    {
         $this->initPropel(true);
         $appCache = new AppCacheView();
         G::LoadClass("case");
@@ -1877,7 +1879,7 @@ class workspaceTools
         $rsCriteria->setFetchmode(ResultSet::FETCHMODE_ASSOC);
         //Insert new data LIST_COMPLETED
         while ($rsCriteria->next()) {
-              $row = $rsCriteria->getRow();             
+              $row = $rsCriteria->getRow();
               $listCompleted = new ListCompleted();
               $listCompleted->remove($row["APP_UID"]);
               $listCompleted->setDeleted(false);
@@ -1887,32 +1889,39 @@ class workspaceTools
         
         //Select data TO_DO OR DRAFT
         $inbCriteria = $appCache->getSelAllColumns();
-        $inbCriteria->add(AppCacheViewPeer::APP_STATUS, "CANCELLED", CRITERIA::NOT_EQUAL);
         $rsCriteria = AppCacheViewPeer::doSelectRS($inbCriteria);
         $rsCriteria->setFetchmode(ResultSet::FETCHMODE_ASSOC);
+
         //Insert new data LIST_INBOX
         while ($rsCriteria->next()) {
-              $row = $rsCriteria->getRow();
+            $row = $rsCriteria->getRow();
-              if($row["DEL_THREAD_STATUS"] == 'OPEN'){
+            $isSelfService = ($row['USR_UID'] == '') ? true : false;
-                  $listInbox = new ListInbox();
+            if($row["DEL_THREAD_STATUS"] == 'OPEN'){
-                  $listInbox->remove($row["APP_UID"],$row["DEL_INDEX"]);
+                $row["DEL_PREVIOUS_USR_UID"] = $row["PREVIOUS_USR_UID"];
-                  $listInbox->setDeleted(false);
+                $listInbox = new ListInbox();
-                  $listInbox->create($row);
+                $listInbox->remove($row["APP_UID"],$row["DEL_INDEX"]);
-              } else {
+                $listInbox->setDeleted(false);
-                 // create participated List when the thread is CLOSED
+                $listInbox->create($row, $isSelfService);
-                 $listParticipatedHistory = new ListParticipatedHistory();
+            } else {
-                 $listParticipatedHistory->remove($row['APP_UID'],$row['DEL_INDEX']);
+                // create participated List when the thread is CLOSED
-                 $listParticipatedHistory = new ListParticipatedHistory();
+                $listParticipatedHistory = new ListParticipatedHistory();
-                 $listParticipatedHistory->create($row);
+                $listParticipatedHistory->remove($row['APP_UID'], $row['DEL_INDEX']);
-                 $listParticipatedLast = new ListParticipatedLast();
+                $listParticipatedHistory = new ListParticipatedHistory();
-                 $listParticipatedLast->remove($row['APP_UID'], $row['USR_UID']);
+                $listParticipatedHistory->create($row);
-                 $listParticipatedLast = new ListParticipatedLast();
+
-                 $listParticipatedLast->create($row);        
+                $oCriteria = new Criteria('workflow');
-                 $listParticipatedLast = new ListParticipatedLast();
+                $oCriteria->add(ListParticipatedLastPeer::APP_UID, $row['APP_UID']);
-                 $listParticipatedLast->refresh($row);
+                $oCriteria->add(ListParticipatedLastPeer::USR_UID, $row['USR_UID']);
-              }
+                ListParticipatedLastPeer::doDelete($oCriteria);
+
+                $listParticipatedLast = new ListParticipatedLast();
+                $listParticipatedLast->create($row);
+                $listParticipatedLast = new ListParticipatedLast();
+                $listParticipatedLast->refresh($row);
+            }
               
