I reviewed the XSS - MEDIUM in files
This commit is contained in:
Paula V. Quispe
@@ -23,12 +23,19 @@
|
||||
*
|
||||
*/
|
||||
|
||||
G::LoadSystem('inputfilter');
|
||||
$filter = new InputFilter();
|
||||
global $HTTP_SESSION_VARS;
|
||||
global $G_FORM;
|
||||
$HTTP_SESSION_VARS = $filter->xssFilterHard($HTTP_SESSION_VARS);
|
||||
$HTTP_GET_VARS = $filter->xssFilterHard($HTTP_GET_VARS);
|
||||
$_GET = $filter->xssFilterHard($_GET);
|
||||
|
||||
$path = '';
|
||||
$showFieldAjax = 'showFieldAjax.php';
|
||||
|
||||
$serverAjax = G::encryptLink($path.$showFieldAjax);
|
||||
$serverAjax = $filter->xssFilterHard($serverAjax);
|
||||
|
||||
?>
|
||||
<script language="JavaScript">
|
||||
@@ -40,10 +47,14 @@ function RefreshDependentFields(ObjectName, Fields, InitValue) {
|
||||
global $HTTP_GET_VARS;
|
||||
if ($HTTP_SESSION_VARS['CURRENT_APPLICATION'] == '') $HTTP_SESSION_VARS['CURRENT_APPLICATION'] = '0';
|
||||
$appid = $HTTP_SESSION_VARS['CURRENT_APPLICATION'];
|
||||
if ($HTTP_GET_VARS['dynaform'] != '')
|
||||
if ($HTTP_GET_VARS['dynaform'] != ''){
|
||||
$Dynaform = '&__dynaform__=' . $HTTP_GET_VARS['dynaform'];
|
||||
if ($HTTP_GET_VARS['filename'] != '')
|
||||
$Dynaform = $filter->xssFilterHard($Dynaform);
|
||||
}
|
||||
if ($HTTP_GET_VARS['filename'] != ''){
|
||||
$Dynaform = '&__filename__=' . $HTTP_GET_VARS['filename'];
|
||||
$Dynaform = $filter->xssFilterHard($Dynaform);
|
||||
}
|
||||
|
||||
?>
|
||||
|
||||
|
||||
@@ -502,6 +502,8 @@ function fieldReset($translation)
|
||||
|
||||
function fieldComplete($translation)
|
||||
{
|
||||
G::LoadSystem('inputfilter');
|
||||
$filter = new InputFilter();
|
||||
global $action;
|
||||
|
||||
$arrayField = getDefaultFields($action, $translation);
|
||||
@@ -509,10 +511,15 @@ function fieldComplete($translation)
|
||||
|
||||
//Get values from JSON request
|
||||
$first = G::json_decode((isset($_POST["first"]))? $_POST["first"] : G::json_encode(array()));
|
||||
$first = $filter->xssFilterHard($first);
|
||||
$second = G::json_decode((isset($_POST["second"]))? $_POST["second"] : G::json_encode(array()));
|
||||
$second = $filter->xssFilterHard($second);
|
||||
$pmtable = (isset($_POST["pmtable"]))? $_POST["pmtable"] : "";
|
||||
$pmtable = $filter->xssFilterHard($pmtable);
|
||||
$rowsperpage = (isset($_POST["rowsperpage"]))? $_POST["rowsperpage"] : $arrayConfig["rowsperpage"];
|
||||
$rowsperpage = $filter->xssFilterHard($rowsperpage);
|
||||
$dateformat = (isset($_POST["dateformat"]) && !empty($_POST["dateformat"]))? $_POST["dateformat"] : $arrayConfig["dateformat"];
|
||||
$dateformat = $filter->xssFilterHard($dateformat);
|
||||
|
||||
//Complete fields
|
||||
foreach ($first as $index1 => $value1) {
|
||||
@@ -560,17 +567,24 @@ function fieldComplete($translation)
|
||||
|
||||
function fieldLabelReset($translation)
