Cleaned up some issues with xss on error pages.
This commit is contained in:
Chloe Deguzman
@@ -70,7 +70,7 @@
|
||||
<div class="block_exception clear_fix">
|
||||
<h2>
|
||||
<abbr title="RuntimeException">RuntimeException</abbr>:
|
||||
<pre><?php echo $message?></pre>
|
||||
<pre><?php echo htmlspecialchars($message)?></pre>
|
||||
</h2>
|
||||
</div>
|
||||
<div class="block">
|
||||
|
||||
@@ -313,7 +313,7 @@ class adminProxy extends HttpProxyController
|
||||
public function testingOption($params)
|
||||
{
|
||||
$data['success'] = true;
|
||||
$data['optionAuthS'] = $params->optionAuthS;
|
||||
$data['optionAuthS'] = htmlspecialchars($params->optionAuthS;
|
||||
return $data;
|
||||
|
||||
}
|
||||
|
||||
@@ -6,7 +6,7 @@ $actionAjax = isset( $_REQUEST['actionAjax'] ) ? $_REQUEST['actionAjax'] : null;
|
||||
if ($actionAjax == "streaming") {
|
||||
|
||||
$app_uid = isset( $_REQUEST['a'] ) ? $_REQUEST['a'] : null;
|
||||
$inp_doc_uid = isset( $_REQUEST['d'] ) ? $_REQUEST['d'] : null;
|
||||
$inp_doc_uid = isset( $_REQUEST['d'] ) ? htmlspecialchars($_REQUEST['d']) : null;
|
||||
$oAppDocument = new \AppDocument();
|
||||
|
||||
if (! isset( $fileData['version'] )) {
|
||||
@@ -52,7 +52,7 @@ if ($actionAjax == "streaming") {
|
||||
|
||||
if ($actionAjax == "fileMobile") {
|
||||
$app_uid = isset( $_REQUEST['a'] ) ? $_REQUEST['a'] : null;
|
||||
$inp_doc_uid = isset( $_REQUEST['d'] ) ? $_REQUEST['d'] : null;
|
||||
$inp_doc_uid = isset( $_REQUEST['d'] ) ? htmlspecialchars($_REQUEST['d']) : null;
|
||||
|
||||
$structure = file_get_contents(PATH_HTML ."/mobile/index.json");
|
||||
$structure = json_decode($structure);
|
||||
|
||||
@@ -32,7 +32,7 @@ $aFields = $oAppDocument->load( $_GET['a'] );
|
||||
require_once 'classes/model/OutputDocument.php';
|
||||
$oOutputDocument = new OutputDocument();
|
||||
$aOD = $oOutputDocument->load( $aFields['DOC_UID'] );
|
||||
$a = $_GET['a'];
|
||||
$a = htmlspecialchars($_GET['a']);
|
||||
$ext = strtolower( $aOD['OUT_DOC_GENERATE'] );
|
||||
|
||||
G::header( 'location: cases_ShowOutputDocument?a=' . $a . '&ext=' . $ext );
|
||||
|
||||
@@ -9,6 +9,7 @@ $urlLogin = $http . "://" . $host . "/sys/en/neoclassic/login/login";
|
||||
$urlHome = $urlLogin;
|
||||
|
||||
if (isset($_GET["url"]) && $_GET["url"] != "") {
|
||||
|
||||
$url = urldecode($_GET["url"]);
|
||||
$url = explode("/", $url);
|
||||
|
||||
@@ -18,14 +19,32 @@ if (isset($_GET["url"]) && $_GET["url"] != "") {
|
||||
|
||||
if (isset($url[1]) && preg_match("/^sys(.+)$/", $url[1], $match)) {
|
||||
$sysSys = $match[1];
|
||||
|
||||
// Check if sys path exists
|
||||
$checkDir = PATH_DATA."sites/".$sysSys;
|
||||
if(!is_dir($checkDir)) {
|
||||
$sysSys = '';
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
if (isset($url[2])) {
|
||||
$sysLang = $url[2];
|
||||
|
||||
if($sysLang != 'en') {
|
||||
var_dump($sysLang);
|
||||
}
|
||||
}
|
||||
|
||||
if (isset($url[3])) {
|
||||
$sysSkin = $url[3];
|
||||
|
||||
// Check if sys path exists
|
||||
$checkDir = PATH_SKIN_ENGINE.$sysSkin;
|
||||
if(!is_dir($checkDir)) {
|
||||
$sysSkin = '';
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
if ($sysSys != "" && $sysLang != "" && $sysSkin != "") {
|
||||
|
||||
Reference in New Issue
Block a user