Merge branch 'master' of bitbucket.org:colosa/processmaker into PM-1765

gulliver/bin/tasks/pakeGulliver.php

@@ -920,6 +920,8 @@ function run_create_poedit_file($task, $args) {
   G::LoadSystem('xmlform');
   G::LoadSystem('xmlformExtension');
   G::LoadSystem('form');
+  G::LoadSystem('inputfilter');
+  $filter = new InputFilter();
 
   $langIdOut = $langId; //the output language, later we'll include the country too.
   $exceptionFields = array (
@@ -993,21 +995,28 @@ function run_create_poedit_file($task, $args) {
       }
 
       else {
+        $xmlfile = $filter->xssFilterHard($xmlfile);
+        $exceptionFields = $filter->xssFilterHard($exceptionFields);
         if( is_object($node) && ! in_array($node->type, $exceptionFields) ) {
           if( isset($node->value) && strpos($node->value, 'G::LoadTranslation') !== false ) {
             $exceptIndex ++;
             //print ($node->value);
           } else {
+            $node->name = $filter->xssFilterHard($node->name);
+            $node->type = $filter->xssFilterHard($node->type);
             printf("Error: xmlform %s has no english definition for %s [%s]\n", pakeColor::colorize($xmlfile, 'ERROR'), pakeColor::colorize($node->name, 'INFO'), pakeColor::colorize($node->type, 'INFO'));
             $xmlError ++;
           }
         } else {
           $exceptIndex ++;
-          if( $verboseFlag )
+          if( $verboseFlag ){
+            $node->name = $filter->xssFilterHard($node->name);
+            $node->type = $filter->xssFilterHard($node->type);
             printf("%s %s in %s\n", $node->type, pakeColor::colorize($node->name, 'INFO'), pakeColor::colorize($xmlfile, 'INFO'));
           }
         }
       }
+    }
     unset($form->fields);
     unset($form->tree);
     unset($form);

gulliver/js/tinymce/jscripts/tiny_mce/plugins/inlinepopups/skins/clearlooks2/window.css

@@ -4,7 +4,7 @@
 .clearlooks2, .clearlooks2 div, .clearlooks2 span, .clearlooks2 a {vertical-align:baseline; text-align:left; position:absolute; border:0; padding:0; margin:0; background:transparent; font-family:Arial,Verdana; font-size:11px; color:#000; text-decoration:none; font-weight:normal; width:auto; height:auto; overflow:hidden; display:block}
 
 /* General */
-.clearlooks2 {position:absolute; direction:ltr}
+.clearlooks2 {position:fixed !important; direction:ltr; top:20px !important;height:552px !important;}
 .clearlooks2 .mceWrapper {position:static}
 .mceEventBlocker {position:fixed; left:0; top:0; background:url(img/horizontal.gif) no-repeat 0 -75px; width:100%; height:100%}
 .clearlooks2 .mcePlaceHolder {border:1px solid #000; background:#888; top:0; left:0; opacity:0.5; -ms-filter:'alpha(opacity=50)'; filter:alpha(opacity=50)}

gulliver/js/tinymce/jscripts/tiny_mce/themes/advanced/js/source_editor.js

@@ -73,6 +73,6 @@ function resizeInputs() {
 
 	if (el) {
 		el.style.width = (vp.w - 20) + 'px';
-		el.style.height = (vp.h - 65) + 'px';
+		el.style.height = (vp.h - 122) + 'px';
 	}
 }

gulliver/methods/controls/calendar.php

@@ -25,6 +25,9 @@
 	td {font-family: Tahoma, Verdana, sans-serif; font-size: 11px;}
 </style>
 <?php
+    G::LoadSystem('inputfilter');
+    $filter = new InputFilter();
+    $_GET = $filter->xssFilterHard($_GET);
 
 	$ARR_MONTHS = array ( "January", "February", "March", "April", "May", "June",
 		"July", "August", "September", "October", "November", "December");
@@ -109,6 +112,11 @@
   }
   $numWeeks = ( $end_date - $start_date )/3600/24/7 ;
   
+  $dtmin_value = $filter->xssFilterHard($dtmin_value);
+  $dtmax_value = $filter->xssFilterHard($dtmax_value);
+  $dt_currentYear = $filter->xssFilterHard($dt_currentYear);
+  $dt_currentMonth = $filter->xssFilterHard($dt_currentMonth);
+
 //print date('Y-m-d', $start_date ) . " $dtmin_value $dtmax_value ";
 ?>
 <input type='hidden' name='dtmin_value' id='dtmin_value' value='<?php echo $dtmin_value ?>' >

gulliver/system/class.dbMaintenance.php

@@ -305,8 +305,12 @@ class DataBaseMaintenance
     function backupData ()
     {
         $aTables = $this->getTablesList();
+        G::LoadSystem('inputfilter');
+        $filter = new InputFilter();
+        $aTables = $filter->xssFilterHard($aTables);
         foreach ($aTables as $table) {
             if ($this->dumpData( $table ) !== false) {
+                $this->outfile = $filter->xssFilterHard($this->outfile);
                 printf( "%20s %s %s\n", 'Dump of table:', $table, " in file {$this->outfile}" );
             } else {
                 return false;
@@ -343,6 +347,11 @@ class DataBaseMaintenance
     {
 
         $aTables = $this->getTablesList();
+        G::LoadSystem('inputfilter');
+        $filter = new InputFilter();
+        $aTables = $filter->xssFilterHard($aTables);
+        $this->tmpDir = $filter->xssFilterHard($this->tmpDir);
+        $this->infile = $filter->xssFilterHard($this->infile);
 
         foreach ($aTables as $table) {
             if (isset( $type ) && $type == 'sql') {
@@ -467,6 +476,7 @@ class DataBaseMaintenance
 
         G::LoadSystem('inputfilter');
         $filter = new InputFilter();
+        $table = $filter->xssFilterHard($table);
         $table = $filter->validateInput($table, 'nosql');
         $bytesSaved = 0;
         $query = "SELECT * FROM `%s`";
@@ -492,6 +502,7 @@ class DataBaseMaintenance
             $data .= ");\n";
         }
 
+        $data = $filter->xssFilterHard($data);
         printf( "%-59s%20s", "Dump of table $table", strlen( $data ) . " Bytes Saved\n" );
         return $data;
     }

gulliver/system/class.dbconnection.php

@@ -186,6 +186,10 @@ class DBConnection
     {
         global $_SESSION;
         global $_SERVER;
+        G::LoadSystem('inputfilter');
+        $filter = new InputFilter();
+        $_SERVER = $filter->xssFilterHard($_SERVER);
+        $_SESSION = $filter->xssFilterHard($_SESSION);
         if (is_null( $errorLevel ))
         if (isset( $this->errorLevel )) {
             $errorLevel = $this->errorLevel;
@@ -207,7 +211,7 @@ class DBConnection
             print "</textarea></td></tr></table>";
         }
         //G::setErrorHandler ( );
-        G::customErrorLog( 'DB_Error', $obj->code . ' ' . $obj->message . '-' . $obj->userinfo, '', '' );
+        //G::customErrorLog( 'DB_Error', $obj->code . ' ' . $obj->message . '-' . $obj->userinfo, '', '' );
         if ($errorLevel == DB_ERROR_SHOW_AND_STOP || $errorLevel == DB_ERROR_SHOWALL_AND_STOP) {
             die(); //stop
         }

gulliver/system/class.g.php

@@ -1073,6 +1073,12 @@ class G
      */
     public static function streamFile ($file, $download = false, $downloadFileName = '')
     {
+        G::LoadSystem('inputfilter');
+        $filter = new InputFilter();
+        $file = $filter->xssFilterHard($file);
+        if(isset($_SERVER['REQUEST_URI'])) {
+            $_SERVER['REQUEST_URI'] = $filter->xssFilterHard($_SERVER['REQUEST_URI'],"url");
+        }
         require_once (PATH_THIRDPARTY . 'jsmin/jsmin.php');
         $folderarray = explode( '/', $file );
         $typearray = explode( '.', basename( $file ) );
@@ -1081,8 +1087,11 @@ class G
 
         //trick to generate the translation.language.js file , merging two files
         if (strtolower( $typefile ) == 'js' && $typearray[0] == 'translation') {
+            $download = $filter->xssFilterHard($download);
+            $downloadFileName = $filter->xssFilterHard($downloadFileName);
             G::sendHeaders( $filename, 'text/javascript', $download, $downloadFileName );
             $output = G::streamJSTranslationFile( $filename, $typearray[1] );
+            $output = $filter->xssFilterHard($output);
             print $output;
             return;
         }
@@ -1091,6 +1100,7 @@ class G
         if (strtolower( $typefile ) == 'css' && $folderarray[count( $folderarray ) - 2] == 'css') {
             G::sendHeaders( $filename, 'text/css', $download, $downloadFileName );
             $output = G::streamCSSBigFile( $typearray[0] );
+            $output = $filter->xssFilterHard($output);
             print $output;
             return;
         }
@@ -3140,6 +3150,9 @@ class G
      */
     public function pr ($var)
     {
+        G::LoadSystem('inputfilter');
+        $filter = new InputFilter();
+        $var = $filter->xssFilterHard($var);
         print ("<pre>") ;
         print_r( $var );
         print ("</pre>") ;

