I reviewed the XSS - MEDIUM in files

2015-03-19 17:24:54 -04:00
parent 02847a5a51
commit 0ef17ab94b
6 changed files with 38 additions and 3 deletions
--- a/rbac/engine/templates/testAuthenticationSource.php
+++ b/rbac/engine/templates/testAuthenticationSource.php
@@ -22,6 +22,10 @@
 * Coral Gables, FL, 33134, USA, or email info@colosa.com.
 * 
 */
+  G::LoadSystem('inputfilter');
+  $filter = new InputFilter();
+  $HTTP_SESSION_VARS = $filter->xssFilterHard($HTTP_SESSION_VARS);
+
  global $G_TABLE;
  global $G_CONTENT;
  global $HTTP_SESSION_VARS;
@@ -88,7 +92,8 @@

        $oResult = $oLdap->search($rootDn, $sFilter, $aParams);
        if (PEAR::isError($oResult)) {
-        print ( $oLdap->message);
+            $oLdap->message = $filter->xssFilterHard($oLdap->message);
+            print ( $oLdap->message);
            return $oResult;
        }
 /*
--- a/workflow/engine/methods/departments/departments_Ajax.php
+++ b/workflow/engine/methods/departments/departments_Ajax.php
@@ -23,6 +23,11 @@
 * Coral Gables, FL, 33134, USA, or email info@colosa.com.
 */

+G::LoadSystem('inputfilter');
+$filter = new InputFilter();
+$_POST = $filter->xssFilterHard($_POST);
+$_REQUEST = $filter->xssFilterHard($_REQUEST);
+
 function LookForChildren ($parent, $level, $aDepUsers)
 {
    G::LoadClass( 'configuration' );
--- a/workflow/engine/methods/dynaforms/dynaforms_checkDependentFields.php
+++ b/workflow/engine/methods/dynaforms/dynaforms_checkDependentFields.php
@@ -28,6 +28,10 @@
 * also the functionality of dependent fields in grids doesn't depends in this
 * file so this is somewhat expendable.
 */
+G::LoadSystem('inputfilter');
+$filter = new InputFilter();
+$_POST = $filter->xssFilterHard($_POST);
+
 function subDependencies ($k, &$G_FORM, &$aux, $grid = '')
 {
    $myDependentFields = '';
--- a/workflow/engine/methods/dynaforms/fieldsHandlerAjax.php
+++ b/workflow/engine/methods/dynaforms/fieldsHandlerAjax.php
@@ -25,6 +25,9 @@
  * @Date Aug 26th, 2009
  */

+G::LoadSystem('inputfilter');
+$filter = new InputFilter();
+$_POST = $filter->xssFilterHard($_POST);
 $request = $_POST['request'];

 switch ($request) {
@@ -32,6 +35,7 @@ switch ($request) {
        if (isset( $_POST['items'] )) {
            $items = $_POST['items'];
            $tmpfilename = $_SESSION['Current_Dynafom']['Parameters']['FILE'];
+            $tmpfilename = $filter->xssFilterHard($tmpfilename);
            G::LoadSystem( 'dynaformhandler' );

            $o = new dynaFormHandler( PATH_DYNAFORM . "{$tmpfilename}.xml" );
@@ -53,6 +57,7 @@ switch ($request) {
        break;
    case 'saveHidden':
        $tmpfilename = $_SESSION['Current_Dynafom']['Parameters']['FILE'];
+        $tmpfilename = $filter->xssFilterHard($tmpfilename);
        G::LoadSystem( 'dynaformhandler' );
        $o = new dynaFormHandler( PATH_DYNAFORM . "{$tmpfilename}.xml" );
        $hidden_items = Array ();
--- a/workflow/engine/methods/dynaforms/test.php
+++ b/workflow/engine/methods/dynaforms/test.php
@@ -51,8 +51,11 @@ for ($r = 1; $r < 10; $r ++) {
 	</select> <input type="submit" value="Send" />
 </form>
 <?php
+G::LoadSystem('inputfilter');
+$filter = new InputFilter();
 $test = $_POST['form']['test'];
 if ($test) {
+    $test = $filter->xssFilterHard($test);
    foreach ($test as $t) {
        echo 'You selected ', $t, '<br />';
    }
--- a/workflow/engine/templates/groups/groups_Tree.php
+++ b/workflow/engine/templates/groups/groups_Tree.php
@@ -29,6 +29,8 @@

  $WIDTH_PANEL = 350;

+  G::LoadSystem('inputfilter');
+  $filter = new InputFilter();
  G::LoadClass('groups');

  $groups = new Groups();
@@ -47,6 +49,17 @@
    $UID         = htmlentities($group->getGrpUid());
    //$GROUP_TITLE = htmlentities($group->getGrpTitle());
    $GROUP_TITLE = strip_tags($group->getGrpTitle());
+    $ID_NEW         = G::LoadTranslation('ID_NEW');
+    $ID_GROUPS      = G::loadTranslation("ID_GROUPS");
+
+    $ID_EDIT     = $filter->xssFilterHard($ID_EDIT);
+    $ID_MEMBERS  = $filter->xssFilterHard($ID_MEMBERS);
+    $ID_DELETE   = $filter->xssFilterHard($ID_DELETE);
+    $UID         = $filter->xssFilterHard($UID);
+    $GROUP_TITLE = $filter->xssFilterHard($GROUP_TITLE);
+    $ID_NEW      = $filter->xssFilterHard($ID_NEW);
+    $ID_GROUPS   = $filter->xssFilterHard($ID_GROUPS);
+
    $htmlGroup   .="
        <tr id=\"{$xVar}\" onclick=\"focusRow(this, 'Selected')\" onmouseout=\"setRowClass(this, '{$RowClass}')\" onmouseover=\"setRowClass(this, 'RowPointer' )\" class=\"{$RowClass}\">
          <td><img src=\"/images/users.png\" border=\"0\" width=\"20\" height=\"20\"/></td>
@@ -68,13 +81,13 @@
 					<div class="boxContentBlue">
 					  <table width="95%" style="margin:0px;" cellspacing="0" cellpadding="0">
 					    <tr>
-						  <td class="userGroupTitle">'.G::loadTranslation("ID_GROUPS").'</td>
+						  <td class="userGroupTitle">'.$ID_GROUPS.'</td>
 						</tr>
 					  </table>
 					</div>
 					<div class="boxBottomBlue"><div class="a"></div><div class="b"></div><div class="c"></div></div>
 					
-				  	<div class="userGroupLink"><a href="#" onclick="addGroup();return false;">'.G::LoadTranslation('ID_NEW').'</a></div>
+				  	<div class="userGroupLink"><a href="#" onclick="addGroup();return false;">'.$ID_NEW.'</a></div>
 				  	
 				  	<div id="groupsListDiv" style="height:350px; width:'.($WIDTH_PANEL-20).'px; overflow:auto">
 				  	  <table class="pagedTableDefault"><tr><td>'