fernando/luos
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Cleaned up some issues with xss on error pages.

Browse Source
This commit is contained in:
Chloe Deguzman
2016-03-02 15:51:51 +00:00
parent d74b24df43
commit 2d6917178d
5 changed files with 26 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
framework/src/templates/Exception.phtml
View File

@@ -70,7 +70,7 @@
<div class="block_exception clear_fix"> <div class="block_exception clear_fix">
<h2> <h2>
<abbr title="RuntimeException">RuntimeException</abbr>: <abbr title="RuntimeException">RuntimeException</abbr>:
<pre><?php echo $message?></pre> <pre><?php echo htmlspecialchars($message)?></pre>
</h2> </h2>
</div> </div>
<div class="block"> <div class="block">

2
workflow/engine/controllers/adminProxy.php
View File

@@ -313,7 +313,7 @@ class adminProxy extends HttpProxyController
public function testingOption($params) public function testingOption($params)
{ {
$data['success'] = true; $data['success'] = true;
$data['optionAuthS'] = $params->optionAuthS; $data['optionAuthS'] = htmlspecialchars($params->optionAuthS;
return $data; return $data;
} }

4
workflow/engine/methods/cases/casesStreamingFile.php
View File

@@ -6,7 +6,7 @@ $actionAjax = isset( $_REQUEST['actionAjax'] ) ? $_REQUEST['actionAjax'] : null;
if ($actionAjax == "streaming") { if ($actionAjax == "streaming") {
$app_uid = isset( $_REQUEST['a'] ) ? $_REQUEST['a'] : null; $app_uid = isset( $_REQUEST['a'] ) ? $_REQUEST['a'] : null;
$inp_doc_uid = isset( $_REQUEST['d'] ) ? $_REQUEST['d'] : null; $inp_doc_uid = isset( $_REQUEST['d'] ) ? htmlspecialchars($_REQUEST['d']) : null;
$oAppDocument = new \AppDocument(); $oAppDocument = new \AppDocument();
if (! isset( $fileData['version'] )) { if (! isset( $fileData['version'] )) {
@@ -52,7 +52,7 @@ if ($actionAjax == "streaming") {
if ($actionAjax == "fileMobile") { if ($actionAjax == "fileMobile") {
$app_uid = isset( $_REQUEST['a'] ) ? $_REQUEST['a'] : null; $app_uid = isset( $_REQUEST['a'] ) ? $_REQUEST['a'] : null;
$inp_doc_uid = isset( $_REQUEST['d'] ) ? $_REQUEST['d'] : null; $inp_doc_uid = isset( $_REQUEST['d'] ) ? htmlspecialchars($_REQUEST['d']) : null;
$structure = file_get_contents(PATH_HTML ."/mobile/index.json"); $structure = file_get_contents(PATH_HTML ."/mobile/index.json");
$structure = json_decode($structure); $structure = json_decode($structure);

2
workflow/engine/methods/cases/cases_Redirect.php
View File

@@ -32,7 +32,7 @@ $aFields = $oAppDocument->load( $_GET['a'] );
require_once 'classes/model/OutputDocument.php'; require_once 'classes/model/OutputDocument.php';
$oOutputDocument = new OutputDocument(); $oOutputDocument = new OutputDocument();
$aOD = $oOutputDocument->load( $aFields['DOC_UID'] ); $aOD = $oOutputDocument->load( $aFields['DOC_UID'] );
$a = $_GET['a']; $a = htmlspecialchars($_GET['a']);
$ext = strtolower( $aOD['OUT_DOC_GENERATE'] ); $ext = strtolower( $aOD['OUT_DOC_GENERATE'] );
G::header( 'location: cases_ShowOutputDocument?a=' . $a . '&ext=' . $ext ); G::header( 'location: cases_ShowOutputDocument?a=' . $a . '&ext=' . $ext );

19
workflow/engine/skinEngine/neoclassic/error404.php
View File

@@ -9,6 +9,7 @@ $urlLogin = $http . "://" . $host . "/sys/en/neoclassic/login/login";
$urlHome = $urlLogin; $urlHome = $urlLogin;
if (isset($_GET["url"]) && $_GET["url"] != "") { if (isset($_GET["url"]) && $_GET["url"] != "") {
$url = urldecode($_GET["url"]); $url = urldecode($_GET["url"]);
$url = explode("/", $url); $url = explode("/", $url);
@@ -18,14 +19,32 @@ if (isset($_GET["url"]) && $_GET["url"] != "") {
if (isset($url[1]) && preg_match("/^sys(.+)$/", $url[1], $match)) { if (isset($url[1]) && preg_match("/^sys(.+)$/", $url[1], $match)) {
$sysSys = $match[1]; $sysSys = $match[1];
// Check if sys path exists
$checkDir = PATH_DATA."sites/".$sysSys;
if(!is_dir($checkDir)) {
$sysSys = '';
}
} }
if (isset($url[2])) { if (isset($url[2])) {
$sysLang = $url[2]; $sysLang = $url[2];
if($sysLang != 'en') {
var_dump($sysLang);
}
} }
if (isset($url[3])) { if (isset($url[3])) {
$sysSkin = $url[3]; $sysSkin = $url[3];
// Check if sys path exists
$checkDir = PATH_SKIN_ENGINE.$sysSkin;
if(!is_dir($checkDir)) {
$sysSkin = '';
}
} }
if ($sysSys != "" && $sysLang != "" && $sysSkin != "") { if ($sysSys != "" && $sysLang != "" && $sysSkin != "") {