fernando/luos
1
0
Fork 0
Code Releases Activity

HOR-282 Added XSS filtering to open cases function.

Browse Source
This commit is contained in:
Chloe Deguzman
2016-03-08 15:40:42 +00:00
parent 6778980b0d
commit 2a8b1c1238
1 changed files with 9 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

17
workflow/engine/methods/cases/open.php
View File

@@ -38,8 +38,8 @@ if (! isset( $_GET['APP_UID'] ) || ! isset( $_GET['DEL_INDEX'] )) {
if (isset( $_GET['APP_NUMBER'] )) {
G::LoadClass( 'case' );
$oCase = new Cases();
$_GET['APP_UID'] = $oCase->getApplicationUIDByNumber( $_GET['APP_NUMBER'] );
$_GET['DEL_INDEX'] = $oCase->getCurrentDelegation( $_GET['APP_UID'], $_SESSION['USER_LOGGED'] );
$appUid = $oCase->getApplicationUIDByNumber( $_GET['APP_NUMBER'] );
$delIndex = $oCase->getCurrentDelegation( $_GET['APP_UID'], $_SESSION['USER_LOGGED'] );
if (is_null( $_GET['APP_UID'] )) {
throw new Exception( G::LoadTranslation( 'ID_CASE_DOES_NOT_EXISTS' ) );
}
@@ -49,6 +49,9 @@ if (! isset( $_GET['APP_UID'] ) || ! isset( $_GET['DEL_INDEX'] )) {
} else {
throw new Exception( "Application ID or Delegation Index is missing!. The System can't open the case." );
}
} else {
$appUid = htmlspecialchars($_GET['APP_UID']);
$delIndex = htmlspecialchars($_GET['DEL_INDEX']);
}
require_once ("classes/model/Step.php");
@@ -86,19 +89,17 @@ foreach ($_GET as $k => $v) {
$uri .= ($uri == '') ? "$k=$v" : "&$k=$v";
}
//$case = $oCase->loadCase( $_GET['APP_UID'], $_GET['DEL_INDEX'] );
//$case = $oCase->loadCase( $appUid, $delIndex );
if( isset($_GET['action']) && ($_GET['action'] == 'jump') ) {
$case = $oCase->loadCase( $_GET['APP_UID'], $_GET['DEL_INDEX'], $_GET['action']);
$case = $oCase->loadCase( $appUid, $delIndex, $_GET['action']);
} else {
$case = $oCase->loadCase( $_GET['APP_UID'], $_GET['DEL_INDEX'] );
$case = $oCase->loadCase( $appUid, $delIndex );
}
if (! isset( $_GET['to_revise'] )) {
$script = 'cases_Open?';
} else {
$script = 'cases_OpenToRevise?';
$delIndex = $_GET['DEL_INDEX'];
$appUid = $_GET['APP_UID'];
$oHeadPublisher->assign( 'treeToReviseTitle', G::loadtranslation( 'ID_STEP_LIST' ) );
$casesPanelUrl = 'casesToReviseTreeContent?APP_UID=' . $appUid . '&DEL_INDEX=' . $delIndex;
$oHeadPublisher->assign( 'casesPanelUrl', $casesPanelUrl ); //translations
@@ -122,7 +123,7 @@ $oHeadPublisher->assign( 'uri', $script . $uri );
$oHeadPublisher->assign( '_APP_NUM', '#: ' . $case['APP_NUMBER'] );
$oHeadPublisher->assign( '_PROJECT_TYPE', in_array($case['PRO_UID'], $bpmnProjects) ? 'bpmn' : 'classic' );
$oHeadPublisher->assign( '_PRO_UID', $case['PRO_UID']);
$oHeadPublisher->assign( '_APP_UID', $_GET['APP_UID']);
$oHeadPublisher->assign( '_APP_UID', $appUid);
$oHeadPublisher->assign( '_ENV_CURRENT_DATE', $conf->getSystemDate( date( 'Y-m-d' ) ) );
$oHeadPublisher->assign( '_ENV_CURRENT_DATE_NO_FORMAT', date( 'Y-m-d-h-i-A' ) );
$oHeadPublisher->assign( 'idfirstform', is_null( $oStep ) ? '' : $oStep->getStepUidObj() );