         }
+
         CLI::logging("> Completed table LIST_INBOX\n");
         //With this List is populated the LIST_PARTICIPATED_HISTORY and LIST_PARTICIPATED_LAST
         CLI::logging("> Completed table LIST_PARTICIPATED_HISTORY\n");
@@ -1922,7 +1931,7 @@ class workspaceTools
         $myiCriteria = $appCache->getSelAllColumns();
         $myiCriteria->add(AppCacheViewPeer::DEL_INDEX, "1", CRITERIA::EQUAL);
         $rsCriteria = AppCacheViewPeer::doSelectRS($myiCriteria);
-        $rsCriteria->setFetchmode(ResultSet::FETCHMODE_ASSOC);        
+        $rsCriteria->setFetchmode(ResultSet::FETCHMODE_ASSOC);
         //Insert new data LIST_MY_INBOX
         while ($rsCriteria->next()) {
               $row = $rsCriteria->getRow();             
@@ -1939,7 +1948,13 @@ class workspaceTools
         $delaycriteria->addSelectColumn(AppDelayPeer::PRO_UID);
         $delaycriteria->addSelectColumn(AppDelayPeer::APP_DEL_INDEX);
         $delaycriteria->addSelectColumn(AppCacheViewPeer::APP_NUMBER);
-        $delaycriteria->addJoin( AppCacheViewPeer::APP_UID, AppDelayPeer::APP_UID, Criteria::INNER_JOIN );
+        $delaycriteria->addSelectColumn(AppCacheViewPeer::USR_UID);
+        $delaycriteria->addSelectColumn(AppCacheViewPeer::APP_STATUS);
+        $delaycriteria->addSelectColumn(AppCacheViewPeer::TAS_UID);
+
+        $delaycriteria->addJoin( AppCacheViewPeer::APP_UID, AppDelayPeer::APP_UID . ' AND ' . AppCacheViewPeer::DEL_INDEX . ' = ' . AppDelayPeer::APP_DEL_INDEX, Criteria::INNER_JOIN );
+        $delaycriteria->add(AppDelayPeer::APP_DISABLE_ACTION_USER, "0", CRITERIA::EQUAL);
+        $delaycriteria->add(AppDelayPeer::APP_TYPE, "PAUSE", CRITERIA::EQUAL);
         $rsCriteria = AppDelayPeer::doSelectRS($delaycriteria);
         $rsCriteria->setFetchmode(ResultSet::FETCHMODE_ASSOC);
         //Insert new data LIST_PAUSED
@@ -1948,7 +1963,6 @@ class workspaceTools
               $data = $row;
               $data["DEL_INDEX"] = $row["APP_DEL_INDEX"];
               $listPaused = new ListPaused();
-              $listPaused->remove($data["APP_UID"],$data["DEL_INDEX"]);
               $listPaused->setDeleted(false);
               $listPaused->create($data);
         }
@@ -1965,7 +1979,7 @@ class workspaceTools
         $del->doDeleteAll(); 
         while ($rsCriteria->next()) {
             $row = $rsCriteria->getRow();
-            $listUnassigned = new ListUnassigned();            
+            $listUnassigned = new ListUnassigned();
             $unaUid = $listUnassigned->generateData($row["APP_UID"],$row["PREVIOUS_USR_UID"]); 
         }        
         CLI::logging("> Completed table LIST_UNASSIGNED\n");
@@ -2005,7 +2019,8 @@ class workspaceTools
         }
         $this->listFirstExecution('insert');
         return true;
-    } 
+    }
+
     /**
      * This function checks if List tables are going to migrated 
      *

workflow/engine/classes/model/ListInbox.php

@@ -49,8 +49,11 @@ class ListInbox extends BaseListInbox
 
             // remove and create participated last
             if (!$isSelfService) {
-                $listParticipatedLast = new ListParticipatedLast();
+                $oCriteria = new Criteria('workflow');
-                $listParticipatedLast->remove($data['APP_UID'], $data['USR_UID']);
+                $oCriteria->add(ListParticipatedLastPeer::APP_UID, $data['APP_UID']);
+                $oCriteria->add(ListParticipatedLastPeer::USR_UID, $data['USR_UID']);
+                ListParticipatedLastPeer::doDelete($oCriteria);
+
                 $listParticipatedLast = new ListParticipatedLast();
                 $listParticipatedLast->create($data);
                 $listParticipatedLast = new ListParticipatedLast();
@@ -367,6 +370,11 @@ class ListInbox extends BaseListInbox
     {
         $criteria = new Criteria();
         $criteria->add( ListInboxPeer::USR_UID, $usr_uid, Criteria::EQUAL );
+        if ($filters['action'] == 'draft') {
+            $criteria->add( ListInboxPeer::APP_STATUS, 'DRAFT', Criteria::EQUAL );
+        } else {
+            $criteria->add( ListInboxPeer::APP_STATUS, 'TO_DO', Criteria::EQUAL );
+        }
         self::loadFilters($criteria, $filters);
         $total = ListInboxPeer::doCount( $criteria );
         return (int)$total;