|
||||
{
|
||||
G::LoadSystem('inputfilter');
|
||||
$filter = new InputFilter();
|
||||
global $action;
|
||||
|
||||
$arrayField = getDefaultFields($action, $translation);
|
||||
$arrayConfig = getDefaultConfig($action, $translation);
|
||||
|
||||
//Get values from JSON request
|
||||
$first = G::json_decode((isset($_POST["first"]))? $_POST["first"] : G::json_encode(array()));
|
||||
$second = G::json_decode((isset($_POST["second"]))? $_POST["second"] : G::json_encode(array()));
|
||||
$pmtable = (isset($_POST["pmtable"]))? $_POST["pmtable"] : "";
|
||||
$first = G::json_decode((isset($_POST["first"]))? $_POST["first"] : G::json_encode(array()));
|
||||
$first = $filter->xssFilterHard($first);
|
||||
$second = G::json_decode((isset($_POST["second"]))? $_POST["second"] : G::json_encode(array()));
|
||||
$second = $filter->xssFilterHard($second);
|
||||
$pmtable = (isset($_POST["pmtable"]))? $_POST["pmtable"] : "";
|
||||
$pmtable = $filter->xssFilterHard($pmtable);
|
||||
$rowsperpage = (isset($_POST["rowsperpage"]))? $_POST["rowsperpage"] : $arrayConfig["rowsperpage"];
|
||||
$rowsperpage = $filter->xssFilterHard($rowsperpage);
|
||||
$dateformat = (isset($_POST["dateformat"]) && !empty($_POST["dateformat"]))? $_POST["dateformat"] : $arrayConfig["dateformat"];
|
||||
$dateformat = $filter->xssFilterHard($dateformat);
|
||||
|
||||
//Reset label's fields
|
||||
foreach ($second as $index1 => $value1) {
|
||||
@@ -592,6 +606,8 @@ function fieldLabelReset($translation)
|
||||
|
||||
function fieldSave()
|
||||
{
|
||||
G::LoadSystem('inputfilter');
|
||||
$filter = new InputFilter();
|
||||
global $conf;
|
||||
global $action;
|
||||
|
||||
@@ -599,11 +615,15 @@ function fieldSave()
|
||||
$arrayConfig = getDefaultConfig($action, 0);
|
||||
|
||||
//Get values from JSON request
|
||||
$first = G::json_decode((isset($_POST["first"]))? $_POST["first"] : G::json_encode(array()));
|
||||
$second = G::json_decode((isset($_POST["second"]))? $_POST["second"] : G::json_encode(array()));
|
||||
$pmtable = (isset($_POST["pmtable"]))? $_POST["pmtable"] : "";
|
||||
$first = G::json_decode((isset($_POST["first"]))? $_POST["first"] : G::json_encode(array()));
|
||||
$first = $filter->xssFilterHard($first);
|
||||
$second = G::json_decode((isset($_POST["second"]))? $_POST["second"] : G::json_encode(array()));
|
||||
$pmtable = (isset($_POST["pmtable"]))? $_POST["pmtable"] : "";
|
||||
$pmtable = $filter->xssFilterHard($pmtable);
|
||||
$rowsperpage = (isset($_POST["rowsperpage"]))? $_POST["rowsperpage"] : $arrayConfig["rowsperpage"];
|
||||
$rowsperpage = $filter->xssFilterHard($rowsperpage);
|
||||
$dateformat = (isset($_POST["dateformat"]) && !empty($_POST["dateformat"]))? $_POST["dateformat"] : $arrayConfig["dateformat"];
|
||||
$dateformat = $filter->xssFilterHard($dateformat);