gulliver/system/class.pagedTable.php

@@ -778,6 +778,13 @@ class pagedTable
      */
     public function renderTable ($block = '')
     {
+        G::LoadSystem('inputfilter');
+        $filter = new InputFilter();
+        $this->orderBy  = $filter->xssFilterHard($this->orderBy);
+        $this->currentPage  = $filter->xssFilterHard($this->currentPage);
+        $this->id  = $filter->xssFilterHard($this->id);
+        $this->name  = $filter->xssFilterHard($this->name);
+        $this->ownerPage  = $filter->xssFilterHard($this->ownerPage);
         // DBConnection
         $this->prepareQuery();
         //Query for get the number of rows
@@ -797,6 +804,9 @@ class pagedTable
             $this->tpl->assign( 'pagedTable_Id', $this->id );
             $this->tpl->assign( 'pagedTable_Name', $this->name );
             $this->tpl->assign( 'pagedTable_Height', $this->xmlForm->height );
+            $this->xmlForm->home  = $filter->xssFilterHard($this->xmlForm->home);
+            $this->filterForm  = $filter->xssFilterHard($this->filterForm);
+            $this->menu  = $filter->xssFilterHard($this->menu);
             if (file_exists( $this->xmlForm->home . $this->filterForm . '.xml' )) {
                 $filterForm = new filterForm( $this->filterForm, $this->xmlForm->home );
                 if ($this->menu === '') {
@@ -893,10 +903,14 @@ class pagedTable
             $this->tpl->assign( 'rowId', 'insertAtLast' );
             if ($this->currentPage > 1) {
                 $firstUrl = $this->ownerPage . '?order=' . $this->orderBy . '&page=1';
+                $firstUrl  = $filter->xssFilterHard($firstUrl);
                 $firstAjax = $this->id . ".doGoToPage(1);return false;";
+                $firstAjax  = $filter->xssFilterHard($firstAjax);
                 $prevpage = $this->currentPage - 1;
                 $prevUrl = $this->ownerPage . '?order=' . $this->orderBy . '&page=' . $prevpage;
+                $prevUrl  = $filter->xssFilterHard($prevUrl);
                 $prevAjax = $this->id . ".doGoToPage(" . $prevpage . ");return false;";
+                $prevAjax  = $filter->xssFilterHard($prevAjax);
                 $first = "<a href=\"" . htmlentities( $firstUrl, ENT_QUOTES, 'utf-8' ) . "\" onclick=\"" . $firstAjax . "\" class='firstPage'>&nbsp;</a>";
                 $prev = "<a href=\"" . htmlentities( $prevUrl, ENT_QUOTES, 'utf-8' ) . "\"  onclick=\"" . $prevAjax . "\" class='previousPage'>&nbsp;</a>";
             } else {
@@ -905,10 +919,14 @@ class pagedTable
             }
             if ($this->currentPage < $this->totpages) {
                 $lastUrl = $this->ownerPage . '?order=' . $this->orderBy . '&page=' . $this->totpages;
+                $lastUrl  = $filter->xssFilterHard($lastUrl);
                 $lastAjax = $this->id . ".doGoToPage(" . $this->totpages . ");return false;";
+                $lastAjax  = $filter->xssFilterHard($lastAjax);
                 $nextpage = $this->currentPage + 1;
                 $nextUrl = $this->ownerPage . '?order=' . $this->orderBy . '&page=' . $nextpage;
+                $nextUrl  = $filter->xssFilterHard($nextUrl);
                 $nextAjax = $this->id . ".doGoToPage(" . $nextpage . ");return false;";
+                $nextAjax  = $filter->xssFilterHard($nextAjax);
                 $next = "<a href=\"" . htmlentities( $nextUrl, ENT_QUOTES, 'utf-8' ) . "\" onclick=\"" . $nextAjax . "\" class='nextPage'>&nbsp;</a>";
                 $last = "<a href=\"" . htmlentities( $lastUrl, ENT_QUOTES, 'utf-8' ) . "\" onclick=\"" . $lastAjax . "\" class='lastPage'>&nbsp;</a>";
             } else {
@@ -920,6 +938,7 @@ class pagedTable
                 if (($r >= ($this->currentPage - 5)) && ($r <= ($this->currentPage + 5))) {
                     $pageAjax = $this->id . ".doGoToPage(" . $r . ");return false;";
                     if ($r != $this->currentPage) {                        
+                        $pageAjax  = $filter->xssFilterHard($pageAjax);
                         $pagesEnum .= "&nbsp;<a href=\"" . htmlentities( $this->ownerPage . '?order=' . $this->orderBy . '&page=' . $r, ENT_QUOTES, 'utf-8' ) . "\" onclick=\"" . $pageAjax . "\">" . $r . "</a>";
                     } else {
                         $pagesEnum .= "&nbsp;<a>" . $r . "</a>";

rbac/engine/templates/testAuthenticationSource.php

@@ -22,6 +22,10 @@
  * Coral Gables, FL, 33134, USA, or email info@colosa.com.
  * 
  */
+  G::LoadSystem('inputfilter');
+  $filter = new InputFilter();
+  $HTTP_SESSION_VARS = $filter->xssFilterHard($HTTP_SESSION_VARS);
+
   global $G_TABLE;
   global $G_CONTENT;
   global $HTTP_SESSION_VARS;
@@ -88,6 +92,7 @@
 
         $oResult = $oLdap->search($rootDn, $sFilter, $aParams);
         if (PEAR::isError($oResult)) {
+            $oLdap->message = $filter->xssFilterHard($oLdap->message);
             print ( $oLdap->message);
             return $oResult;
         }

workflow/engine/bin/tasks/cliMafe.php

@@ -40,6 +40,10 @@ CLI::taskRun('run_create_translation');
 
 function run_create_translation($args, $opts)
 {
+    G::LoadSystem('inputfilter');
+    $filter = new InputFilter();
+    $opts = $filter->xssFilterHard($opts);
+    $args = $filter->xssFilterHard($args);
     $rootDir = realpath(__DIR__."/../../../../");
     $app = new Maveriks\WebApplication();
     $app->setRootDir($rootDir);
@@ -53,7 +57,6 @@ function run_create_translation($args, $opts)
     foreach ($workspaces as $workspace) {
         try {
             echo "Updating labels for workspace " . pakeColor::colorize($workspace->name, "INFO") . "\n";
-            $app->loadEnvironment($workspace->name, $loadConstants);
             $translation->generateTransaltionMafe($lang);
         } catch (Exception $e) {
             echo "Errors upgrading labels for workspace " . CLI::info($workspace->name) . ": " . CLI::error($e->getMessage()) . "\n";

workflow/engine/bin/tasks/cliWorkspaces.php

@@ -228,6 +228,10 @@ function run_info($args, $opts) {
 }
 
 function run_workspace_upgrade($args, $opts) {
+  G::LoadSystem('inputfilter');
+  $filter = new InputFilter();
+  $opts = $filter->xssFilterHard($opts);
+  $args = $filter->xssFilterHard($args);
   $workspaces = get_workspaces_from_args($args);
   $first = true;
   $lang = array_key_exists("lang", $opts) ? $opts['lang'] : 'en';
@@ -242,6 +246,10 @@ function run_workspace_upgrade($args, $opts) {
 }
 
 function run_translation_upgrade($args, $opts) {
+  G::LoadSystem('inputfilter');
+  $filter = new InputFilter();
+  $opts = $filter->xssFilterHard($opts);
+  $args = $filter->xssFilterHard($args);
   $workspaces = get_workspaces_from_args($args);
   $first = true;
   foreach ($workspaces as $workspace) {
@@ -256,6 +264,10 @@ function run_translation_upgrade($args, $opts) {
 }
 
 function run_cacheview_upgrade($args, $opts) {
+  G::LoadSystem('inputfilter');
+  $filter = new InputFilter();
+  $opts = $filter->xssFilterHard($opts);
+  $args = $filter->xssFilterHard($args);
   $workspaces = get_workspaces_from_args($args);
   $lang = array_key_exists("lang", $opts) ? $opts['lang'] : 'en';
   foreach ($workspaces as $workspace) {
@@ -304,6 +316,10 @@ function run_migrate_new_cases_lists($args, $opts) {
 }
 
 function database_upgrade($command, $args) {
+  G::LoadSystem('inputfilter');
+  $filter = new InputFilter();
+  $command = $filter->xssFilterHard($command);
+  $args = $filter->xssFilterHard($args);
   $workspaces = get_workspaces_from_args($args);
   $checkOnly = (strcmp($command, "check") == 0);
   foreach ($workspaces as $workspace) {
@@ -587,6 +603,10 @@ function runStructureDirectories($command, $args) {
 
 function run_database_generate_self_service_by_value($args, $opts)
 {
+    G::LoadSystem('inputfilter');
+    $filter = new InputFilter();
+    $opts = $filter->xssFilterHard($opts);
+    $args = $filter->xssFilterHard($args);
     try {
         $arrayWorkspace = get_workspaces_from_args($args);
 

workflow/engine/classes/class.processMap.php

@@ -2356,7 +2356,11 @@ class processMap
               $G_PUBLISH->AddContent('propeltable', 'paged-table', '/cases/cases_Scheduler_List', $oCriteria, array('CONFIRM' => G::LoadTranslation('ID_MSG_CONFIRM_DELETE_CASE_SCHEDULER')));
               G::RenderPage('publish');
               //return true; */
+            G::LoadSystem('inputfilter');
+            $filter = new InputFilter();
             $schedulerPath = SYS_URI . "cases/cases_Scheduler_List";
+            $schedulerPath = $filter->xssFilterHard($schedulerPath);
+            $sProcessUID = $filter->xssFilterHard($sProcessUID);
             $html = "<iframe  WIDTH=820 HEIGHT=530 FRAMEBORDER=0 src='" . $schedulerPath . '?PRO_UID=' . $sProcessUID . "'></iframe>";
             echo $html;
         } catch (Exception $oError) {

workflow/engine/classes/class.propelTable.php

@@ -560,6 +560,12 @@ class propelTable
      */
     public function renderTable ($block = '', $fields = '')
     { 
+        G::LoadSystem('inputfilter');
+        $filter = new InputFilter();
+        $fields = $filter->xssFilterHard($fields);
+        $this->orderBy = $filter->xssFilterHard($this->orderBy);
+        $this->currentPage = $filter->xssFilterHard($this->currentPage);
+        
         //Render Title
         $thereisnotitle = true;
         foreach ($this->fields as $r => $rval) {
@@ -603,6 +609,11 @@ class propelTable
             $this->tpl->assign( 'pagedTable_Name', $this->name );
             $this->tpl->assign( 'pagedTable_Height', $this->xmlForm->height );
             $this->tpl->assign( "title", $this->title );
+            
+            $this->xmlForm->home = $filter->xssFilterHard($this->xmlForm->home);
+            $this->filterForm = $filter->xssFilterHard($this->filterForm);
+            $this->menu = $filter->xssFilterHard($this->menu);
+            
             if (file_exists( $this->xmlForm->home . $this->filterForm . '.xml' )) {
                 $filterForm = new filterForm( $this->filterForm, $this->xmlForm->home );
                 if ($this->menu === '') {
@@ -839,6 +850,12 @@ class propelTable
                 }
                 $this->tpl->assign( "pagesEnum", $pagesEnum );
             }
+            
+            $this->name = $filter->xssFilterHard($this->name);
+            $this->orderBy = $filter->xssFilterHard($this->orderBy);
+            $this->currentPage = $filter->xssFilterHard($this->currentPage);
+            $this->id = $filter->xssFilterHard($this->id);
+            
             ?>
 
             <script language='JavaScript'>

workflow/engine/classes/class.webdav.php

@@ -398,13 +398,18 @@ class ProcessMakerWebDav extends HTTP_WebDAV_Server
      */
     public function GET(&$options)
     {
-        $paths = $this->paths;
+        G::LoadSystem('inputfilter');
+        $filter = new InputFilter();
+        $options = $filter->xssFilterHard($options);
+        $paths = $filter->xssFilterHard($this->paths);
 