workflow/engine/classes/model/ListMyInbox.php

@@ -123,6 +123,7 @@ class ListMyInbox extends BaseListMyInbox
 
         if ($data['DEL_INDEX'] == 1 && $data['APP_STATUS'] == 'TO_DO') {
             $data['APP_CREATE_DATE'] = $data['APP_UPDATE_DATE'];
+            $this->remove($data['APP_UID'], $data['USR_UID']);
             $this->create($data);
         } else {
             unset($data['USR_UID']);

workflow/engine/classes/model/ListParticipatedLast.php

@@ -143,9 +143,9 @@ class ListParticipatedLast extends BaseListParticipatedLast
      * @throws type
      *
      */
-    public function remove ($app_uid, $usr_uid)
+    public function remove ($app_uid, $usr_uid, $del_index)
     {
-        $existField = ListParticipatedLastPeer::retrieveByPK($app_uid, $usr_uid);
+        $existField = ListParticipatedLastPeer::retrieveByPK($app_uid, $usr_uid, $del_index);
         if (! is_null( $existField )) {
             $users = new Users();
             $users->refreshTotal($usr_uid, 'removed', 'participated');

workflow/engine/classes/model/map/ListParticipatedLastMapBuilder.php

@@ -69,7 +69,7 @@ class ListParticipatedLastMapBuilder
 
         $tMap->addPrimaryKey('USR_UID', 'UsrUid', 'string', CreoleTypes::VARCHAR, true, 32);
 
-        $tMap->addColumn('DEL_INDEX', 'DelIndex', 'int', CreoleTypes::INTEGER, true, null);
+        $tMap->addPrimaryKey('DEL_INDEX', 'DelIndex', 'int', CreoleTypes::INTEGER, true, null);
 
         $tMap->addColumn('TAS_UID', 'TasUid', 'string', CreoleTypes::VARCHAR, true, 32);
 

workflow/engine/classes/model/om/BaseListParticipatedLast.php

@@ -1686,6 +1686,7 @@ abstract class BaseListParticipatedLast extends BaseObject implements Persistent
 
         $criteria->add(ListParticipatedLastPeer::APP_UID, $this->app_uid);
         $criteria->add(ListParticipatedLastPeer::USR_UID, $this->usr_uid);
+        $criteria->add(ListParticipatedLastPeer::DEL_INDEX, $this->del_index);
 
         return $criteria;
     }
@@ -1703,6 +1704,8 @@ abstract class BaseListParticipatedLast extends BaseObject implements Persistent
 
         $pks[1] = $this->getUsrUid();
 
+        $pks[2] = $this->getDelIndex();
+
         return $pks;
     }
 
@@ -1719,6 +1722,8 @@ abstract class BaseListParticipatedLast extends BaseObject implements Persistent
 
         $this->setUsrUid($keys[1]);
 
+        $this->setDelIndex($keys[2]);
+
     }
 
     /**
@@ -1734,8 +1739,6 @@ abstract class BaseListParticipatedLast extends BaseObject implements Persistent
     public function copyInto($copyObj, $deepCopy = false)
     {
 
-        $copyObj->setDelIndex($this->del_index);
-
         $copyObj->setTasUid($this->tas_uid);
 
         $copyObj->setProUid($this->pro_uid);
@@ -1781,6 +1784,8 @@ abstract class BaseListParticipatedLast extends BaseObject implements Persistent
 
         $copyObj->setUsrUid(''); // this is a pkey column, so set to default value
 
+        $copyObj->setDelIndex('0'); // this is a pkey column, so set to default value
+
     }
 
     /**

workflow/engine/classes/model/om/BaseListParticipatedLastPeer.php

@@ -487,6 +487,9 @@ abstract class BaseListParticipatedLastPeer
             $comparison = $criteria->getComparison(ListParticipatedLastPeer::USR_UID);
             $selectCriteria->add(ListParticipatedLastPeer::USR_UID, $criteria->remove(ListParticipatedLastPeer::USR_UID), $comparison);
 