|
||||
|
||||
//Adding the key fields to second array
|
||||
//Required fields for AppCacheView.php - addPMFieldsToCriteria()
|
||||
|
||||
@@ -1,12 +1,22 @@
|
||||
<?php
|
||||
|
||||
G::LoadSystem('inputfilter');
|
||||
$filter = new InputFilter();
|
||||
$_SESSION['USER_LOGGED'] = $filter->xssFilterHard($_SESSION['USER_LOGGED']);
|
||||
|
||||
$callback = isset($_POST['callback']) ? $_POST['callback'] : 'stcCallback1001';
|
||||
$dir = isset($_POST['dir']) ? $_POST['dir'] : 'DESC';
|
||||
$sort = isset($_POST['sort']) ? $_POST['sort'] : '';
|
||||
$query = isset($_POST['query']) ? $_POST['query'] : '';
|
||||
$callback = $filter->xssFilterHard($callback);
|
||||
$dir = isset($_POST['dir']) ? $_POST['dir'] : 'DESC';
|
||||
$dir = $filter->xssFilterHard($dir);
|
||||
$sort = isset($_POST['sort']) ? $_POST['sort'] : '';
|
||||
$sort = $filter->xssFilterHard($sort);
|
||||
$query = isset($_POST['query']) ? $_POST['query'] : '';
|
||||
$query = $filter->xssFilterHard($query);
|
||||
$option = '';
|
||||
|
||||
if ( isset($_GET['t'] ) ) {
|
||||
$option = $_GET['t'];
|
||||
$option = $filter->xssFilterHard($option);
|
||||
}
|
||||
|
||||
try {
|
||||
|
||||
@@ -5,12 +5,21 @@
|
||||
* and open the template in the editor.
|
||||
*/
|
||||
|
||||
G::LoadSystem('inputfilter');
|
||||
$filter = new InputFilter();
|
||||
|
||||
$callback = isset($_POST['callback']) ? $_POST['callback'] : 'stcCallback1001';
|
||||
$callback = $filter->xssFilterHard($callback);
|
||||
$dir = isset($_POST['dir']) ? $_POST['dir'] : 'DESC';
|
||||
$dir = $filter->xssFilterHard($dir);
|
||||
$sort = isset($_POST['sort']) ? $_POST['sort'] : '';
|
||||
$sort = $filter->xssFilterHard($sort);
|
||||
$query = isset($_POST['query']) ? $_POST['query'] : '';
|
||||
$query = $filter->xssFilterHard($query);
|
||||
$tabUid = isset($_POST['table']) ? $_POST['table'] : '';
|
||||
$tabUid = $filter->xssFilterHard($tabUid);
|
||||
$action = isset($_POST['action']) ? $_POST['action'] : 'todo';
|
||||
$action = $filter->xssFilterHard($action);
|
||||
|
||||
try {
|
||||
G::LoadClass("BasePeer" );
|
||||
|
||||
@@ -1,4 +1,11 @@
|
||||
<?php
|
||||
|
||||
G::LoadSystem('inputfilter');
|
||||
$filter = new InputFilter();
|
||||
$_POST = $filter->xssFilterHard($_POST);
|
||||
$_SESSION['USER_LOGGED'] = $filter->xssFilterHard($_SESSION['USER_LOGGED']);
|
||||
$_GET['t'] = $filter->xssFilterHard($_GET['t']);
|
||||
|
||||
$callback = isset( $_POST['callback'] ) ? $_POST['callback'] : 'stcCallback1001';
|
||||
$dir = isset( $_POST['dir'] ) ? $_POST['dir'] : 'DESC';
|
||||
$sort = isset( $_POST['sort'] ) ? $_POST['sort'] : '';
|
||||
|
||||
@@ -1,3 +1,19 @@
|
||||
<?php
|
||||
G::LoadSystem('inputfilter');
|
||||
$filter = new InputFilter();
|
||||
if(isset($_GET['srv'])) {
|
||||