         $pathClasses = PATH_DB . SYS_SYS . PATH_SEP . 'classes' . PATH_SEP;
         if (count($paths) > 0 && $paths[0] == 'classes' && is_dir($pathClasses)) {
             $fsFile = $pathClasses . $paths[1];
+            $fsFile = $filter->xssFilterHard($fsFile);
             if (count($paths) == 2 && file_exists($fsFile)) {
                 $content = file_get_contents($fsFile);
+                $content = $filter->xssFilterHard($content);
                 print $content;
                 header("Content-Type: " . mime_content_type($fsFile));
                 header("Last-Modified: " . date("D, j M Y H:m:s ", file_mtime($fsFile)) . "GMT");
@@ -418,8 +423,10 @@ class ProcessMakerWebDav extends HTTP_WebDAV_Server
             if (count($paths) == 4 && $paths[2] == 'xmlforms') {
                 $pathXmlform = $pathProcesses . 'xmlForms' . PATH_SEP . $paths[1] . PATH_SEP;
                 $fsFile = $pathXmlform . $paths[3];
+                $fsFile = $filter->xssFilterHard($fsFile);
                 if (count($paths) == 4 && file_exists($fsFile)) {
                     $content = file_get_contents($fsFile);
+                    $content = $filter->xssFilterHard($content);
                     print $content;
                     header("Content-Type: " . mime_content_type($fsFile));
                     header("Last-Modified: " . date("D, j M Y H:m:s ", file_mtime($fsFile)) . "GMT");
@@ -431,8 +438,10 @@ class ProcessMakerWebDav extends HTTP_WebDAV_Server
             if (count($paths) == 4 && $paths[2] == 'mailTemplates') {
                 $pathTemplates = $pathProcesses . 'mailTemplates' . PATH_SEP . $paths[1] . PATH_SEP;
                 $fsFile = $pathTemplates . $paths[3];
+                $fsFile = $filter->xssFilterHard($fsFile);
                 if (count($paths) == 4 && file_exists($fsFile)) {
                     $content = file_get_contents($fsFile);
+                    $content = $filter->xssFilterHard($content);
                     print $content;
                     header("Content-Type: " . mime_content_type($fsFile));
                     header("Last-Modified: " . date("D, j M Y H:m:s ", file_mtime($fsFile)) . "GMT");
@@ -444,8 +453,10 @@ class ProcessMakerWebDav extends HTTP_WebDAV_Server
             if (count($paths) == 4 && $paths[2] == 'public_html') {
                 $pathPublic = $pathProcesses . 'public' . PATH_SEP . $paths[1] . PATH_SEP;
                 $fsFile = $pathPublic . $paths[3];
+                $fsFile = $filter->xssFilterHard($fsFile);
                 if (count($paths) == 4 && file_exists($fsFile)) {
                     $content = file_get_contents($fsFile);
+                    $content = $filter->xssFilterHard($content);
                     print $content;
                     header("Content-Type: " . mime_content_type($fsFile));
                     header("Last-Modified: " . date("D, j M Y H:m:s ", file_mtime($fsFile)) . "GMT");
@@ -967,11 +978,15 @@ class ProcessMakerWebDav extends HTTP_WebDAV_Server
      */
     public function checkLock($path)
     {
+        G::LoadSystem('inputfilter');
+        $filter = new InputFilter();
+        $path = $filter->validateInput($path, 'nosql');
         $result = false;
 
         $query = "SELECT owner, token, expires, exclusivelock
               FROM locks
-            WHERE path = '$path' ";
+            WHERE path = '%s' ";
+        $query = $filter->preventSqlInjection($query, array($path));
         $res = mysql_query($query);
 
         if ($res) {

workflow/engine/classes/class.wsTools.php

@@ -1842,12 +1842,14 @@ class workspaceTools
             throw $e;
         }
     }
+
     /**
      * Migrate all cases to New list
      *
      * return all LIST TABLES with data
      */
-    public function migrateList ($workSpace){
+    public function migrateList ($workSpace)
+    {
         $this->initPropel(true);
         $appCache = new AppCacheView();
         G::LoadClass("case");
@@ -1887,25 +1889,31 @@ class workspaceTools
         
         //Select data TO_DO OR DRAFT
         $inbCriteria = $appCache->getSelAllColumns();
-        $inbCriteria->add(AppCacheViewPeer::APP_STATUS, "CANCELLED", CRITERIA::NOT_EQUAL);
         $rsCriteria = AppCacheViewPeer::doSelectRS($inbCriteria);
         $rsCriteria->setFetchmode(ResultSet::FETCHMODE_ASSOC);
+
         //Insert new data LIST_INBOX
         while ($rsCriteria->next()) {
             $row = $rsCriteria->getRow();
+            $isSelfService = ($row['USR_UID'] == '') ? true : false;
             if($row["DEL_THREAD_STATUS"] == 'OPEN'){
+                $row["DEL_PREVIOUS_USR_UID"] = $row["PREVIOUS_USR_UID"];
                 $listInbox = new ListInbox();
                 $listInbox->remove($row["APP_UID"],$row["DEL_INDEX"]);
                 $listInbox->setDeleted(false);
-                  $listInbox->create($row);
+                $listInbox->create($row, $isSelfService);
             } else {
                 // create participated List when the thread is CLOSED
                 $listParticipatedHistory = new ListParticipatedHistory();
-                 $listParticipatedHistory->remove($row['APP_UID'],$row['DEL_INDEX']);
+                $listParticipatedHistory->remove($row['APP_UID'], $row['DEL_INDEX']);
                 $listParticipatedHistory = new ListParticipatedHistory();
                 $listParticipatedHistory->create($row);
-                 $listParticipatedLast = new ListParticipatedLast();
+
-                 $listParticipatedLast->remove($row['APP_UID'], $row['USR_UID']);
+                $oCriteria = new Criteria('workflow');
+                $oCriteria->add(ListParticipatedLastPeer::APP_UID, $row['APP_UID']);
+                $oCriteria->add(ListParticipatedLastPeer::USR_UID, $row['USR_UID']);
+                ListParticipatedLastPeer::doDelete($oCriteria);
+
                 $listParticipatedLast = new ListParticipatedLast();
                 $listParticipatedLast->create($row);
                 $listParticipatedLast = new ListParticipatedLast();
@@ -1913,6 +1921,7 @@ class workspaceTools
             }
               
         }
+
         CLI::logging("> Completed table LIST_INBOX\n");
         //With this List is populated the LIST_PARTICIPATED_HISTORY and LIST_PARTICIPATED_LAST
         CLI::logging("> Completed table LIST_PARTICIPATED_HISTORY\n");
@@ -1939,7 +1948,13 @@ class workspaceTools
         $delaycriteria->addSelectColumn(AppDelayPeer::PRO_UID);
         $delaycriteria->addSelectColumn(AppDelayPeer::APP_DEL_INDEX);
         $delaycriteria->addSelectColumn(AppCacheViewPeer::APP_NUMBER);
-        $delaycriteria->addJoin( AppCacheViewPeer::APP_UID, AppDelayPeer::APP_UID, Criteria::INNER_JOIN );
+        $delaycriteria->addSelectColumn(AppCacheViewPeer::USR_UID);
+        $delaycriteria->addSelectColumn(AppCacheViewPeer::APP_STATUS);
+        $delaycriteria->addSelectColumn(AppCacheViewPeer::TAS_UID);
+
+        $delaycriteria->addJoin( AppCacheViewPeer::APP_UID, AppDelayPeer::APP_UID . ' AND ' . AppCacheViewPeer::DEL_INDEX . ' = ' . AppDelayPeer::APP_DEL_INDEX, Criteria::INNER_JOIN );
+        $delaycriteria->add(AppDelayPeer::APP_DISABLE_ACTION_USER, "0", CRITERIA::EQUAL);
+        $delaycriteria->add(AppDelayPeer::APP_TYPE, "PAUSE", CRITERIA::EQUAL);
         $rsCriteria = AppDelayPeer::doSelectRS($delaycriteria);
         $rsCriteria->setFetchmode(ResultSet::FETCHMODE_ASSOC);
         //Insert new data LIST_PAUSED
@@ -1948,7 +1963,6 @@ class workspaceTools
               $data = $row;
               $data["DEL_INDEX"] = $row["APP_DEL_INDEX"];
               $listPaused = new ListPaused();
-              $listPaused->remove($data["APP_UID"],$data["DEL_INDEX"]);
               $listPaused->setDeleted(false);
               $listPaused->create($data);
         }
@@ -2006,6 +2020,7 @@ class workspaceTools
         $this->listFirstExecution('insert');
         return true;
     }
+
     /**
      * This function checks if List tables are going to migrated 
      *

workflow/engine/classes/model/AdditionalTables.php

@@ -447,10 +447,10 @@ class AdditionalTables extends BaseAdditionalTables
         }
         G::LoadSystem('inputfilter');
         $filter = new InputFilter();        
-        $sort = $filter->validateInput($_POST['sort']);
         $sClassPeerName = $filter->validateInput($sClassPeerName);
 
         if (isset($_POST['sort'])) {
+            $_POST['sort'] = $filter->validateInput($_POST['sort']);
             if ($_POST['dir'] == 'ASC') {
                 if ($keyOrderUppercase) {
                     eval('$oCriteria->addAscendingOrderByColumn("' . $sort . '");');

workflow/engine/classes/model/ListInbox.php

@@ -49,8 +49,11 @@ class ListInbox extends BaseListInbox
 
             // remove and create participated last
             if (!$isSelfService) {
-                $listParticipatedLast = new ListParticipatedLast();
+                $oCriteria = new Criteria('workflow');
-                $listParticipatedLast->remove($data['APP_UID'], $data['USR_UID']);
+                $oCriteria->add(ListParticipatedLastPeer::APP_UID, $data['APP_UID']);
+                $oCriteria->add(ListParticipatedLastPeer::USR_UID, $data['USR_UID']);
+                ListParticipatedLastPeer::doDelete($oCriteria);
+
                 $listParticipatedLast = new ListParticipatedLast();
                 $listParticipatedLast->create($data);
                 $listParticipatedLast = new ListParticipatedLast();
@@ -367,6 +370,11 @@ class ListInbox extends BaseListInbox
     {
         $criteria = new Criteria();
         $criteria->add( ListInboxPeer::USR_UID, $usr_uid, Criteria::EQUAL );
+        if ($filters['action'] == 'draft') {
+            $criteria->add( ListInboxPeer::APP_STATUS, 'DRAFT', Criteria::EQUAL );
+        } else {
+            $criteria->add( ListInboxPeer::APP_STATUS, 'TO_DO', Criteria::EQUAL );
+        }
         self::loadFilters($criteria, $filters);
         $total = ListInboxPeer::doCount( $criteria );
         return (int)$total;