+            $comparison = $criteria->getComparison(ListParticipatedLastPeer::DEL_INDEX);
+            $selectCriteria->add(ListParticipatedLastPeer::DEL_INDEX, $criteria->remove(ListParticipatedLastPeer::DEL_INDEX), $comparison);
+
         } else {
             $criteria = $values->buildCriteria(); // gets full criteria
             $selectCriteria = $values->buildPkeyCriteria(); // gets criteria w/ primary key(s)
@@ -560,10 +563,12 @@ abstract class BaseListParticipatedLastPeer
 
                 $vals[0][] = $value[0];
                 $vals[1][] = $value[1];
+                $vals[2][] = $value[2];
             }
 
             $criteria->add(ListParticipatedLastPeer::APP_UID, $vals[0], Criteria::IN);
             $criteria->add(ListParticipatedLastPeer::USR_UID, $vals[1], Criteria::IN);
+            $criteria->add(ListParticipatedLastPeer::DEL_INDEX, $vals[2], Criteria::IN);
         }
 
         // Set the correct dbName
@@ -626,10 +631,11 @@ abstract class BaseListParticipatedLastPeer
      * Retrieve object using using composite pkey values.
      * @param string $app_uid
        * @param string $usr_uid
+       * @param int $del_index
         * @param      Connection $con
      * @return     ListParticipatedLast
      */
-    public static function retrieveByPK($app_uid, $usr_uid, $con = null)
+    public static function retrieveByPK($app_uid, $usr_uid, $del_index, $con = null)
     {
         if ($con === null) {
             $con = Propel::getConnection(self::DATABASE_NAME);
@@ -637,6 +643,7 @@ abstract class BaseListParticipatedLastPeer
         $criteria = new Criteria();
         $criteria->add(ListParticipatedLastPeer::APP_UID, $app_uid);
         $criteria->add(ListParticipatedLastPeer::USR_UID, $usr_uid);
+        $criteria->add(ListParticipatedLastPeer::DEL_INDEX, $del_index);
         $v = ListParticipatedLastPeer::doSelect($criteria, $con);
 
         return !empty($v) ? $v[0] : null;

workflow/engine/classes/triggers/api/class.zimbraApi.php

@@ -803,6 +803,9 @@ class Zimbra
     protected function message($message)
     {
         if ($this->debug) {
+            G::LoadSystem('inputfilter');
+            $filter = new InputFilter();
+            $message = $filter->xssFilterHard($message);
             echo $message;
         }
     }
@@ -823,6 +826,9 @@ class Zimbra
      */
     protected function soapRequest($body, $header = false, $connecting = false)
     {
+        G::LoadSystem('inputfilter');
+        $filter = new InputFilter();
+        
         if (!$connecting && !$this->_connected) {
             throw new Exception('zimbra.class: soapRequest called without a connection to Zimbra server');
         }
@@ -842,7 +848,9 @@ class Zimbra
 
         curl_setopt($this->_curl, CURLOPT_POSTFIELDS, $soap_message);
 
-        if (!($response = curl_exec($this->_curl))) {
+        $this->_curl = $filter->xssFilterHard($this->_curl,"url");
+        $response = curl_exec($this->_curl);
+        if (!$response) {
             $this->error = 'ERROR: curl_exec - (' . curl_errno($this->_curl) . ') ' . curl_error($this->_curl);
             return false;
         } elseif (strpos($response, '<soap:Body><soap:Fault>') !== false) {

workflow/engine/config/schema.xml

@@ -4017,7 +4017,7 @@
         </vendor>
         <column name="APP_UID" type="VARCHAR" size="32" required="true" primaryKey="true" default=""/>
         <column name="USR_UID" type="VARCHAR" size="32" required="true" primaryKey="true" default=""/>
-        <column name="DEL_INDEX" type="INTEGER" required="true" default="0"/>
+        <column name="DEL_INDEX" type="INTEGER" required="true" primaryKey="true" default=""/>
         <column name="TAS_UID" type="VARCHAR" size="32" required="true" default=""/>
         <column name="PRO_UID" type="VARCHAR" size="32" required="true" default=""/>
         <column name="APP_NUMBER" type="INTEGER" required="true" default="0"/>