$_GET['srv'] = $filter->xssFilterHard($_GET['srv']);
|
||||
}
|
||||
if(isset($_GET['usr'])) {
|
||||
$_GET['usr'] = $filter->xssFilterHard($_GET['usr']);
|
||||
}
|
||||
if(isset($_GET['pass'])) {
|
||||
$_GET['pass'] = $filter->xssFilterHard($_GET['pass']);
|
||||
}
|
||||
if(isset($_GET['gen'])) {
|
||||
$_GET['gen'] = $filter->xssFilterHard($_GET['gen']);
|
||||
}
|
||||
?>
|
||||
<form action="r">
|
||||
Server: <input type="text" name="srv"
|
||||
value="<?php echo isset($_GET['srv'])?$_GET['srv']:'';?>"> User: <input
|
||||
|
||||
@@ -45,7 +45,10 @@ if ($access != 1) {
|
||||
}
|
||||
}
|
||||
|
||||
G::LoadSystem('inputfilter');
|
||||
$filter = new InputFilter();
|
||||
$form = $_POST['form'];
|
||||
$form = $filter->xssFilterHard($form);
|
||||
|
||||
//$tasUid = $form['TASKS'];
|
||||
$tasUid = $form['TAS_PARENT'];
|
||||
|
||||
@@ -29,6 +29,12 @@
|
||||
* @date Apr 5th, 2010
|
||||
*/
|
||||
|
||||
G::LoadSystem('inputfilter');
|
||||
$filter = new InputFilter();
|
||||
$_GET['i18'] = $filter->xssFilterHard($_GET['i18']);
|
||||
$_GET['newSite'] = $filter->xssFilterHard($_GET['newSite']);
|
||||
$_GET['module'] = $filter->xssFilterHard($_GET['module']);
|
||||
|
||||
if (($RBAC_Response = $RBAC->userCanAccess( "PM_SETUP" )) != 1)
|
||||
return $RBAC_Response;
|
||||
|
||||
|
||||
@@ -30,7 +30,11 @@
|
||||
* @LastModification 30/05/2008
|
||||
*/
|
||||
|
||||
|
||||
G::LoadSystem('inputfilter');
|
||||
$filter = new InputFilter();
|
||||
$_POST = $filter->xssFilterHard($_POST);
|
||||
$ID_ERROR = $filter->xssFilterHard(G::LoadTranslation('ID_ERROR'));
|
||||
$ID_REQUIRED_FIELDS_ERROR = $filter->xssFilterHard(G::LoadTranslation('ID_REQUIRED_FIELDS_ERROR'));
|
||||
|
||||
$width_content = '500px';
|
||||
|
||||
@@ -39,7 +43,7 @@
|
||||
<div class="boxContentBlue">
|
||||
<table width="100%" style="margin:0px;" cellspacing="0" cellpadding="0">
|
||||
<tr>
|
||||
<td class="userGroupTitle"><font color="red">'.G::LoadTranslation('ID_ERROR').'! </font> '.G::LoadTranslation('ID_REQUIRED_FIELDS_ERROR').'</td>
|
||||
<td class="userGroupTitle"><font color="red">'.$ID_ERROR.'! </font> '.$ID_REQUIRED_FIELDS_ERROR.'</td>
|
||||
</tr>
|
||||
</table>
|
||||
</div>
|
||||
|
||||
@@ -31,6 +31,10 @@
|
||||
*/
|
||||
|
||||
G::LoadClass('case');
|
||||
G::LoadSystem('inputfilter');
|
||||
$filter = new InputFilter();
|
||||
$_SESSION = $filter->xssFilterHard($_SESSION, "url");
|
||||
$nextStep = $filter->xssFilterHard($_POST['NextStep'], "url");
|
||||
|
||||
//variables
|
||||
$oApp= new Cases();
|
||||
@@ -44,6 +48,7 @@ for ($i=0; $i<count($_SESSION['TRIGGER_DEBUG']['DATA']); $i++) {
|
||||
}
|
||||
|
||||
$aVariables = array_merge($aFields['APP_DATA'], $aVariables);
|
||||
$aVariables = $filter->xssFilterHard($aVariables);
|
||||
ksort($aVariables);
|
||||
|
||||
//triggers
|
||||