workflow/engine/classes/model/ListMyInbox.php

@@ -123,6 +123,7 @@ class ListMyInbox extends BaseListMyInbox
 
         if ($data['DEL_INDEX'] == 1 && $data['APP_STATUS'] == 'TO_DO') {
             $data['APP_CREATE_DATE'] = $data['APP_UPDATE_DATE'];
+            $this->remove($data['APP_UID'], $data['USR_UID']);
             $this->create($data);
         } else {
             unset($data['USR_UID']);

workflow/engine/classes/model/ListParticipatedLast.php

@@ -143,9 +143,9 @@ class ListParticipatedLast extends BaseListParticipatedLast
      * @throws type
      *
      */
-    public function remove ($app_uid, $usr_uid)
+    public function remove ($app_uid, $usr_uid, $del_index)
     {
-        $existField = ListParticipatedLastPeer::retrieveByPK($app_uid, $usr_uid);
+        $existField = ListParticipatedLastPeer::retrieveByPK($app_uid, $usr_uid, $del_index);
         if (! is_null( $existField )) {
             $users = new Users();
             $users->refreshTotal($usr_uid, 'removed', 'participated');

workflow/engine/classes/model/map/ListParticipatedLastMapBuilder.php

@@ -69,7 +69,7 @@ class ListParticipatedLastMapBuilder
 
         $tMap->addPrimaryKey('USR_UID', 'UsrUid', 'string', CreoleTypes::VARCHAR, true, 32);
 
-        $tMap->addColumn('DEL_INDEX', 'DelIndex', 'int', CreoleTypes::INTEGER, true, null);
+        $tMap->addPrimaryKey('DEL_INDEX', 'DelIndex', 'int', CreoleTypes::INTEGER, true, null);
 
         $tMap->addColumn('TAS_UID', 'TasUid', 'string', CreoleTypes::VARCHAR, true, 32);
 

workflow/engine/classes/model/om/BaseListParticipatedLast.php

@@ -1686,6 +1686,7 @@ abstract class BaseListParticipatedLast extends BaseObject implements Persistent
 
         $criteria->add(ListParticipatedLastPeer::APP_UID, $this->app_uid);
         $criteria->add(ListParticipatedLastPeer::USR_UID, $this->usr_uid);
+        $criteria->add(ListParticipatedLastPeer::DEL_INDEX, $this->del_index);
 
         return $criteria;
     }
@@ -1703,6 +1704,8 @@ abstract class BaseListParticipatedLast extends BaseObject implements Persistent
 
         $pks[1] = $this->getUsrUid();
 
+        $pks[2] = $this->getDelIndex();
+
         return $pks;
     }
 
@@ -1719,6 +1722,8 @@ abstract class BaseListParticipatedLast extends BaseObject implements Persistent
 
         $this->setUsrUid($keys[1]);
 
+        $this->setDelIndex($keys[2]);
+
     }
 
     /**
@@ -1734,8 +1739,6 @@ abstract class BaseListParticipatedLast extends BaseObject implements Persistent
     public function copyInto($copyObj, $deepCopy = false)
     {
 
-        $copyObj->setDelIndex($this->del_index);
-
         $copyObj->setTasUid($this->tas_uid);
 
         $copyObj->setProUid($this->pro_uid);
@@ -1781,6 +1784,8 @@ abstract class BaseListParticipatedLast extends BaseObject implements Persistent
 
         $copyObj->setUsrUid(''); // this is a pkey column, so set to default value
 
+        $copyObj->setDelIndex('0'); // this is a pkey column, so set to default value
+
     }
 
     /**

workflow/engine/classes/model/om/BaseListParticipatedLastPeer.php

@@ -487,6 +487,9 @@ abstract class BaseListParticipatedLastPeer
             $comparison = $criteria->getComparison(ListParticipatedLastPeer::USR_UID);
             $selectCriteria->add(ListParticipatedLastPeer::USR_UID, $criteria->remove(ListParticipatedLastPeer::USR_UID), $comparison);
 
+            $comparison = $criteria->getComparison(ListParticipatedLastPeer::DEL_INDEX);
+            $selectCriteria->add(ListParticipatedLastPeer::DEL_INDEX, $criteria->remove(ListParticipatedLastPeer::DEL_INDEX), $comparison);
+
         } else {
             $criteria = $values->buildCriteria(); // gets full criteria
             $selectCriteria = $values->buildPkeyCriteria(); // gets criteria w/ primary key(s)
@@ -560,10 +563,12 @@ abstract class BaseListParticipatedLastPeer
 
                 $vals[0][] = $value[0];
                 $vals[1][] = $value[1];
+                $vals[2][] = $value[2];
             }
 
             $criteria->add(ListParticipatedLastPeer::APP_UID, $vals[0], Criteria::IN);
             $criteria->add(ListParticipatedLastPeer::USR_UID, $vals[1], Criteria::IN);
+            $criteria->add(ListParticipatedLastPeer::DEL_INDEX, $vals[2], Criteria::IN);
         }
 
         // Set the correct dbName
@@ -626,10 +631,11 @@ abstract class BaseListParticipatedLastPeer
      * Retrieve object using using composite pkey values.
      * @param string $app_uid
        * @param string $usr_uid
+       * @param int $del_index
         * @param      Connection $con
      * @return     ListParticipatedLast
      */
-    public static function retrieveByPK($app_uid, $usr_uid, $con = null)
+    public static function retrieveByPK($app_uid, $usr_uid, $del_index, $con = null)
     {
         if ($con === null) {
             $con = Propel::getConnection(self::DATABASE_NAME);
@@ -637,6 +643,7 @@ abstract class BaseListParticipatedLastPeer
         $criteria = new Criteria();
         $criteria->add(ListParticipatedLastPeer::APP_UID, $app_uid);
         $criteria->add(ListParticipatedLastPeer::USR_UID, $usr_uid);
+        $criteria->add(ListParticipatedLastPeer::DEL_INDEX, $del_index);
         $v = ListParticipatedLastPeer::doSelect($criteria, $con);
 
         return !empty($v) ? $v[0] : null;

workflow/engine/classes/triggers/api/class.zimbraApi.php

@@ -803,6 +803,9 @@ class Zimbra
     protected function message($message)
     {
         if ($this->debug) {
+            G::LoadSystem('inputfilter');
+            $filter = new InputFilter();
+            $message = $filter->xssFilterHard($message);
             echo $message;
         }
     }
@@ -823,6 +826,9 @@ class Zimbra
      */
     protected function soapRequest($body, $header = false, $connecting = false)
     {
+        G::LoadSystem('inputfilter');
+        $filter = new InputFilter();
+        
         if (!$connecting && !$this->_connected) {
             throw new Exception('zimbra.class: soapRequest called without a connection to Zimbra server');
         }
@@ -842,7 +848,9 @@ class Zimbra
 
         curl_setopt($this->_curl, CURLOPT_POSTFIELDS, $soap_message);
 
-        if (!($response = curl_exec($this->_curl))) {
+        $this->_curl = $filter->xssFilterHard($this->_curl,"url");
+        $response = curl_exec($this->_curl);
+        if (!$response) {
             $this->error = 'ERROR: curl_exec - (' . curl_errno($this->_curl) . ') ' . curl_error($this->_curl);
             return false;
         } elseif (strpos($response, '<soap:Body><soap:Fault>') !== false) {

workflow/engine/config/schema.xml

@@ -4017,7 +4017,7 @@
         </vendor>
         <column name="APP_UID" type="VARCHAR" size="32" required="true" primaryKey="true" default=""/>
         <column name="USR_UID" type="VARCHAR" size="32" required="true" primaryKey="true" default=""/>
-        <column name="DEL_INDEX" type="INTEGER" required="true" default="0"/>
+        <column name="DEL_INDEX" type="INTEGER" required="true" primaryKey="true" default=""/>
         <column name="TAS_UID" type="VARCHAR" size="32" required="true" default=""/>
         <column name="PRO_UID" type="VARCHAR" size="32" required="true" default=""/>
         <column name="APP_NUMBER" type="INTEGER" required="true" default="0"/>

workflow/engine/controllers/adminProxy.php

@@ -1009,6 +1009,12 @@ class adminProxy extends HttpProxyController
     public function uploadImage()
     {
         //!dataSystem
+        
+        G::LoadSystem('inputfilter');
+        $filter = new InputFilter();
+        $_SERVER["REQUEST_URI"] = $filter->xssFilterHard($_SERVER["REQUEST_URI"]);
+        $_FILES = $filter->xssFilterHard($_FILES);
+        
         $ainfoSite = explode("/", $_SERVER["REQUEST_URI"]);
         $dir       = PATH_DATA."sites".PATH_SEP.str_replace("sys","",$ainfoSite[1]).PATH_SEP."files/logos";
         global $_FILES;
@@ -1036,7 +1042,9 @@ class adminProxy extends HttpProxyController
         $uploaded = 0;
         $failed   = 0;
         
-        if (in_array($_FILES['img']['type'], $allowedType)) {
+        $files_img_type = $filter->xssFilterHard($_FILES['img']['type']);
+
+        if (in_array($files_img_type, $allowedType)) {
              // max upload file is 500 KB
             if ($_FILES['img']['size'] <= 500000) {
                 $formf     = $_FILES['img'];
@@ -1055,7 +1063,7 @@ class adminProxy extends HttpProxyController
                         $arrayInfo = getimagesize($dir . '/' . 'tmp' . $fileName);
                         $typeMime  = $arrayInfo[2];
                     }
-                    if ($typeMime == $allowedTypeArray['index' . base64_encode($_FILES['img']['type'])]) {
+                    if ($typeMime == $allowedTypeArray['index' . base64_encode($files_img_type)]) {
                         $error = false;
                         try {
                             list($imageWidth, $imageHeight, $imageType) = @getimagesize($dir . '/' . 'tmp' . $fileName);
@@ -1075,10 +1083,10 @@ class adminProxy extends HttpProxyController
             } else {
                 $failed = "2";
             }
-        } elseif ($_FILES['img']['type'] != '') {
+        } elseif ($files_img_type != '') {
             $failed = "1";
         }
-        echo '{success: true, failed: ' . $failed . ', uploaded: ' . $uploaded . ', type: "' . $_FILES['img']['type'] . '"}';
+        echo '{success: true, failed: ' . $failed . ', uploaded: ' . $uploaded . ', type: "' . $files_img_type . '"}';
         exit();
     }
 

workflow/engine/controllers/installer.php

@@ -433,6 +433,9 @@ class Installer extends Controller
      */
     public function mysqlQuery ($sql)
     {
+        G::LoadSystem('inputfilter');
+        $filter = new InputFilter();
+        $sql = $filter->preventSqlInjection($sql, Array());
         $this->installLog( $sql );
         $query = @mysql_query( $sql, $this->link );
         if (! $query) {
@@ -450,6 +453,9 @@ class Installer extends Controller
      */
     public function mssqlQuery ($sql)
     {
+        G::LoadSystem('inputfilter');
+        $filter = new InputFilter();
+        $sql = $filter->preventSqlInjection($sql, Array());
         $this->installLog( $sql );
         $query = @mssql_query( $sql, $this->link );
         if (! $query) {
@@ -587,9 +593,13 @@ class Installer extends Controller
      */
     public function setGrantPrivilegesMySQL ($psUser, $psPassword, $psDatabase, $host)
     {
+        G::LoadSystem('inputfilter');
+        $filter = new InputFilter();
         $host = ($host == 'localhost' || $host == '127.0.0.1' ? 'localhost' : '%');
 