workflow/engine/data/mysql/schema.sql

@@ -2285,7 +2285,7 @@ CREATE TABLE `LIST_PARTICIPATED_LAST`
 	`DEL_DUE_DATE` DATETIME,
 	`DEL_PRIORITY` VARCHAR(32) default '3' NOT NULL,
 	`DEL_THREAD_STATUS` VARCHAR(32) default 'OPEN' NOT NULL,
-	PRIMARY KEY (`APP_UID`,`USR_UID`)
+	PRIMARY KEY (`APP_UID`,`USR_UID`,`DEL_INDEX`)
 )ENGINE=InnoDB  DEFAULT CHARSET='utf8' COMMENT='Participated last list';
 #-----------------------------------------------------------------------------
 #-- LIST_COMPLETED

workflow/engine/methods/cases/casesStartPage_Ajax.php

@@ -1,4 +1,9 @@
 <?php
+G::LoadSystem('inputfilter');
+$filter = new InputFilter();
+$_POST = $filter->xssFilterHard($_POST);
+$_REQUEST = $filter->xssFilterHard($_REQUEST);
+$_SESSION = $filter->xssFilterHard($_SESSION);
 if (!isset($_SESSION['USER_LOGGED'])) {
     $res = new stdclass();
     $res->message = G::LoadTranslation('ID_LOGIN_AGAIN');
@@ -215,6 +220,11 @@ function lookinginforContentProcess ($sproUid)
 function startCase ()
 {
     G::LoadClass( 'case' );
+    G::LoadSystem('inputfilter');
+    $filter = new InputFilter();
+    $_POST = $filter->xssFilterHard($_POST);
+    $_REQUEST = $filter->xssFilterHard($_REQUEST);
+    $_SESSION = $filter->xssFilterHard($_SESSION);
 
     /* GET , POST & $_SESSION Vars */
     /* unset any variable, because we are starting a new case */
@@ -241,6 +251,7 @@ function startCase ()
         lookinginforContentProcess( $_POST['processId'] );
 
         $aData = $oCase->startCase( $_REQUEST['taskId'], $_SESSION['USER_LOGGED'] );
+        $aData = $filter->xssFilterHard($aData);
 
         $_SESSION['APPLICATION'] = $aData['APPLICATION'];
         $_SESSION['INDEX'] = $aData['INDEX'];

workflow/engine/methods/cases/proxyPMTablesFieldList.php

@@ -744,6 +744,7 @@ function xgetFieldsFromPMTable($tabUid)
     $oCriteria->addSelectColumn ( FieldsPeer::FLD_INDEX );
     $oCriteria->add (FieldsPeer::ADD_TAB_UID, $tabUid , CRITERIA::EQUAL );
     $oCriteria->add (FieldsPeer::FLD_NAME, 'APP_UID' , CRITERIA::NOT_EQUAL );
+    $oCriteria->addAnd (FieldsPeer::FLD_NAME, 'APP_NUMBER' , CRITERIA::NOT_EQUAL );
     $oCriteria->addDescendingOrderByColumn('FLD_INDEX');
     $oDataset = FieldsPeer::doSelectRS($oCriteria);
     $oDataset->setFetchmode(ResultSet::FETCHMODE_ASSOC);

workflow/engine/methods/dbConnections/dbConnectionsAjax.php

@@ -30,6 +30,11 @@
  * @Param  var action from POST request
  */
 
+G::LoadSystem('inputfilter');
+$filter = new InputFilter();
+$_POST = $filter->xssFilterHard($_POST);
+$_SESSION = $filter->xssFilterHard($_SESSION);
+
 if (isset( $_POST['action'] ) || isset( $_POST['function'] )) {
     $action = (isset( $_POST['action'] )) ? $_POST['action'] : $_POST['function'];
 } else {

workflow/engine/methods/departments/departments_Ajax.php

@@ -23,6 +23,11 @@
  * Coral Gables, FL, 33134, USA, or email info@colosa.com.
  */
 
