';
$html .= '';
@@ -114,19 +122,19 @@ $html .= '';
$html .= ' ';
$html .= '';
$html .= '';
-$html .= '| '.G::LoadTranslation('ID_RESULT').' | ';
+$html .= ''.$filter->xssFilterHard(G::LoadTranslation('ID_RESULT')).' | ';
$html .= '@@SYS_LANG | ';
$html .= ' ';
$html .= '';
-$html .= '| '.G::LoadTranslation('ID_DESCRIPTION').' | ';
-$html .= ''.G::LoadTranslation('ID_SYSTEM').' | ';
+$html .= ''.$filter->xssFilterHard(G::LoadTranslation('ID_DESCRIPTION')).' | ';
+$html .= ''.$filter->xssFilterHard(G::LoadTranslation('ID_SYSTEM')).' | ';
$html .= ' ';
$html .= ' ';
$html .= '';
$html .= ' ';
$html .= '';
$html .= '| ';
-$html .= '';
+$html .= '';
$html .= ' | ';
$html .= '';
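Review bot: The values wrapped on lines L8, L14 and L15 are translation strings being written into HTML, and `xssFilterHard()` is a sanitizer that rewrites its input rather than an encoder for that context; the conventional control for text placed in markup is `htmlspecialchars(G::LoadTranslation('ID_RESULT'), ENT_QUOTES, 'UTF-8')`, which leaves the translated text intact. The same sanitize-at-output pattern recurs at the `print` in dynaforms_Editor.php, the template `echo` in outputdocs_Ajax.php and the `echo 'saved: '` in processes_Ajax.php in this commit. The surrounding markup appears to have been lost in this rendering of the hunk, so the exact HTML context of each value cannot be confirmed from here.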
@@ -147,4 +155,4 @@ if (isset($_REQUEST['displayOption'])) {
echo $html;
-G::RenderPage( 'publish', $display );
+G::RenderPage( 'publish', $display );
\ No newline at end of file
diff --git a/workflow/engine/methods/dynaforms/dynaforms_Editor.php b/workflow/engine/methods/dynaforms/dynaforms_Editor.php
index eb7933dc4..916f46862 100755
--- a/workflow/engine/methods/dynaforms/dynaforms_Editor.php
+++ b/workflow/engine/methods/dynaforms/dynaforms_Editor.php
@@ -21,6 +21,12 @@
* For more information, contact Colosa Inc, 2566 Le Jeune Rd.,
* Coral Gables, FL, 33134, USA, or email info@colosa.com.
*/
+
+G::LoadSystem('inputfilter');
+$filter = new InputFilter();
+$_POST = $filter->xssFilterHard($_POST);
+$_GET = $filter->xssFilterHard($_GET);
+
if (($RBAC_Response = $RBAC->userCanAccess( "PM_FACTORY" )) != 1) {
return $RBAC_Response;
}
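Review bot: Only `$_GET` and `$_POST` are passed through the filter on lines L42–L43, whereas processes_Ajax.php in the same commit filters `$_REQUEST` as well; any read of `$_REQUEST` or `$_COOKIE` later in this file would still see unfiltered input. If the file is known to consume only `$_GET`/`$_POST`, a one-line comment such as `// only $_GET and $_POST are read by this page; $_REQUEST is not used` would make the intended scope of the filter explicit for the next reader.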
@@ -38,6 +44,9 @@ $G_SUB_MENU = 'processes';
$G_ID_MENU_SELECTED = 'PROCESSES';
$G_ID_SUB_MENU_SELECTED = 'FIELDS';
+$_GET['PRO_UID'] = $filter->xssFilterHard($_GET['PRO_UID']);
+$_GET['DYN_UID'] = $filter->xssFilterHard($_GET['DYN_UID']);
+
$PRO_UID = isset( $_GET['PRO_UID'] ) ? $_GET['PRO_UID'] : '0';
$DYN_UID = (isset( $_GET['DYN_UID'] )) ? urldecode( $_GET['DYN_UID'] ) : '0';
$_SESSION['PROCESS'] = $_GET['PRO_UID'];
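Review bot: Line L55 applies `urldecode()` to `$_GET['DYN_UID']` after the value was filtered on line L52, so a percent-encoded sequence can pass the filter unchanged and only be turned into the character it encodes afterwards, which defeats the filter for that value; decode first, then filter: `$DYN_UID = isset($_GET['DYN_UID']) ? $filter->xssFilterHard(urldecode($_GET['DYN_UID'])) : '0';`. Lines L51–L52 also index `$_GET['PRO_UID']` and `$_GET['DYN_UID']` before the `isset()` checks on lines L54–L55, raising an undefined-index notice when a parameter is absent, and they re-filter keys that the whole-array `$_GET` filter earlier in this file already covered. Guarding them with `isset()` or dropping them resolves both.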
@@ -50,6 +59,7 @@ if ($process->exists( $PRO_UID )) {
$process->load( $PRO_UID );
} else {
//TODO
+ $PRO_UID = $filter->xssFilterHard($PRO_UID);
print ("$PRO_UID doesn't exist, continue? yes") ;
}
diff --git a/workflow/engine/methods/outputdocs/outputdocs_Ajax.php b/workflow/engine/methods/outputdocs/outputdocs_Ajax.php
index a075149dc..c187ae60f 100755
--- a/workflow/engine/methods/outputdocs/outputdocs_Ajax.php
+++ b/workflow/engine/methods/outputdocs/outputdocs_Ajax.php
@@ -1,4 +1,7 @@
xssFilterHard($_REQUEST);
$action = isset( $_REQUEST['action'] ) ? $_REQUEST['action'] :'';
@@ -9,6 +12,7 @@ if ($action == '') {
switch ($action) {
case 'setTemplateFile':
+ $_FILES = $filter->xssFilterHard($_FILES);
//print_r($_FILES);
$_SESSION['outpudocs_tmpFile'] = PATH_DATA . $_FILES['templateFile']['name'];
// file_put_contents($_FILES['templateFile']['name'], file_get_contents($_FILES['templateFile']['tmp_name']));
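Review bot: The path on line L76 is built from the client-supplied `$_FILES['templateFile']['name']`, and the `xssFilterHard()` pass on line L74 targets markup, not directory separators or `..` segments, so the stored path is not constrained to `PATH_DATA`; normalise the name before concatenating, `$_SESSION['outpudocs_tmpFile'] = PATH_DATA . basename($_FILES['templateFile']['name']);`. Filtering the whole of `$_FILES` may also alter `tmp_name`, which is a server-generated path the upload handling presumably depends on; restricting the filter to the `name` field avoids that. The remainder of this `case` is outside the hunk.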
@@ -21,6 +25,7 @@ switch ($action) {
break;
case 'getTemplateFile':
+ $_SESSION['outpudocs_tmpFile'] = $filter->xssFilterHard($_SESSION['outpudocs_tmpFile']);
$aExtensions = array ("exe","com","dll","ocx","fon","ttf","doc","xls","mdb","rtf","bin","jpeg","jpg","jif","jfif","gif","tif","tiff","png","bmp","pdf","aac","mp3","mp3pro","vorbis","realaudio","vqf","wma","aiff","flac","wav","midi","mka","ogg","jpeg","ilbm","tar","zip","rar","arj","gzip","bzip2","afio","kgb","gz","asf","avi","mov","iff","ogg","ogm","mkv","3gp"
);
$sFileName = strtolower( $_SESSION['outpudocs_tmpFile'] );
@@ -28,11 +33,15 @@ switch ($action) {
$searchPos = strpos( $strRev, '.' );
$pos = (strlen( $sFileName ) - 1) - $searchPos;
$sExtension = substr( $sFileName, $pos + 1, strlen( $sFileName ) );
- if (! in_array( $sExtension, $aExtensions ))
- echo $content = file_get_contents( $_SESSION['outpudocs_tmpFile'] );
+ if (! in_array( $sExtension, $aExtensions )) {
+ $content = file_get_contents( $_SESSION['outpudocs_tmpFile'] );
+ $content = $filter->xssFilterHard($content);
+ echo $content;
+ }
break;
case 'loadTemplateContent':
+ $_POST = $filter->xssFilterHard($_POST);
require_once 'classes/model/OutputDocument.php';
$ooutputDocument = new OutputDocument();
if (isset( $_POST['OUT_DOC_UID'] )) {
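Review bot: Running `xssFilterHard()` over `$content` on line L93 rewrites the template file's bytes on their way back to the editor, so anything the filter removes is silently dropped from the template the user is editing; if the intent is to stop the browser interpreting the response, sending an explicit `Content-Type` header (plain text or attachment) is the control, and the sanitizer pass can be removed. The extension check on line L91 is a deny-list and `in_array()` is called without `strict: true`; an allow-list of the template types the editor actually accepts is the safer shape. Line L105 in the next hunk repeats the `$_POST` filter of line L98 in a second `case`; filtering `$_POST` once at the top of the file next to the `$_REQUEST` filter would remove the per-case duplication.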
@@ -43,6 +52,7 @@ switch ($action) {
break;
case 'lookForNameOutput':
+ $_POST = $filter->xssFilterHard($_POST);
require_once ('classes/model/Content.php');
require_once ("classes/model/OutputDocument.php");
diff --git a/workflow/engine/methods/processes/processes_Ajax.php b/workflow/engine/methods/processes/processes_Ajax.php
index 37f3229dd..9602959af 100755
--- a/workflow/engine/methods/processes/processes_Ajax.php
+++ b/workflow/engine/methods/processes/processes_Ajax.php
@@ -38,6 +38,13 @@ try {
break;
} */
//$oJSON = new Services_JSON();
+
+ G::LoadSystem('inputfilter');
+ $filter = new InputFilter();
+ $_GET = $filter->xssFilterHard($_GET);
+ $_POST = $filter->xssFilterHard($_POST);
+ $_REQUEST = $filter->xssFilterHard($_REQUEST);
+ //$_SESSION = $filter->xssFilterHard($_SESSION);
if (isset($_REQUEST['data'])) {
if($_REQUEST['action']=="addText"||$_REQUEST['action']=="updateText") {
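Review bot: Line L122 leaves a commented-out `$_SESSION` filter in the code (the same leftover appears in webServicesAjax.php in this commit); commented-out code should be deleted or replaced with a comment stating the decision, e.g. `// $_SESSION is server-populated and is deliberately not filtered here`. The filter is installed at line 38 of this file inside the `try`, so any read of `$_GET`/`$_POST`/`$_REQUEST` in the preceding lines, which are outside the hunk, would still see unfiltered values; worth confirming nothing there does.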
@@ -741,6 +748,8 @@ try {
// G::RenderPage( 'publish', 'blank' );
break;
case 'saveFile':
+ $_REQUEST['pro_uid'] = $filter->xssFilterHard($_REQUEST['pro_uid']);
+ $_REQUEST['filename'] = $filter->xssFilterHard($_REQUEST['filename']);
global $G_PUBLISH;
$G_PUBLISH = new Publisher();
global $RBAC;
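Review bot: `$_REQUEST['filename']` on line L130 appears to feed the file that this `saveFile` case writes (the `fwrite`/`fclose` are in the later `@@ -775` hunk, the `fopen` is outside both), and `xssFilterHard()` does not remove directory separators or `..`; the matching control is `$_REQUEST['filename'] = basename($filter->xssFilterHard($_REQUEST['filename']));` plus a format check on `pro_uid`. Lines L129–L130 also re-filter keys already covered by the whole-array `$_REQUEST` filter at line 38 of this file, and the `@@ -775` hunk filters `$sDirectory` only for the `echo`, after the file has already been written, so it does not protect the write itself.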
@@ -754,6 +763,7 @@ try {
$sDir = "";
if (isset($_REQUEST['MAIN_DIRECTORY'])) {
+ $_REQUEST['MAIN_DIRECTORY'] = $filter->xssFilterHard($_REQUEST['MAIN_DIRECTORY']);
$sDir = $_REQUEST['MAIN_DIRECTORY'];
}
switch ($sDir) {
@@ -775,6 +785,7 @@ try {
$content = base64_decode($content);
fwrite($fp, $content);
fclose($fp);
+ $sDirectory = $filter->xssFilterHard($sDirectory);
echo 'saved: ' . $sDirectory;
}
break;
@@ -830,8 +841,10 @@ try {
*
*/
case 'getVariablePrefix':
+ $_REQUEST['prefix'] = $filter->xssFilterHard($_REQUEST['prefix']);
$_REQUEST['prefix'] = $_REQUEST['prefix'] != null ? $_REQUEST['prefix'] : 'ID_TO_STRING';
- echo G::LoadTranslation($_REQUEST['prefix']);
+ $prefix = $filter->xssFilterHard(G::LoadTranslation($_REQUEST['prefix']));
+ echo G::LoadTranslation($prefix);
break;
/**
* return an array with all Variables of Grid type
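Review bot: Lines L156–L157 translate twice: `$prefix` already holds the filtered result of `G::LoadTranslation($_REQUEST['prefix'])`, and line L157 then feeds that translated text back into `G::LoadTranslation()` as a key, so the response is no longer the single translation that the removed line L155 emitted. Echo the value directly: `echo $prefix;`. Line L153 also re-filters a key that the whole-array `$_REQUEST` filter at line 38 of this file already covered.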
diff --git a/workflow/engine/methods/setup/emails_Ajax.php b/workflow/engine/methods/setup/emails_Ajax.php
index 6b533be25..c380a18d9 100755
--- a/workflow/engine/methods/setup/emails_Ajax.php
+++ b/workflow/engine/methods/setup/emails_Ajax.php
@@ -21,6 +21,13 @@
* For more information, contact Colosa Inc, 2566 Le Jeune Rd.,
* Coral Gables, FL, 33134, USA, or email info@colosa.com.
*/
+
+G::LoadSystem('inputfilter');
+$filter = new InputFilter();
+$_POST = $filter->xssFilterHard($_POST);
+if(isset($_SERVER['SERVER_NAME'])) {
+$_SERVER['SERVER_NAME'] = $filter->xssFilterHard($_SERVER['SERVER_NAME']);
+}
global $RBAC;
$RBAC->requirePermissions( 'PM_SETUP_ADVANCE' );
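Review bot: The body of the `if` on lines L173–L175 is not indented and `if(` lacks the space after the keyword used elsewhere in this commit, which reads as a paste rather than the file's style; `if (isset($_SERVER['SERVER_NAME'])) {` with the assignment indented one level. `SERVER_NAME` can reflect the request's Host header depending on web-server configuration, so filtering it is defensible, but a one-line comment stating that intent, e.g. `// SERVER_NAME may mirror the request Host header; filter it before it reaches output`, would explain why a server variable is being treated as input.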
diff --git a/workflow/engine/methods/setup/language_Ajax.php b/workflow/engine/methods/setup/language_Ajax.php
index 3bb445ee6..fad0d0b42 100755
--- a/workflow/engine/methods/setup/language_Ajax.php
+++ b/workflow/engine/methods/setup/language_Ajax.php
@@ -23,11 +23,16 @@
*/
try {
+ G::LoadSystem('inputfilter');
+ $filter = new InputFilter();
+ $_POST = $filter->xssFilterHard($_POST);
+
G::LoadInclude( 'ajax' );
if (isset( $_POST['form'] )) {
$_POST = $_POST['form'];
}
$_POST['function'] = get_ajax_value( 'function' );
+ $_POST['function'] = $filter->xssFilterHard($_POST['function']);
switch ($_POST['function']) {
case 'savePredetermined':
require_once "classes/model/Translation.php";
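Review bot: Line L194 filters `$_POST['function']` separately even though `$_POST` was filtered in full on line L187; this only makes sense if `get_ajax_value()` on line L193 reads from somewhere other than the filtered `$_POST` copy (its source is not visible here), and that reason should be stated, e.g. `// get_ajax_value() may read the raw request rather than the filtered $_POST; filter its result too`. If it does read the filtered array, line L194 is redundant and can be dropped.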
@@ -155,16 +160,16 @@ try {
if($locale != "en"){ //Default Lengage 'en'
if($locale != SYS_LANG){ //Current lenguage
//THERE IS NO ANY CASE STARTED FROM THES LANGUAGE
- if ($aRow[0] == 0) { //so we can delete this language
- try {
- Content::removeLanguageContent( $locale );
- $trn->removeTranslationEnvironment( $locale );
- echo G::LoadTranslation( 'ID_LANGUAGE_DELETED_SUCCESSFULLY' );
- } catch (Exception $e) {
- echo $e->getMessage();
- }
- } else {
- echo str_replace( '{0}', $aRow[0], G::LoadTranslation( 'ID_LANGUAGE_CANT_DELETE' ) );
+ if ($aRow[0] == 0) { //so we can delete this language
+ try {
+ Content::removeLanguageContent( $locale );
+ $trn->removeTranslationEnvironment( $locale );
+ echo G::LoadTranslation( 'ID_LANGUAGE_DELETED_SUCCESSFULLY' );
+ } catch (Exception $e) {
+ echo $e->getMessage();
+ }
+ } else {
+ echo str_replace( '{0}', $aRow[0], G::LoadTranslation( 'ID_LANGUAGE_CANT_DELETE' ) );
}
} else {
echo str_replace( '{0}', $aRow[0], G::LoadTranslation( 'ID_LANGUAGE_CANT_DELETE_CURRENTLY' ) );
diff --git a/workflow/engine/methods/setup/webServicesAjax.php b/workflow/engine/methods/setup/webServicesAjax.php
index d6cfd557e..97f141218 100755
--- a/workflow/engine/methods/setup/webServicesAjax.php
+++ b/workflow/engine/methods/setup/webServicesAjax.php
@@ -23,6 +23,10 @@
*/
ini_set( "soap.wsdl_cache_enabled", "0" ); // enabling WSDL cache
+G::LoadSystem('inputfilter');
+$filter = new InputFilter();
+$_GET = $filter->xssFilterHard($_GET);
+//$_SESSION = $filter->xssFilterHard($_SESSION);
G::LoadClass( 'ArrayPeer' );
if ($RBAC->userCanAccess( 'PM_SETUP' ) != 1 && $RBAC->userCanAccess( 'PM_FACTORY' ) != 1) {
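Review bot: `$_GET` is filtered on line L234 but `$_POST` is only filtered in the next hunk (line L241), after the context line `if ($_POST['action'] == '')` has already read the raw value; since that read only feeds an emptiness test and the later `switch` uses the filtered copy the effect is limited, but moving the `$_POST` filter up beside line L234 keeps all request arrays filtered at one point and removes the need for the repeated filter in the `default` branch later in this file. Line L235 leaves commented-out code (`//$_SESSION = ...`); delete it or replace it with a comment stating why the session is intentionally excluded.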
@@ -38,6 +42,8 @@ if ($_POST['action'] == '') {
$_POST['action'] = (isset( $_GET['action'] )) ? $_GET['action'] : '';
}
+$_POST = $filter->xssFilterHard($_POST);
+
switch ($_POST['action']) {
case 'showForm':
global $G_PUBLISH;
@@ -1504,7 +1510,7 @@ try {
die();
break;
default:
-
+ $_POST = $filter->xssFilterHard($_POST);
print_r( $_POST );
}
}
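Review bot: The `default` branch on lines L251–L252 re-filters `$_POST`, which line L241 of the earlier hunk already filtered in full, and then `print_r()`s the entire request back to the caller; echoing request contents for an unrecognised action is debug output and reveals more about the endpoint's handling than an error path should. Replace both lines with a fixed response, e.g. `echo 'Unknown action';` (or the project's translation for that message), and let the redundant filter go.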