-        $sql = sprintf( "GRANT ALL PRIVILEGES ON `%s`.* TO %s@'%s' IDENTIFIED BY '%s' WITH GRANT OPTION", $psDatabase, $psUser, $host, $psPassword );
+        $query = "GRANT ALL PRIVILEGES ON `%s`.* TO %s@'%s' IDENTIFIED BY '%s' WITH GRANT OPTION";
+        $sql = sprintf( $query, $psDatabase, $psUser, $host, $psPassword );
+        $sql = $filter->preventSqlInjection($query, array($psDatabase, $psUser, $host, $psPassword ));
         $query = @mysql_query( $sql, $this->link );
 
         if (! $query) {
@@ -1200,25 +1210,39 @@ class Installer extends Controller
 
     public function checkDatabases ()
     {
+        G::LoadSystem('inputfilter');
+        $filter = new InputFilter();
         $this->setResponseType( 'json' );
         $info = new stdclass();
 
         if ($_REQUEST['db_engine'] == 'mysql') {
             $link = @mysql_connect( $_REQUEST['db_hostname'], $_REQUEST['db_username'], $_REQUEST['db_password'] );
-            $dataset = @mysql_query( "show databases like '" . $_REQUEST['wfDatabase'] . "'", $link );
+            $_REQUEST['wfDatabase'] = $filter->validateInput($_REQUEST['wfDatabase'], 'nosql');
+            $query = "show databases like '%s' ";
+            $query = $filter->preventSqlInjection( $query, array($_REQUEST['wfDatabase']) );
+            $dataset = @mysql_query( $query, $link );
             $info->wfDatabaseExists = (@mysql_num_rows( $dataset ) > 0);
         } else if ($_REQUEST['db_engine'] == 'mssql') {
             $link = @mssql_connect( $_REQUEST['db_hostname'], $_REQUEST['db_username'], $_REQUEST['db_password'] );
-            $dataset = @mssql_query( "select * from sys.databases where name = '" . $_REQUEST['wfDatabase'] . "'", $link );
+            $_REQUEST['wfDatabase'] = $filter->validateInput($_REQUEST['wfDatabase'], 'nosql');
+            $query = "select * from sys.databases where name = '%s' ";
+            $query = $filter->preventSqlInjection( $query, array($_REQUEST['wfDatabase']) );
+            $dataset = @mssql_query( $query , $link );
             $info->wfDatabaseExists = (@mssql_num_rows( $dataset ) > 0);
         } else if ($_REQUEST['db_engine'] == 'sqlsrv') {
             $arguments = array("UID" => $_REQUEST['db_username'], "PWD" => $_REQUEST['db_password']);
             $link = @sqlsrv_connect( $_REQUEST['db_hostname'], $arguments);
-            $dataset = @sqlsrv_query( $link, "select * from sys.databases where name = '" . $_REQUEST['wfDatabase'] . "'");
+            $_REQUEST['wfDatabase'] = $filter->validateInput($_REQUEST['wfDatabase'], 'nosql');
+            $query = "select * from sys.databases where name = '%s' ";
+            $query = $filter->preventSqlInjection( $query, array($_REQUEST['wfDatabase']) );
+            $dataset = @sqlsrv_query( $link, $query );
             $info->wfDatabaseExists = (@sqlsrv_num_rows( $dataset ) > 0);
         } else {
             $link = @mssql_connect( $_REQUEST['db_hostname'], $_REQUEST['db_username'], $_REQUEST['db_password'] );
-            $dataset = @mssql_query( "select * from sys.databases where name = '" . $_REQUEST['wfDatabase'] . "'", $link );
+            $_REQUEST['wfDatabase'] = $filter->validateInput($_REQUEST['wfDatabase'], 'nosql');
+            $query = "select * from sys.databases where name = '%s' ";
+            $query = $filter->preventSqlInjection( $query, array($_REQUEST['wfDatabase']) );
+            $dataset = @mssql_query( $query , $link );
             $info->wfDatabaseExists = (@mssql_num_rows( $dataset ) > 0);
         }
 
@@ -1233,6 +1257,8 @@ class Installer extends Controller
 
     private function testMySQLconnection ()
     {
+        G::LoadSystem('inputfilter');
+        $filter = new InputFilter();
         $info = new StdClass();
         $info->result = false;
         $info->message = '';
@@ -1256,7 +1282,11 @@ class Installer extends Controller
             $info->message .= G::LoadTranslation('ID_MYSQL_CREDENTIALS_WRONG');
             return $info;
         }
-        $res = @mysql_query( "SELECT * FROM `information_schema`.`USER_PRIVILEGES` where (GRANTEE = \"'$db_username'@'$db_hostname'\" OR GRANTEE = \"'$db_username'@'%'\") ", $link );
+        $db_username = $filter->validateInput($db_username, 'nosql');
+        $db_hostname = $filter->validateInput($db_hostname, 'nosql');
+        $query = "SELECT * FROM `information_schema`.`USER_PRIVILEGES` where (GRANTEE = \"'%s'@'%s'\" OR GRANTEE = \"'%s'@'%'\") ";
+        $query = $filter->preventSqlInjection($query, array($db_username, $db_hostname, $db_username));
+        $res = @mysql_query( $query, $link );
         $row = @mysql_fetch_array( $res );
         $hasSuper = is_array( $row );
         @mysql_free_result( $res );

workflow/engine/data/mysql/schema.sql

@@ -2285,7 +2285,7 @@ CREATE TABLE `LIST_PARTICIPATED_LAST`
 	`DEL_DUE_DATE` DATETIME,
 	`DEL_PRIORITY` VARCHAR(32) default '3' NOT NULL,
 	`DEL_THREAD_STATUS` VARCHAR(32) default 'OPEN' NOT NULL,
-	PRIMARY KEY (`APP_UID`,`USR_UID`)
+	PRIMARY KEY (`APP_UID`,`USR_UID`,`DEL_INDEX`)
 )ENGINE=InnoDB  DEFAULT CHARSET='utf8' COMMENT='Participated last list';
 #-----------------------------------------------------------------------------
 #-- LIST_COMPLETED

workflow/engine/methods/appFolder/appFolderAjax.php

@@ -1,4 +1,9 @@
 <?php
+G::LoadSystem('inputfilter');
+$filter = new InputFilter();
+$_POST = $filter->xssFilterHard($_POST);
+$_GET = $filter->xssFilterHard($_GET);
+$_REQUEST = $filter->xssFilterHard($_REQUEST);
 if (! isset ($_SESSION ['USER_LOGGED'])) {
     $res ['success'] = false;
     $res ['error'] = G::LoadTranslation('ID_LOGIN_AGAIN');

workflow/engine/methods/cases/ajaxListener.php

@@ -33,6 +33,12 @@
 //require_once 'classes/model/AppDelay.php';
 //require_once 'classes/model/Process.php';
 //require_once 'classes/model/Task.php';
+
+G::LoadSystem('inputfilter');
+$filter = new InputFilter();
+$_REQUEST = $filter->xssFilterHard($_REQUEST);
+$_POST = $filter->xssFilterHard($_POST);
+
 if(isset($_REQUEST['action']) && $_REQUEST['action'] == "verifySession" ) {
     if (!isset($_SESSION['USER_LOGGED'])) {
         $response = new stdclass();

workflow/engine/methods/cases/caseMessageHistory_Ajax.php

@@ -21,6 +21,10 @@
  * For more information, contact Colosa Inc, 2566 Le Jeune Rd.,
  * Coral Gables, FL, 33134, USA, or email info@colosa.com.
  */
+G::LoadSystem('inputfilter');
+$filter = new InputFilter();
+$_POST = $filter->xssFilterHard($_POST);
+$_REQUEST = $filter->xssFilterHard($_REQUEST);
 
 $arrayToTranslation = array(
     "TRIGGER"    => G::LoadTranslation("ID_TRIGGER_DB"),
@@ -31,11 +35,11 @@ $actionAjax = isset( $_REQUEST['actionAjax'] ) ? $_REQUEST['actionAjax'] : null;
 
 if ($actionAjax == 'messageHistoryGridList_JXP') {
 
-    if (!isset($_REQUEST['start'])) {
+    if (!isset($_REQUEST['start']) || $_REQUEST['start'] =='') {
         $_REQUEST['start'] = 0;
     }
 
-    if (!isset($_REQUEST['limit'])) {
+    if (!isset($_REQUEST['limit']) || $_REQUEST['limit'] =='') {
         $_REQUEST['limit'] = 20;
     }
 

workflow/engine/methods/cases/casesHistoryDynaformPage_Ajax.php

@@ -22,6 +22,13 @@
  * Coral Gables, FL, 33134, USA, or email info@colosa.com.
  */
  
+G::LoadSystem('inputfilter');
+$filter = new InputFilter();
+$_GET = $filter->xssFilterHard($_GET);
+$_POST = $filter->xssFilterHard($_POST);
+$_REQUEST = $filter->xssFilterHard($_REQUEST);
+$_SESSION = $filter->xssFilterHard($_SESSION); 
+
 $actionAjax = isset( $_REQUEST['actionAjax'] ) ? $_REQUEST['actionAjax'] : null;
 
 if ($actionAjax == "historyDynaformPage") {

workflow/engine/methods/cases/casesListExtJs.php

@@ -213,7 +213,6 @@ $menuPerms = $menuPerms . ($RBAC->userCanAccess( 'PM_REASSIGNCASE' ) == 1) ? 'R'
 $oHeadPublisher->assign( '___p34315105', $menuPerms ); // user menu permissions
 G::LoadClass( 'configuration' );
 $c = new Configurations();
-
 //$oHeadPublisher->addExtJsScript('cases/caseUtils', true);
 $oHeadPublisher->addExtJsScript( 'app/main', true );
 $oHeadPublisher->addExtJsScript( 'cases/casesList', false ); //adding a javascript file .js

workflow/engine/methods/cases/casesList_Ajax.php

@@ -40,6 +40,12 @@ require_once ("classes/model/AdditionalTables.php");
 require_once ("classes/model/AppDelay.php");*/
 G::LoadClass( 'case' );
 
