xss 2

2015-03-17 17:09:30 -04:00
parent db29297e35
commit 177a85512e
7 changed files with 56 additions and 2 deletions
--- a/workflow/engine/classes/class.processMap.php
+++ b/workflow/engine/classes/class.processMap.php
@@ -2356,7 +2356,11 @@ class processMap
              $G_PUBLISH->AddContent('propeltable', 'paged-table', '/cases/cases_Scheduler_List', $oCriteria, array('CONFIRM' => G::LoadTranslation('ID_MSG_CONFIRM_DELETE_CASE_SCHEDULER')));
              G::RenderPage('publish');
              //return true; */
            G::LoadSystem('inputfilter');
            $filter = new InputFilter();
            $schedulerPath = SYS_URI . "cases/cases_Scheduler_List";
            $schedulerPath = $filter->xssFilterHard($schedulerPath);
            $sProcessUID = $filter->xssFilterHard($sProcessUID);
            $html = "<iframe  WIDTH=820 HEIGHT=530 FRAMEBORDER=0 src='" . $schedulerPath . '?PRO_UID=' . $sProcessUID . "'></iframe>";
            echo $html;
        } catch (Exception $oError) {
--- a/workflow/engine/classes/class.propelTable.php
+++ b/workflow/engine/classes/class.propelTable.php
@@ -560,6 +560,12 @@ class propelTable
     */
    public function renderTable ($block = '', $fields = '')
    { 
        G::LoadSystem('inputfilter');
        $filter = new InputFilter();
        $fields = $filter->xssFilterHard($fields);
        $this->orderBy = $filter->xssFilterHard($this->orderBy);
        $this->currentPage = $filter->xssFilterHard($this->currentPage);
        //Render Title
        $thereisnotitle = true;
        foreach ($this->fields as $r => $rval) {
@@ -603,6 +609,11 @@ class propelTable
            $this->tpl->assign( 'pagedTable_Name', $this->name );
            $this->tpl->assign( 'pagedTable_Height', $this->xmlForm->height );
            $this->tpl->assign( "title", $this->title );
            $this->xmlForm->home = $filter->xssFilterHard($this->xmlForm->home);
            $this->filterForm = $filter->xssFilterHard($this->filterForm);
            $this->menu = $filter->xssFilterHard($this->menu);
            if (file_exists( $this->xmlForm->home . $this->filterForm . '.xml' )) {
                $filterForm = new filterForm( $this->filterForm, $this->xmlForm->home );
                if ($this->menu === '') {
@@ -839,6 +850,12 @@ class propelTable
                }
                $this->tpl->assign( "pagesEnum", $pagesEnum );
            }
            $this->name = $filter->xssFilterHard($this->name);
            $this->orderBy = $filter->xssFilterHard($this->orderBy);
            $this->currentPage = $filter->xssFilterHard($this->currentPage);
            $this->id = $filter->xssFilterHard($this->id);
            ?>
            <script language='JavaScript'>
--- a/workflow/engine/methods/cases/casesList_Ajax.php
+++ b/workflow/engine/methods/cases/casesList_Ajax.php
@@ -40,6 +40,12 @@ require_once ("classes/model/AdditionalTables.php");
 require_once ("classes/model/AppDelay.php");*/
 G::LoadClass( 'case' );
 G::LoadSystem('inputfilter');
 $filter = new InputFilter();
 $_POST = $filter->xssFilterHard($_POST);
 $_REQUEST = $filter->xssFilterHard($_REQUEST);
 $_SESSION = $filter->xssFilterHard($_SESSION); 
 $actionAjax = isset( $_REQUEST['actionAjax'] ) ? $_REQUEST['actionAjax'] : null;
 function filterUserListArray($users = array(), $filter = '')
--- a/workflow/engine/methods/setup/skin_Ajax.php
+++ b/workflow/engine/methods/setup/skin_Ajax.php
@@ -1,4 +1,8 @@
 <?php
 G::LoadSystem('inputfilter');
 $filter = new InputFilter();
 $_REQUEST = $filter->xssFilterHard($_REQUEST);
 if (! isset( $_REQUEST['action'] )) {
    $res['success'] = false;
    $res['error'] = $res['message'] = G::LoadTranslation('ID_REQUEST_ACTION');
@@ -360,6 +364,10 @@ function exportSkin ($skinToExport = "")
 function deleteSkin ()
 {
    try {
        G::LoadSystem('inputfilter');
        $filter = new InputFilter();
        $_REQUEST['SKIN_FOLDER_ID'] = $filter->xssFilterHard($_REQUEST['SKIN_FOLDER_ID']);
        if (! (isset( $_REQUEST['SKIN_FOLDER_ID'] ))) {
            throw (new Exception( G::LoadTranslation( 'ID_SKIN_FOLDER_REQUIRED' ) ));
        }
--- a/workflow/engine/methods/tracker/tracker_Ajax.php
+++ b/workflow/engine/methods/tracker/tracker_Ajax.php
@@ -22,6 +22,10 @@
 * Coral Gables, FL, 33134, USA, or email info@colosa.com.
 */
 try {
    G::LoadSystem('inputfilter');
    $filter = new InputFilter();
    $_POST = $filter->xssFilterHard($_POST);
    if (isset( $_POST['form']['action'] )) {
        $_POST['action'] = $_POST['form']['action'];
    }
--- a/workflow/engine/methods/users/usersAjax.php
+++ b/workflow/engine/methods/users/usersAjax.php
@@ -1,4 +1,13 @@
 <?php
 G::LoadSystem('inputfilter');
 $filter = new InputFilter();
 $_POST = $filter->xssFilterHard($_POST);
 if(isset($_SESSION['USER_LOGGED'])) { 
    $_SESSION['USER_LOGGED'] = $filter->xssFilterHard($_SESSION['USER_LOGGED']); 
 }
 if(isset($_SESSION['USR_USERNAME'])) { 
 $_SESSION['USR_USERNAME'] = $filter->xssFilterHard($_SESSION['USR_USERNAME']);
 }
 global $RBAC;
 $result = new StdClass();
--- a/workflow/engine/methods/users/users_Ajax.php
+++ b/workflow/engine/methods/users/users_Ajax.php
@@ -23,6 +23,12 @@
 * Coral Gables, FL, 33134, USA, or email info@colosa.com.
 */
 try {
    G::LoadSystem('inputfilter');
    $filter = new InputFilter();
    $_GET = $filter->xssFilterHard($_GET);
    $_POST = $filter->xssFilterHard($_POST);
    $_REQUEST = $filter->xssFilterHard($_REQUEST);
    global $RBAC;
    switch ($RBAC->userCanAccess('PM_LOGIN')) {
        case - 2: