I reviewed the XSS - MEDIUM in last files

2015-03-20 16:42:30 -04:00
parent dda8a2a245
commit 1825e6aed8
2 changed files with 9 additions and 0 deletions
--- a/workflow/engine/methods/controls/varsAjaxByType.php
+++ b/workflow/engine/methods/controls/varsAjaxByType.php
@@ -35,6 +35,10 @@
 */

 G::LoadClass( 'xmlfield_InputPM' );
+G::LoadSystem('inputfilter');
+$filter = new InputFilter();
+$_POST = $filter->xssFilterHard($_POST);
+
 $aFields = getDynaformsVars( $_POST['sProcess'], true, isset( $_POST['bIncMulSelFields'] ) ? $_POST['bIncMulSelFields'] : 0 );
 $aType = $_POST['type'];

--- a/workflow/engine/methods/processes/processes_Import_Bpmn.php
+++ b/workflow/engine/methods/processes/processes_Import_Bpmn.php
@@ -1,12 +1,17 @@
 <?php

 ini_set("max_execution_time", 0);
+G::LoadSystem('inputfilter');
+$filter = new InputFilter();
+$_FILES = $filter->xssFilterHard($_FILES);
+$_SESSION['USER_LOGGED'] = $filter->xssFilterHard($_SESSION['USER_LOGGED']);

 if (isset($_FILES["PROCESS_FILENAME"]) &&
        pathinfo($_FILES["PROCESS_FILENAME"]["name"], PATHINFO_EXTENSION) == "bpmn"
 ) {
    try {
        $createMode = $_REQUEST["createMode"];
+        $createMode = $filter->xssFilterHard($createMode);
        $name = pathinfo($_FILES["PROCESS_FILENAME"]["name"], PATHINFO_FILENAME);
        $data = array(
            "type" => "bpmnProject",