+G::LoadSystem('inputfilter');
+$filter = new InputFilter();
+$_POST = $filter->xssFilterHard($_POST);
+$_REQUEST = $filter->xssFilterHard($_REQUEST);
+$_SESSION = $filter->xssFilterHard($_SESSION); 
+
 $actionAjax = isset( $_REQUEST['actionAjax'] ) ? $_REQUEST['actionAjax'] : null;
 
 function filterUserListArray($users = array(), $filter = '')

workflow/engine/methods/cases/casesStartPage_Ajax.php

@@ -1,4 +1,9 @@
 <?php
+G::LoadSystem('inputfilter');
+$filter = new InputFilter();
+$_POST = $filter->xssFilterHard($_POST);
+$_REQUEST = $filter->xssFilterHard($_REQUEST);
+$_SESSION = $filter->xssFilterHard($_SESSION);
 if (!isset($_SESSION['USER_LOGGED'])) {
     $res = new stdclass();
     $res->message = G::LoadTranslation('ID_LOGIN_AGAIN');
@@ -215,6 +220,11 @@ function lookinginforContentProcess ($sproUid)
 function startCase ()
 {
     G::LoadClass( 'case' );
+    G::LoadSystem('inputfilter');
+    $filter = new InputFilter();
+    $_POST = $filter->xssFilterHard($_POST);
+    $_REQUEST = $filter->xssFilterHard($_REQUEST);
+    $_SESSION = $filter->xssFilterHard($_SESSION);
 
     /* GET , POST & $_SESSION Vars */
     /* unset any variable, because we are starting a new case */
@@ -241,6 +251,7 @@ function startCase ()
         lookinginforContentProcess( $_POST['processId'] );
 
         $aData = $oCase->startCase( $_REQUEST['taskId'], $_SESSION['USER_LOGGED'] );
+        $aData = $filter->xssFilterHard($aData);
 
         $_SESSION['APPLICATION'] = $aData['APPLICATION'];
         $_SESSION['INDEX'] = $aData['INDEX'];

workflow/engine/methods/cases/cases_Ajax.php

@@ -1,4 +1,11 @@
 <?php
+G::LoadSystem('inputfilter');
+$filter = new InputFilter();
+$_GET = $filter->xssFilterHard($_GET);
+$_POST = $filter->xssFilterHard($_POST);
+$_REQUEST = $filter->xssFilterHard($_REQUEST);
+$_SESSION = $filter->xssFilterHard($_SESSION);
+
 if (!isset($_SESSION['USER_LOGGED'])) {
     $response = new stdclass();
     $response->message = G::LoadTranslation('ID_LOGIN_AGAIN');
@@ -243,12 +250,16 @@ switch (($_POST['action']) ? $_POST['action'] : $_REQUEST['action']) {
         G::RenderPage( 'publish', 'raw' );
         break;
     case 'showUsers':
+        $_POST['TAS_ASSIGN_TYPE'] = $filter->xssFilterHard($_POST['TAS_ASSIGN_TYPE']);
         switch ($_POST['TAS_ASSIGN_TYPE']) {
             // switch verify $_POST['TAS_ASSIGN_TYPE']
             case 'BALANCED':
+                $_POST['USR_UID'] = $filter->xssFilterHard($_POST['USR_UID']);
                 G::LoadClass( 'user' );
                 $oUser = new User( new DBConnection() );
                 $oUser->load( $_POST['USR_UID'] );
+                $oUser->Fields['USR_FIRSTNAME'] = $filter->xssFilterHard($oUser->Fields['USR_FIRSTNAME']);
+                $oUser->Fields['USR_LASTNAME'] = $filter->xssFilterHard($oUser->Fields['USR_LASTNAME']);
                 echo $oUser->Fields['USR_FIRSTNAME'] . ' ' . $oUser->Fields['USR_LASTNAME'] . '<input type="hidden" name="form[TASKS][1][USR_UID]" id="form[TASKS][1][USR_UID]" value="' . $_POST['USR_UID'] . '">';
                 break;
             case 'MANUAL':
@@ -300,6 +311,8 @@ switch (($_POST['action']) ? $_POST['action'] : $_REQUEST['action']) {
                 echo $sAux;
                 break;
             case 'EVALUATE':
+                $_POST['TAS_ASSIGN_VARIABLE'] = $filter->xssFilterHard($_POST['TAS_ASSIGN_VARIABLE']);
+                $_SESSION['APPLICATION'] = $filter->xssFilterHard($_SESSION['APPLICATION']);
                 G::LoadClass( 'application' );
                 $oApplication = new Application( new DBConnection() );
                 $oApplication->load( $_SESSION['APPLICATION'] );
@@ -315,7 +328,8 @@ switch (($_POST['action']) ? $_POST['action'] : $_REQUEST['action']) {
                     $oUser->load( $sUser );
                     echo $oUser->Fields['USR_FIRSTNAME'] . ' ' . $oUser->Fields['USR_LASTNAME'] . '<input type="hidden" name="form[TASKS][1][USR_UID]" id="form[TASKS][1][USR_UID]" value="' . $sUser . '">';
                 } else {
-                    echo '<strong>Error: </strong>' . $_POST['TAS_ASSIGN_VARIABLE'] . ' ' . G::LoadTranslation( 'ID_EMPTY' );
+                    $ID_EMPTY = $filter->xssFilterHard(G::LoadTranslation( 'ID_EMPTY' ));
+                    echo '<strong>Error: </strong>' . $_POST['TAS_ASSIGN_VARIABLE'] . ' ' . $ID_EMPTY;
                     echo '<input type="hidden" name="_ERROR_" id="_ERROR_" value="">';
                 }
                 break;
@@ -447,6 +461,9 @@ switch (($_POST['action']) ? $_POST['action'] : $_REQUEST['action']) {
         $cases->reassignCase( $_SESSION['APPLICATION'], $_SESSION['INDEX'], $_SESSION['USER_LOGGED'], $_POST['USR_UID'], $_POST['THETYPE'] );
         break;
     case 'toRevisePanel':
+        $_POST['APP_UID'] = $filter->xssFilterHard($_POST['APP_UID']);
+        $_POST['DEL_INDEX'] = $filter->xssFilterHard($_POST['DEL_INDEX']);
+
         $_GET['APP_UID'] = $_POST['APP_UID'];
         $_GET['DEL_INDEX'] = $_POST['DEL_INDEX'];
         $G_PUBLISH = new Publisher();

workflow/engine/methods/cases/cases_StepToRevise.php

@@ -23,6 +23,9 @@
  */
 //  die("first");
 /* Permissions */
+G::LoadSystem('inputfilter');
+$filter = new InputFilter();
+$_GET = $filter->xssFilterHard($_GET,"url");
 switch ($RBAC->userCanAccess( 'PM_SUPERVISOR' )) {
     case - 2:
         G::SendTemporalMessage( 'ID_USER_HAVENT_RIGHTS_SYSTEM', 'error', 'labels' );
@@ -35,8 +38,9 @@ switch ($RBAC->userCanAccess( 'PM_SUPERVISOR' )) {
         die();
         break;
 }
-
+$_SESSION = $filter->xssFilterHard($_SESSION,"url");
 if ((int) $_SESSION['INDEX'] < 1) {
+    $_SERVER['HTTP_REFERER'] = $filter->xssFilterHard($_SERVER['HTTP_REFERER']);
     G::SendTemporalMessage( 'ID_USER_HAVENT_RIGHTS_PAGE', 'error', 'labels' );
     G::header( 'location: ' . $_SERVER['HTTP_REFERER'] );
     die();

workflow/engine/methods/cases/cases_StepToReviseInputs.php

@@ -23,6 +23,9 @@
  */
 //die("second");
 /* Permissions */
+G::LoadSystem('inputfilter');
+$filter = new InputFilter();
+$_GET = $filter->xssFilterHard($_GET,"url");
 switch ($RBAC->userCanAccess( 'PM_SUPERVISOR' )) {
     case - 2:
         G::SendTemporalMessage( 'ID_USER_HAVENT_RIGHTS_SYSTEM', 'error', 'labels' );
@@ -35,8 +38,9 @@ switch ($RBAC->userCanAccess( 'PM_SUPERVISOR' )) {
         die();
         break;
 }
-
+$_SESSION = $filter->xssFilterHard($_SESSION,"url");
 if ((int) $_SESSION['INDEX'] < 1) {
+    $_SERVER['HTTP_REFERER'] = $filter->xssFilterHard($_SERVER['HTTP_REFERER']);
     G::SendTemporalMessage( 'ID_USER_HAVENT_RIGHTS_PAGE', 'error', 'labels' );
     G::header( 'location: ' . $_SERVER['HTTP_REFERER'] );
     die();

workflow/engine/methods/cases/cases_StepToReviseOutputs.php

@@ -23,6 +23,9 @@
  */
 
 /* Permissions */
+G::LoadSystem('inputfilter');
+$filter = new InputFilter();
+$_GET = $filter->xssFilterHard($_GET,"url");
 switch ($RBAC->userCanAccess( 'PM_SUPERVISOR' )) {
     case - 2:
         G::SendTemporalMessage( 'ID_USER_HAVENT_RIGHTS_SYSTEM', 'error', 'labels' );
@@ -35,7 +38,7 @@ switch ($RBAC->userCanAccess( 'PM_SUPERVISOR' )) {
         die();
         break;
 }
-
+$_SESSION = $filter->xssFilterHard($_SESSION,"url");
 /* Includes */
 G::LoadClass( 'case' );
 

workflow/engine/methods/cases/cases_ToReviseOutputDocView.php

@@ -23,6 +23,9 @@
  */
 
 /* Permissions */
+G::LoadSystem('inputfilter');
+$filter = new InputFilter();
+$_GET = $filter->xssFilterHard($_GET,"url");
 switch ($RBAC->userCanAccess( 'PM_SUPERVISOR' )) {
     case - 2:
         G::SendTemporalMessage( 'ID_USER_HAVENT_RIGHTS_SYSTEM', 'error', 'labels' );
@@ -35,7 +38,7 @@ switch ($RBAC->userCanAccess( 'PM_SUPERVISOR' )) {
         die();
         break;
 }
-
+$_SESSION = $filter->xssFilterHard($_SESSION,"url");
 /* Includes */
 G::LoadClass( 'case' );
 