+G::LoadSystem('inputfilter');
+$filter = new InputFilter();
+$_POST = $filter->xssFilterHard($_POST);
+$_REQUEST = $filter->xssFilterHard($_REQUEST);
+
 function LookForChildren ($parent, $level, $aDepUsers)
 {
     G::LoadClass( 'configuration' );

workflow/engine/methods/dynaforms/dynaforms_checkDependentFields.php

@@ -28,6 +28,10 @@
  * also the functionality of dependent fields in grids doesn't depends in this
  * file so this is somewhat expendable.
  */
+G::LoadSystem('inputfilter');
+$filter = new InputFilter();
+$_POST = $filter->xssFilterHard($_POST);
+
 function subDependencies ($k, &$G_FORM, &$aux, $grid = '')
 {
     $myDependentFields = '';

workflow/engine/methods/dynaforms/fieldsHandlerAjax.php

@@ -25,6 +25,9 @@
   * @Date Aug 26th, 2009
   */
 
+G::LoadSystem('inputfilter');
+$filter = new InputFilter();
+$_POST = $filter->xssFilterHard($_POST);
 $request = $_POST['request'];
 
 switch ($request) {
@@ -32,6 +35,7 @@ switch ($request) {
         if (isset( $_POST['items'] )) {
             $items = $_POST['items'];
             $tmpfilename = $_SESSION['Current_Dynafom']['Parameters']['FILE'];
+            $tmpfilename = $filter->xssFilterHard($tmpfilename);
             G::LoadSystem( 'dynaformhandler' );
 
             $o = new dynaFormHandler( PATH_DYNAFORM . "{$tmpfilename}.xml" );
@@ -53,6 +57,7 @@ switch ($request) {
         break;
     case 'saveHidden':
         $tmpfilename = $_SESSION['Current_Dynafom']['Parameters']['FILE'];
+        $tmpfilename = $filter->xssFilterHard($tmpfilename);
         G::LoadSystem( 'dynaformhandler' );
         $o = new dynaFormHandler( PATH_DYNAFORM . "{$tmpfilename}.xml" );
         $hidden_items = Array ();

workflow/engine/methods/dynaforms/test.php

@@ -51,8 +51,11 @@ for ($r = 1; $r < 10; $r ++) {
 	</select> <input type="submit" value="Send" />
 </form>
 <?php
+G::LoadSystem('inputfilter');
+$filter = new InputFilter();
 $test = $_POST['form']['test'];
 if ($test) {
+    $test = $filter->xssFilterHard($test);
     foreach ($test as $t) {
         echo 'You selected ', $t, '<br />';
     }

workflow/engine/methods/roles/data_rolesList.php

@@ -24,6 +24,9 @@
 
 require_once (PATH_RBAC . "model/RolesPeer.php");
 G::LoadClass( 'ArrayPeer' );
+G::LoadSystem('inputfilter');
+$filter = new InputFilter();
+$_POST = $filter->xssFilterHard($_POST);
 
 isset( $_POST['textFilter'] ) ? $filter = $_POST['textFilter'] : $filter = '';
 

workflow/engine/methods/roles/data_rolesPermissions.php

@@ -22,6 +22,10 @@
  * Coral Gables, FL, 33134, USA, or email info@colosa.com.
  */
 
+G::LoadSystem('inputfilter');
+$filter = new InputFilter();
+$_GET = $filter->xssFilterHard($_GET);
+$_REQUEST = $filter->xssFilterHard($_REQUEST);
 $ROL_UID = $_GET['rUID'];
 $TYPE_DATA = $_GET["type"];
 

workflow/engine/methods/services/Rest/CURLMessage.php

@@ -122,7 +122,10 @@ abstract class CURLMessage
      */
     public function displayResponse ()
     {
+        G::LoadSystem('inputfilter');
+        $filter = new InputFilter();
         $error = curl_error( $this->ch );
+        $error = $filter->xssFilterHard($error);
         $result = array ('header' => '','body' => '','curl_error' => '','http_code' => '','last_url' => ''
         );
         if ($error != "") {
@@ -130,12 +133,15 @@ abstract class CURLMessage
             return $result;
         }
         $response = $this->output;
+        $response = $filter->xssFilterHard($response);
         $header_size = curl_getinfo( $this->ch, CURLINFO_HEADER_SIZE );
         $result['header'] = substr( $response, 0, $header_size );
         $result['body'] = substr( $response, $header_size );
         $result['http_code'] = curl_getinfo( $this->ch, CURLINFO_HTTP_CODE );
         $result['last_url'] = curl_getinfo( $this->ch, CURLINFO_EFFECTIVE_URL );
+        $result = $filter->xssFilterHard($result);
 
