From 0ef17ab94b4bfd0af25f29a62f0d748500718d85 Mon Sep 17 00:00:00 2001
From: "Paula V. Quispe"
Date: Thu, 19 Mar 2015 17:24:54 -0400
Subject: [PATCH] I reviewed the XSS - MEDIUM in files

---
 .../templates/testAuthenticationSource.php | 7 ++++++-
 .../methods/departments/departments_Ajax.php | 5 +++++
 .../dynaforms_checkDependentFields.php | 4 ++++
 .../methods/dynaforms/fieldsHandlerAjax.php | 5 +++++
 workflow/engine/methods/dynaforms/test.php | 3 +++
 .../engine/templates/groups/groups_Tree.php | 17 +++++++++++++++--
 6 files changed, 38 insertions(+), 3 deletions(-)

diff --git a/rbac/engine/templates/testAuthenticationSource.php b/rbac/engine/templates/testAuthenticationSource.php
index 53207e126..af7d92ceb 100755
--- a/rbac/engine/templates/testAuthenticationSource.php
+++ b/rbac/engine/templates/testAuthenticationSource.php
@@ -22,6 +22,10 @@
  * Coral Gables, FL, 33134, USA, or email info@colosa.com.
  *
  */
+ G::LoadSystem('inputfilter');
+ $filter = new InputFilter();
+ $HTTP_SESSION_VARS = $filter->xssFilterHard($HTTP_SESSION_VARS);
+
 global $G_TABLE;
 global $G_CONTENT;
 global $HTTP_SESSION_VARS;
@@ -88,7 +92,8 @@ $oResult = $oLdap->search($rootDn, $sFilter, $aParams);
 if (PEAR::isError($oResult)) {
- print ( $oLdap->message);
+ $oLdap->message = $filter->xssFilterHard($oLdap->message);
+ print ( $oLdap->message);
 return $oResult;
 }
 /*
diff --git a/workflow/engine/methods/departments/departments_Ajax.php b/workflow/engine/methods/departments/departments_Ajax.php
index 05940d560..531a08ceb 100755
--- a/workflow/engine/methods/departments/departments_Ajax.php
+++ b/workflow/engine/methods/departments/departments_Ajax.php
@@ -23,6 +23,11 @@
  * Coral Gables, FL, 33134, USA, or email info@colosa.com.
  */
 
+G::LoadSystem('inputfilter');
+$filter = new InputFilter();
+$_POST = $filter->xssFilterHard($_POST);
+$_REQUEST = $filter->xssFilterHard($_REQUEST);
+
 function LookForChildren ($parent, $level, $aDepUsers)
 {
 G::LoadClass( 'configuration' );
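Review bot: The value written by the third added line, `$HTTP_SESSION_VARS = $filter->xssFilterHard($HTTP_SESSION_VARS);`, is discarded if this template is executed inside a function, because the `global $HTTP_SESSION_VARS;` three lines further down rebinds the name to the global array after the assignment, so the array that the rest of the template reads is never filtered; at file scope the `global` statement is a no-op, so the order is wrong either way. Move the assignment below the declarations: `global $HTTP_SESSION_VARS;` followed by `$HTTP_SESSION_VARS = $filter->xssFilterHard($HTTP_SESSION_VARS);`. `$HTTP_SESSION_VARS` is the long-deprecated alias of `$_SESSION` and is not populated by PHP 5.4 and later, so whether this line sees any data depends on the runtime and is worth confirming. The enclosing scope begins before the hunk.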
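Review bot: The first added line rewrites `$oLdap->message` on the object purely so the next line can print it, which also changes the text seen by any later caller that inspects the message after the `return $oResult;`; escaping belongs on the output statement, e.g. `print htmlspecialchars($oLdap->message, ENT_QUOTES, 'UTF-8');`, with the object left untouched. The line also relies on `$filter` created in the previous hunk being in the same scope; if this `if` sits in a different function, `$filter` is undefined here. The enclosing function starts before the hunk.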
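Review bot: Replacing `$_POST` and `$_REQUEST` wholesale with the result of `xssFilterHard` on the third and fourth added lines sanitises input before it is validated or stored, so whatever the filter rewrites reaches the database and every consumer of the request, while rendering those values in HTML still needs `htmlspecialchars` at the echo site; the same pattern is added in dynaforms_checkDependentFields.php, in the first hunk of fieldsHandlerAjax.php and, as far as the garbled hunk shows, in test.php. `$_REQUEST` is a merged copy, so filtering it leaves `$_GET` and `$_COOKIE` as they were; if this handler reads `$_GET` directly that path stays unfiltered. A one-line comment above the block would record the intent for the next reader, e.g. `// Input-side filter only; values are still escaped where they are rendered.`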
diff --git a/workflow/engine/methods/dynaforms/dynaforms_checkDependentFields.php b/workflow/engine/methods/dynaforms/dynaforms_checkDependentFields.php
index 9d3b65193..b26680768 100755
--- a/workflow/engine/methods/dynaforms/dynaforms_checkDependentFields.php
+++ b/workflow/engine/methods/dynaforms/dynaforms_checkDependentFields.php
@@ -28,6 +28,10 @@
  * also the functionality of dependent fields in grids doesn't depends in this
  * file so this is somewhat expendable.
  */
+G::LoadSystem('inputfilter');
+$filter = new InputFilter();
+$_POST = $filter->xssFilterHard($_POST);
+
 function subDependencies ($k, &$G_FORM, &$aux, $grid = '')
 {
 $myDependentFields = '';
diff --git a/workflow/engine/methods/dynaforms/fieldsHandlerAjax.php b/workflow/engine/methods/dynaforms/fieldsHandlerAjax.php
index 01c8002c1..a5b1ddfc9 100755
--- a/workflow/engine/methods/dynaforms/fieldsHandlerAjax.php
+++ b/workflow/engine/methods/dynaforms/fieldsHandlerAjax.php
@@ -25,6 +25,9 @@
  * @Date Aug 26th, 2009
  */
 
+G::LoadSystem('inputfilter');
+$filter = new InputFilter();
+$_POST = $filter->xssFilterHard($_POST);
 $request = $_POST['request'];
 switch ($request) {
@@ -32,6 +35,7 @@ switch ($request) {
 if (isset( $_POST['items'] )) {
 $items = $_POST['items'];
 $tmpfilename = $_SESSION['Current_Dynafom']['Parameters']['FILE'];
+ $tmpfilename = $filter->xssFilterHard($tmpfilename);
 G::LoadSystem( 'dynaformhandler' );
 $o = new dynaFormHandler( PATH_DYNAFORM . "{$tmpfilename}.xml" );
 
@@ -53,6 +57,7 @@ switch ($request) {
 break;
 case 'saveHidden':
 $tmpfilename = $_SESSION['Current_Dynafom']['Parameters']['FILE'];
+ $tmpfilename = $filter->xssFilterHard($tmpfilename);
 G::LoadSystem( 'dynaformhandler' );
 $o = new dynaFormHandler( PATH_DYNAFORM . "{$tmpfilename}.xml" );
 $hidden_items = Array ();
diff --git a/workflow/engine/methods/dynaforms/test.php b/workflow/engine/methods/dynaforms/test.php
index 4dfc23836..9999dc690 100755
--- a/workflow/engine/methods/dynaforms/test.php
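Review bot: The added line runs an HTML/script filter over `$tmpfilename` right before it is concatenated into a filesystem path two lines later, `PATH_DYNAFORM . "{$tmpfilename}.xml"`; an XSS filter does not constrain path segments such as `..` or `/`, so it gives no assurance for the file that is opened. The value comes from `$_SESSION`, which the server sets, so the exposure is presumably low, but if a check is wanted here it should be a path check, e.g. `$tmpfilename = basename($tmpfilename);` or asserting the resolved path stays under `PATH_DYNAFORM`. The same line is duplicated in the third hunk under `case 'saveHidden':`; both cases could share one helper that loads the handler for the session's dynaform. The enclosing `switch` starts before the hunk.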
+++ b/workflow/engine/methods/dynaforms/test.php
@@ -51,8 +51,11 @@ for ($r = 1; $r < 10; $r ++) { xssFilterHard($test); foreach ($test as $t) { echo 'You selected ', $t, '
'; }
diff --git a/workflow/engine/templates/groups/groups_Tree.php b/workflow/engine/templates/groups/groups_Tree.php
index 53a2edc13..acccedc6f 100755
--- a/workflow/engine/templates/groups/groups_Tree.php
+++ b/workflow/engine/templates/groups/groups_Tree.php
@@ -29,6 +29,8 @@ $WIDTH_PANEL = 350;
+ G::LoadSystem('inputfilter');
+ $filter = new InputFilter();
 G::LoadClass('groups');
 $groups = new Groups();
@@ -47,6 +49,17 @@ $UID = htmlentities($group->getGrpUid());
 //$GROUP_TITLE = htmlentities($group->getGrpTitle());
 $GROUP_TITLE = strip_tags($group->getGrpTitle());
+ $ID_NEW = G::LoadTranslation('ID_NEW');
+ $ID_GROUPS = G::loadTranslation("ID_GROUPS");
+
+ $ID_EDIT = $filter->xssFilterHard($ID_EDIT);
+ $ID_MEMBERS = $filter->xssFilterHard($ID_MEMBERS);
+ $ID_DELETE = $filter->xssFilterHard($ID_DELETE);
+ $UID = $filter->xssFilterHard($UID);
+ $GROUP_TITLE = $filter->xssFilterHard($GROUP_TITLE);
+ $ID_NEW = $filter->xssFilterHard($ID_NEW);
+ $ID_GROUPS = $filter->xssFilterHard($ID_GROUPS);
+
 $htmlGroup .="
@@ -68,13 +81,13 @@
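Review bot: The added `xssFilterHard` calls in the second hunk re-filter values that are already handled for this context — `$UID` goes through `htmlentities` on the line shown at the top of the hunk and `$GROUP_TITLE` through `strip_tags` just above the additions — and the five translation strings (`$ID_EDIT`, `$ID_MEMBERS`, `$ID_DELETE`, `$ID_NEW`, `$ID_GROUPS`) come from the application's own language files rather than the request, so filtering them adds nothing while, if this block sits inside the per-group loop as the `$group->` calls suggest, it runs on every iteration. The only request-influenced value here is the group title, and `htmlspecialchars($group->getGrpTitle(), ENT_QUOTES, 'UTF-8')` at the point it is placed into `$htmlGroup` would be the clearer control than `strip_tags` plus a second filter. `G::LoadTranslation` and `G::loadTranslation` differ only in case on two adjacent added lines; PHP resolves both, but the file should settle on one spelling. The enclosing loop begins before the hunk.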
- +
'.G::loadTranslation("ID_GROUPS").''.$ID_GROUPS.'
- +
'