workflow/engine/methods/cases/cases_generatePMTable.php

@@ -4,6 +4,9 @@
  * and open the template in the editor.
  */
 
+G::LoadSystem('inputfilter');
+$filter = new InputFilter();
+$_POST = $filter->xssFilterHard($_POST);
 require_once ("classes/model/AdditionalTables.php");
 require_once ("classes/model/Fields.php");
 // passing the parameters

workflow/engine/methods/cases/proxyPMTablesFieldList.php

@@ -744,6 +744,7 @@ function xgetFieldsFromPMTable($tabUid)
     $oCriteria->addSelectColumn ( FieldsPeer::FLD_INDEX );
     $oCriteria->add (FieldsPeer::ADD_TAB_UID, $tabUid , CRITERIA::EQUAL );
     $oCriteria->add (FieldsPeer::FLD_NAME, 'APP_UID' , CRITERIA::NOT_EQUAL );
+    $oCriteria->addAnd (FieldsPeer::FLD_NAME, 'APP_NUMBER' , CRITERIA::NOT_EQUAL );
     $oCriteria->addDescendingOrderByColumn('FLD_INDEX');
     $oDataset = FieldsPeer::doSelectRS($oCriteria);
     $oDataset->setFetchmode(ResultSet::FETCHMODE_ASSOC);

workflow/engine/methods/controls/varsAjax.php

@@ -22,11 +22,19 @@
  * Coral Gables, FL, 33134, USA, or email info@colosa.com.
  *
  */
+ 
+G::LoadSystem('inputfilter');
+$filter = new InputFilter();
+$_POST = $filter->xssFilterHard($_POST);
+$_REQUEST = $filter->xssFilterHard($_REQUEST);
+ 
 $_SERVER["QUERY_STRING"] = isset($_SERVER["QUERY_STRING"])?$_SERVER["QUERY_STRING"]:'';
 $_REQUEST["sProcess"] = isset($_REQUEST["sProcess"])?$_REQUEST["sProcess"]:'';
 $_REQUEST["sFieldName"] = isset($_REQUEST["sFieldName"])?$_REQUEST["sFieldName"]:'';
 $_REQUEST['sSymbol']= isset($_REQUEST["sSymbol"])?$_REQUEST["sSymbol"]:'';
 
+$_SERVER["QUERY_STRING"] = $filter->xssFilterHard($_SERVER["QUERY_STRING"]);
+
 $html = '<form action="uploader.php?'.$_SERVER["QUERY_STRING"].'&q=upload" onLoad="onLoad()" method="post" enctype="multipart/form-data" onsubmit="">';
 $html .= '<div id="d_variables">';
 $html .= '<table width="90%" align="center">';
@@ -40,24 +48,24 @@ $html .= '</tr>';
 
 $html .= '<tr>';
 $html .= '<td width="50%">';
-$html .= '<label for="type_label">'.G::LoadTranslation('ID_TINY_TYPE_VARIABLE').'</label>';
+$html .= '<label for="type_label">'.$filter->xssFilterHard(G::LoadTranslation('ID_TINY_TYPE_VARIABLE')).'</label>';
 $html .= '</td>';
 
 $html .= '<td width="25%">';
-$html .= '<label for="prefix_label">'.G::LoadTranslation('ID_PREFIX').'</label>';
+$html .= '<label for="prefix_label">'.$filter->xssFilterHard(G::LoadTranslation('ID_PREFIX')).'</label>';
 $html .= '</td>';
 
 $html .= '<td width="25%">';
-$html .= '<label for="variables_label">'.G::LoadTranslation( 'ID_SEARCH').'</label>';
+$html .= '<label for="variables_label">'.$filter->xssFilterHard(G::LoadTranslation( 'ID_SEARCH')).'</label>';
 $html .= '</td>';
 $html .= '</tr>';
 
 $html .= '<tr>';
 $html .= '<td width="25%">';
 $html .= '<select name="type_variables" id="type_variables">';
-$html .= '<option value="all">'.G::LoadTranslation( 'ID_TINY_ALL_VARIABLES' ).'</option>';
+$html .= '<option value="all">'.$filter->xssFilterHard(G::LoadTranslation( 'ID_TINY_ALL_VARIABLES' )).'</option>';
-$html .= '<option value="system">'.G::LoadTranslation( 'ID_TINY_SYSTEM_VARIABLES' ).'</option>';
+$html .= '<option value="system">'.$filter->xssFilterHard(G::LoadTranslation( 'ID_TINY_SYSTEM_VARIABLES' )).'</option>';
-$html .= '<option value="process">'.G::LoadTranslation( 'ID_TINY_PROCESS_VARIABLES' ).'</option>';
+$html .= '<option value="process">'.$filter->xssFilterHard(G::LoadTranslation( 'ID_TINY_PROCESS_VARIABLES' )).'</option>';
 $html .= '</select> &nbsp;&nbsp;&nbsp;&nbsp;';
 $html .= '</td>';
 
@@ -79,7 +87,7 @@ $html .= '<input type="text" id="search" size="15">';
 $html .= '</td>';
 $html .= '</tr>';
 $html .= '<tr>';
-$html .= '<tr><td><label for="prefix_label">'.G::LoadTranslation( 'ID_VARIABLES' ).'</label></td></tr>';
+$html .= '<tr><td><label for="prefix_label">'.$filter->xssFilterHard(G::LoadTranslation( 'ID_VARIABLES' )).'</label></td></tr>';
 $html .= '<tr>';
 
 $html .= '<td colspan="3">';
@@ -114,19 +122,19 @@ $html .= '</div>';
 $html .= '<br>';
 $html .= '<table border="1" width="90%" align="center">';
 $html .= '<tr width="40%">';
-$html .= '<td>'.G::LoadTranslation('ID_RESULT').'</td>';
+$html .= '<td>'.$filter->xssFilterHard(G::LoadTranslation('ID_RESULT')).'</td>';
 $html .= '<td><span id="selectedVariableLabel">@@SYS_LANG</span></td>';
 $html .= '</tr>';
 $html .= '<tr width="60%">';
-$html .= '<td>'.G::LoadTranslation('ID_DESCRIPTION').'</td>';
+$html .= '<td>'.$filter->xssFilterHard(G::LoadTranslation('ID_DESCRIPTION')).'</td>';
-$html .= '<td><span id="desc_variables">'.G::LoadTranslation('ID_SYSTEM').'</span></td>';
+$html .= '<td><span id="desc_variables">'.$filter->xssFilterHard(G::LoadTranslation('ID_SYSTEM')).'</span></td>';
 $html .= '</tr>';
 $html .= '</table>';
 $html .= '</div>';
 $html .= '<br>';
 $html .= '<table width="90%" align="center">';
 $html .= '<tr><td>';
-$html .= '<label for="desc_prefix">*<span id="desc_prefix">' . G::LoadTranslation( 'ID_TO_STRING' ) . '</span></label>';
+$html .= '<label for="desc_prefix">*<span id="desc_prefix">'.$filter->xssFilterHard(G::LoadTranslation( 'ID_TO_STRING' )).'</span></label>';
 $html .= '</td></tr>';
 $html .= '</div>';
 

workflow/engine/methods/dbConnections/dbConnectionsAjax.php

@@ -30,6 +30,11 @@
  * @Param  var action from POST request
  */
 
+G::LoadSystem('inputfilter');
+$filter = new InputFilter();
+$_POST = $filter->xssFilterHard($_POST);
+$_SESSION = $filter->xssFilterHard($_SESSION);
+
 if (isset( $_POST['action'] ) || isset( $_POST['function'] )) {
     $action = (isset( $_POST['action'] )) ? $_POST['action'] : $_POST['function'];
 } else {

workflow/engine/methods/departments/departments_Ajax.php

@@ -23,6 +23,11 @@
  * Coral Gables, FL, 33134, USA, or email info@colosa.com.
  */
 
+G::LoadSystem('inputfilter');
+$filter = new InputFilter();
+$_POST = $filter->xssFilterHard($_POST);
+$_REQUEST = $filter->xssFilterHard($_REQUEST);
+
 function LookForChildren ($parent, $level, $aDepUsers)
 {
     G::LoadClass( 'configuration' );

workflow/engine/methods/dynaforms/dynaforms_Editor.php

@@ -21,6 +21,12 @@
  * For more information, contact Colosa Inc, 2566 Le Jeune Rd.,
  * Coral Gables, FL, 33134, USA, or email info@colosa.com.
  */
+ 
+G::LoadSystem('inputfilter');
+$filter = new InputFilter();
+$_POST = $filter->xssFilterHard($_POST);
+$_GET = $filter->xssFilterHard($_GET);
+ 
 if (($RBAC_Response = $RBAC->userCanAccess( "PM_FACTORY" )) != 1) {
     return $RBAC_Response;
 }
@@ -38,6 +44,9 @@ $G_SUB_MENU = 'processes';
 $G_ID_MENU_SELECTED = 'PROCESSES';
 $G_ID_SUB_MENU_SELECTED = 'FIELDS';
 
+$_GET['PRO_UID'] = $filter->xssFilterHard($_GET['PRO_UID']);
+$_GET['DYN_UID'] = $filter->xssFilterHard($_GET['DYN_UID']);
+
 $PRO_UID = isset( $_GET['PRO_UID'] ) ? $_GET['PRO_UID'] : '0';
 $DYN_UID = (isset( $_GET['DYN_UID'] )) ? urldecode( $_GET['DYN_UID'] ) : '0';
 $_SESSION['PROCESS'] = $_GET['PRO_UID'];
@@ -50,6 +59,7 @@ if ($process->exists( $PRO_UID )) {
     $process->load( $PRO_UID );
 } else {
     //TODO
+    $PRO_UID = $filter->xssFilterHard($PRO_UID);
     print ("$PRO_UID doesn't exist, continue? yes") ;
 }
 

workflow/engine/methods/dynaforms/dynaforms_checkDependentFields.php

@@ -28,6 +28,10 @@
  * also the functionality of dependent fields in grids doesn't depends in this
  * file so this is somewhat expendable.
  */
+G::LoadSystem('inputfilter');
+$filter = new InputFilter();
+$_POST = $filter->xssFilterHard($_POST);
+
 function subDependencies ($k, &$G_FORM, &$aux, $grid = '')
 {
     $myDependentFields = '';

workflow/engine/methods/dynaforms/fieldsHandlerAjax.php

@@ -25,6 +25,9 @@
   * @Date Aug 26th, 2009
   */
 
+G::LoadSystem('inputfilter');
+$filter = new InputFilter();
+$_POST = $filter->xssFilterHard($_POST);
 $request = $_POST['request'];
 
 switch ($request) {
@@ -32,6 +35,7 @@ switch ($request) {
         if (isset( $_POST['items'] )) {
             $items = $_POST['items'];
             $tmpfilename = $_SESSION['Current_Dynafom']['Parameters']['FILE'];
+            $tmpfilename = $filter->xssFilterHard($tmpfilename);
             G::LoadSystem( 'dynaformhandler' );
 