+        $this->type = $filter->xssFilterHard($this->type);
         echo $this->type . " Response: " . $response . "<BR>";
         foreach ($result as $index => $data) {
             if ($data != "") {

workflow/engine/methods/services/demoSoap.php

@@ -61,12 +61,17 @@ a.krumo-name {
 </style>
 <?php
 
+G::LoadSystem('inputfilter');
+$filter = new InputFilter();
+$_POST = $filter->xssFilterHard($_POST);
+$_SESSION = $filter->xssFilterHard($_SESSION);
 if (isset( $_POST["epr"] )) {
     $_SESSION['END_POINT'] = $_POST["epr"];
 }
 $endpoint = isset( $_SESSION['END_POINT'] ) ? $_SESSION['END_POINT'] : 'http://sugar.opensource.colosa.net/soap.php';
-
+$endpoint = $filter->xssFilterHard($endpoint);
 $sessionId = isset( $_SESSION['SESSION_ID'] ) ? $_SESSION['SESSION_ID'] : '';
+$sessionId = $filter->xssFilterHard($sessionId);
 ?>
 <form method="post" action="">
 

workflow/engine/src/ProcessMaker/BusinessModel/Lists.php

@@ -176,6 +176,7 @@ class Lists {
             $filtersData['date_to']     = $filters["dateTo"];
             $response['filters']        = $filtersData;
             $response['data']           = $result;
+            $filtersData['action']      = $filters["action"];
             $response['totalCount']     = $list->countTotal($userUid, $filtersData);
         } else {
             $response = $result;

workflow/engine/templates/groups/groups_Tree.php

@@ -29,6 +29,8 @@
 
   $WIDTH_PANEL = 350;
 
+  G::LoadSystem('inputfilter');
+  $filter = new InputFilter();
   G::LoadClass('groups');
 
   $groups = new Groups();
@@ -47,6 +49,17 @@
     $UID         = htmlentities($group->getGrpUid());
     //$GROUP_TITLE = htmlentities($group->getGrpTitle());
     $GROUP_TITLE = strip_tags($group->getGrpTitle());
+    $ID_NEW         = G::LoadTranslation('ID_NEW');
+    $ID_GROUPS      = G::loadTranslation("ID_GROUPS");
+
+    $ID_EDIT     = $filter->xssFilterHard($ID_EDIT);
+    $ID_MEMBERS  = $filter->xssFilterHard($ID_MEMBERS);
+    $ID_DELETE   = $filter->xssFilterHard($ID_DELETE);
+    $UID         = $filter->xssFilterHard($UID);
+    $GROUP_TITLE = $filter->xssFilterHard($GROUP_TITLE);
+    $ID_NEW      = $filter->xssFilterHard($ID_NEW);
+    $ID_GROUPS   = $filter->xssFilterHard($ID_GROUPS);
+
     $htmlGroup   .="
         <tr id=\"{$xVar}\" onclick=\"focusRow(this, 'Selected')\" onmouseout=\"setRowClass(this, '{$RowClass}')\" onmouseover=\"setRowClass(this, 'RowPointer' )\" class=\"{$RowClass}\">
           <td><img src=\"/images/users.png\" border=\"0\" width=\"20\" height=\"20\"/></td>
@@ -68,13 +81,13 @@
 					<div class="boxContentBlue">
 					  <table width="95%" style="margin:0px;" cellspacing="0" cellpadding="0">
 					    <tr>
-						  <td class="userGroupTitle">'.G::loadTranslation("ID_GROUPS").'</td>
+						  <td class="userGroupTitle">'.$ID_GROUPS.'</td>
 						</tr>
 					  </table>
 					</div>
 					<div class="boxBottomBlue"><div class="a"></div><div class="b"></div><div class="c"></div></div>
 					
-				  	<div class="userGroupLink"><a href="#" onclick="addGroup();return false;">'.G::LoadTranslation('ID_NEW').'</a></div>
+				  	<div class="userGroupLink"><a href="#" onclick="addGroup();return false;">'.$ID_NEW.'</a></div>
 				  	
 				  	<div id="groupsListDiv" style="height:350px; width:'.($WIDTH_PANEL-20).'px; overflow:auto">
 				  	  <table class="pagedTableDefault"><tr><td>'