HOR-282 Cleaned up more issues with XSS.

2016-03-03 13:23:23 +00:00
parent 3bf9e110db
commit 67812cc2f3
3 changed files with 17 additions and 10 deletions
--- a/workflow/engine/methods/tools/ajaxListener.php
+++ b/workflow/engine/methods/tools/ajaxListener.php
@@ -71,7 +71,7 @@ class Ajax
            }
        } catch (Exception $e) {
            $result->success = false;
-            $result->msg = $e->getMessage();
+            $result->msg = htmlspecialchars($e->getMessage());
        }
        print G::json_encode($result);
    }
@@ -93,7 +93,7 @@ class Ajax
            $result->msg = 'Deleted Successfully!';
        } catch (Exception $e) {
            $result->success = false;
-            $result->msg = $e->getMessage();
+            $result->msg = htmlspecialchars($e->getMessage());
        }
        print G::json_encode($result);
    }
@@ -106,7 +106,7 @@ class Ajax
            $result['success'] = true;
        } catch (Exception $e) {
            $result->success = false;
-            $result->msg = $e->getMessage();
+            $result->msg = htmlspecialchars($e->getMessage());
        }
        print G::json_encode($result);
    }
--- a/workflow/engine/skinEngine/base/error404.php
+++ b/workflow/engine/skinEngine/base/error404.php
@@ -13,17 +13,29 @@ if (isset($_GET["url"]) && $_GET["url"] != "") {
    $sysSys = "";
    $sysLang = "";
    $sysSkin = "";
-
+ 
    if (isset($url[1]) && preg_match("/^sys(.+)$/", $url[1], $match)) {
        $sysSys = $match[1];
-    }

+        // Check if sys path exists
+        $checkDir = PATH_DATA."sites/".$sysSys;
+        if(!is_dir($checkDir)) { 
+            $sysSys = '';
+        }
+    }
+    
    if (isset($url[2])) {
        $sysLang = $url[2];
    }

    if (isset($url[3])) {
        $sysSkin = $url[3];
+        
+        // Check if sys path exists
+        $checkDir = PATH_SKIN_ENGINE.$sysSkin;
+        if(!is_dir($checkDir)) { 
+            $sysSkin = '';
+        }
    }

    if ($sysSys != "" && $sysLang != "" && $sysSkin != "") {
--- a/workflow/engine/skinEngine/neoclassic/error404.php
+++ b/workflow/engine/skinEngine/neoclassic/error404.php
@@ -30,10 +30,6 @@ if (isset($_GET["url"]) && $_GET["url"] != "") {
    
    if (isset($url[2])) {
        $sysLang = $url[2];
-        
-        if($sysLang != 'en') { 
-            var_dump($sysLang);
-        }
    }

    if (isset($url[3])) {
@@ -44,7 +40,6 @@ if (isset($_GET["url"]) && $_GET["url"] != "") {
        if(!is_dir($checkDir)) { 
            $sysSkin = '';
        }
-
    }

    if ($sysSys != "" && $sysLang != "" && $sysSkin != "") {