@@ -262,9 +267,9 @@ if (count($DEBUG_POST) > 0) {?>
|
||||
|
||||
<!---->
|
||||
|
||||
<?php if (isset($_POST['NextStep'])) {?>
|
||||
<?php if (isset($nextStep)) {?>
|
||||
<input type="button" value="Continue" class="module_app_button___gray" onclick="javascript:location.href='
|
||||
<?php echo $_POST['NextStep']; ?>'">
|
||||
<?php echo $nextStep; ?>'">
|
||||
<?php
|
||||
}?>
|
||||
|
||||
|
||||
@@ -1,8 +1,12 @@
|
||||
<?php if (isset($_POST['NextStep'])) {?>
|
||||
<?php
|
||||
G::LoadSystem('inputfilter');
|
||||
$filter = new InputFilter();
|
||||
if (isset($_POST['NextStep'])) {
|
||||
$nextStep = $filter->xssFilterHard($_POST['NextStep'], "url"); ?>
|
||||
<div class="ui-widget-header ui-corner-all" width="100%" align="center">
|
||||
Processmaker - Debugger (Break Point)
|
||||
<input type="button" value="Continue" class="module_app_button___gray"
|
||||
onclick="javascript:location.href='<?php echo $_POST['NextStep']; ?>'">
|
||||
onclick="javascript:location.href='<?php echo $nextStep; ?>'">
|
||||
</div>
|
||||
<?php
|
||||
}
|
||||
|
||||
@@ -1,3 +1,11 @@
|
||||
<?php
|
||||
G::LoadSystem('inputfilter');
|
||||
$filter = new InputFilter();
|
||||
if(isset($_GET['gui'])) {
|
||||
$_GET['gui'] = $filter->xssFilterHard($_GET['gui']);
|
||||
$gui = $_GET['gui'];
|
||||
}
|
||||
?>
|
||||
<html>
|
||||
<style>
|
||||
.Footer{
|
||||
@@ -12,7 +20,7 @@
|
||||
}
|
||||
</style>
|
||||
<body onresize="autoResizeScreen()" onload="autoResizeScreen()">
|
||||
<iframe name="frameMain" id="frameMain" src ="../reportTables/mainInit?PRO_UID=<?php echo $_GET['gui']?>" width="99%" height="200" frameborder="0">
|
||||
<iframe name="frameMain" id="frameMain" src ="../reportTables/mainInit?PRO_UID=<?php echo $gui?>" width="99%" height="200" frameborder="0">
|
||||
<p>Your browser does not support iframes.</p>
|
||||
</iframe>
|
||||
</body>
|
||||
|
||||
@@ -32,16 +32,21 @@
|
||||
*/
|
||||
|
||||
|
||||
G::LoadSystem('inputfilter');
|
||||
G::LoadClass('net');
|
||||
$host = new net($_POST['srv']);
|
||||
$host = $filter->xssFilterHard($host);
|
||||
$width_content = '550px';
|
||||
$filter = new InputFilter();
|
||||
$_POST = $filter->xssFilterHard($_POST);
|
||||
$ID_SETUP_MAILCONF_TITLE = $filter->xssFilterHard(G::loadTranslation('ID_SETUP_MAILCONF_TITLE'));
|
||||
|
||||
$html = '
|
||||
<div class="boxTopBlue"><div class="a"></div><div class="b"></div><div class="c"></div></div>
|
||||
<div class="boxContentBlue">
|
||||
<table style="margin:0px;" cellspacing="0" cellpadding="0">
|
||||
<tr>
|
||||
<td class="userGroupTitle"><center>'.G::loadTranslation('ID_SETUP_MAILCONF_TITLE').'</center></td>
|
||||
<td class="userGroupTitle"><center>'.$ID_SETUP_MAILCONF_TITLE.'</center></td>
|
||||
</tr>
|
||||
</table>
|
||||
</div>
|
||||
|
||||
Reference in New Issue
Block a user