             $o = new dynaFormHandler( PATH_DYNAFORM . "{$tmpfilename}.xml" );
@@ -53,6 +57,7 @@ switch ($request) {
         break;
     case 'saveHidden':
         $tmpfilename = $_SESSION['Current_Dynafom']['Parameters']['FILE'];
+        $tmpfilename = $filter->xssFilterHard($tmpfilename);
         G::LoadSystem( 'dynaformhandler' );
         $o = new dynaFormHandler( PATH_DYNAFORM . "{$tmpfilename}.xml" );
         $hidden_items = Array ();

workflow/engine/methods/dynaforms/test.php

@@ -51,8 +51,11 @@ for ($r = 1; $r < 10; $r ++) {
 	</select> <input type="submit" value="Send" />
 </form>
 <?php
+G::LoadSystem('inputfilter');
+$filter = new InputFilter();
 $test = $_POST['form']['test'];
 if ($test) {
+    $test = $filter->xssFilterHard($test);
     foreach ($test as $t) {
         echo 'You selected ', $t, '<br />';
     }

workflow/engine/methods/outputdocs/outputdocs_Ajax.php

@@ -1,4 +1,7 @@
 <?php
+G::LoadSystem('inputfilter');
+$filter = new InputFilter();
+$_REQUEST = $filter->xssFilterHard($_REQUEST);
 
 $action = isset( $_REQUEST['action'] ) ? $_REQUEST['action'] :'';
 
@@ -9,6 +12,7 @@ if ($action == '') {
 
 switch ($action) {
     case 'setTemplateFile':
+        $_FILES = $filter->xssFilterHard($_FILES);
         //print_r($_FILES);
         $_SESSION['outpudocs_tmpFile'] = PATH_DATA . $_FILES['templateFile']['name'];
         //    file_put_contents($_FILES['templateFile']['name'], file_get_contents($_FILES['templateFile']['tmp_name']));
@@ -21,6 +25,7 @@ switch ($action) {
         break;
 
     case 'getTemplateFile':
+        $_SESSION['outpudocs_tmpFile'] = $filter->xssFilterHard($_SESSION['outpudocs_tmpFile']);
         $aExtensions = array ("exe","com","dll","ocx","fon","ttf","doc","xls","mdb","rtf","bin","jpeg","jpg","jif","jfif","gif","tif","tiff","png","bmp","pdf","aac","mp3","mp3pro","vorbis","realaudio","vqf","wma","aiff","flac","wav","midi","mka","ogg","jpeg","ilbm","tar","zip","rar","arj","gzip","bzip2","afio","kgb","gz","asf","avi","mov","iff","ogg","ogm","mkv","3gp"
         );
         $sFileName = strtolower( $_SESSION['outpudocs_tmpFile'] );
@@ -28,11 +33,15 @@ switch ($action) {
         $searchPos = strpos( $strRev, '.' );
         $pos = (strlen( $sFileName ) - 1) - $searchPos;
         $sExtension = substr( $sFileName, $pos + 1, strlen( $sFileName ) );
-        if (! in_array( $sExtension, $aExtensions ))
+        if (! in_array( $sExtension, $aExtensions )) {
-            echo $content = file_get_contents( $_SESSION['outpudocs_tmpFile'] );
+            $content = file_get_contents( $_SESSION['outpudocs_tmpFile'] );
+            $content = $filter->xssFilterHard($content);
+            echo $content;
+        }
         break;
 
     case 'loadTemplateContent':
+        $_POST = $filter->xssFilterHard($_POST);
         require_once 'classes/model/OutputDocument.php';
         $ooutputDocument = new OutputDocument();
         if (isset( $_POST['OUT_DOC_UID'] )) {
@@ -43,6 +52,7 @@ switch ($action) {
         break;
 
     case 'lookForNameOutput':
+        $_POST = $filter->xssFilterHard($_POST);
         require_once ('classes/model/Content.php');
         require_once ("classes/model/OutputDocument.php");
 

workflow/engine/methods/processes/processes_Ajax.php

@@ -39,6 +39,13 @@ try {
       } */
     //$oJSON = new Services_JSON();
     
+    G::LoadSystem('inputfilter');
+    $filter = new InputFilter();
+    $_GET = $filter->xssFilterHard($_GET);
+    $_POST = $filter->xssFilterHard($_POST);
+    $_REQUEST = $filter->xssFilterHard($_REQUEST);
+    //$_SESSION = $filter->xssFilterHard($_SESSION); 
+
     if (isset($_REQUEST['data'])) {
         if($_REQUEST['action']=="addText"||$_REQUEST['action']=="updateText") {
             $oData = Bootstrap::json_decode($_REQUEST['data']);
@@ -741,6 +748,8 @@ try {
             // G::RenderPage( 'publish', 'blank' );
             break;
         case 'saveFile':
+            $_REQUEST['pro_uid'] = $filter->xssFilterHard($_REQUEST['pro_uid']);
+            $_REQUEST['filename'] = $filter->xssFilterHard($_REQUEST['filename']);
             global $G_PUBLISH;
             $G_PUBLISH = new Publisher();
             global $RBAC;
@@ -754,6 +763,7 @@ try {
 
                 $sDir = "";
                 if (isset($_REQUEST['MAIN_DIRECTORY'])) {
+                    $_REQUEST['MAIN_DIRECTORY'] = $filter->xssFilterHard($_REQUEST['MAIN_DIRECTORY']);
                     $sDir = $_REQUEST['MAIN_DIRECTORY'];
                 }
                 switch ($sDir) {
@@ -775,6 +785,7 @@ try {
                 $content = base64_decode($content);
                 fwrite($fp, $content);
                 fclose($fp);
+                $sDirectory = $filter->xssFilterHard($sDirectory);
                 echo 'saved: ' . $sDirectory;
             }
             break;
@@ -830,8 +841,10 @@ try {
             *
             */
         case 'getVariablePrefix':
+            $_REQUEST['prefix'] = $filter->xssFilterHard($_REQUEST['prefix']);
             $_REQUEST['prefix'] = $_REQUEST['prefix'] != null ? $_REQUEST['prefix'] : 'ID_TO_STRING';
-            echo G::LoadTranslation($_REQUEST['prefix']);
+            $prefix = $filter->xssFilterHard(G::LoadTranslation($_REQUEST['prefix']));
+            echo G::LoadTranslation($prefix);
             break;
             /**
             * return an array with all Variables of Grid type

workflow/engine/methods/roles/data_rolesList.php

@@ -24,6 +24,9 @@
 
 require_once (PATH_RBAC . "model/RolesPeer.php");
 G::LoadClass( 'ArrayPeer' );
+G::LoadSystem('inputfilter');
+$filter = new InputFilter();
+$_POST = $filter->xssFilterHard($_POST);
 
 isset( $_POST['textFilter'] ) ? $filter = $_POST['textFilter'] : $filter = '';
 

workflow/engine/methods/roles/data_rolesPermissions.php

@@ -22,6 +22,10 @@
  * Coral Gables, FL, 33134, USA, or email info@colosa.com.
  */
 
+G::LoadSystem('inputfilter');
+$filter = new InputFilter();
+$_GET = $filter->xssFilterHard($_GET);
+$_REQUEST = $filter->xssFilterHard($_REQUEST);
 $ROL_UID = $_GET['rUID'];
 $TYPE_DATA = $_GET["type"];
 

workflow/engine/methods/services/Rest/CURLMessage.php

@@ -122,7 +122,10 @@ abstract class CURLMessage
      */
     public function displayResponse ()
     {
+        G::LoadSystem('inputfilter');
+        $filter = new InputFilter();
         $error = curl_error( $this->ch );
+        $error = $filter->xssFilterHard($error);
         $result = array ('header' => '','body' => '','curl_error' => '','http_code' => '','last_url' => ''
         );
         if ($error != "") {
@@ -130,12 +133,15 @@ abstract class CURLMessage
             return $result;
         }
         $response = $this->output;
+        $response = $filter->xssFilterHard($response);
         $header_size = curl_getinfo( $this->ch, CURLINFO_HEADER_SIZE );
         $result['header'] = substr( $response, 0, $header_size );
         $result['body'] = substr( $response, $header_size );
         $result['http_code'] = curl_getinfo( $this->ch, CURLINFO_HTTP_CODE );
         $result['last_url'] = curl_getinfo( $this->ch, CURLINFO_EFFECTIVE_URL );
+        $result = $filter->xssFilterHard($result);
 
+        $this->type = $filter->xssFilterHard($this->type);
         echo $this->type . " Response: " . $response . "<BR>";
         foreach ($result as $index => $data) {
             if ($data != "") {

workflow/engine/methods/services/demoSoap.php

@@ -61,12 +61,17 @@ a.krumo-name {
 </style>
 <?php
 
+G::LoadSystem('inputfilter');
+$filter = new InputFilter();
+$_POST = $filter->xssFilterHard($_POST);
+$_SESSION = $filter->xssFilterHard($_SESSION);
 if (isset( $_POST["epr"] )) {
     $_SESSION['END_POINT'] = $_POST["epr"];
 }
 $endpoint = isset( $_SESSION['END_POINT'] ) ? $_SESSION['END_POINT'] : 'http://sugar.opensource.colosa.net/soap.php';
-
+$endpoint = $filter->xssFilterHard($endpoint);
 $sessionId = isset( $_SESSION['SESSION_ID'] ) ? $_SESSION['SESSION_ID'] : '';
+$sessionId = $filter->xssFilterHard($sessionId);
 ?>
 <form method="post" action="">
 

workflow/engine/methods/services/login_getStarted.php

@@ -42,7 +42,7 @@ $oTemplatePower->assign('USR_UID', $aUser['USR_UID']);
 $oTemplatePower->assign('USR_FULLNAME', $aData['USR_FIRSTNAME'] . ' ' . $aData['USR_LASTNAME'] . ' (' . $aData['USR_USERNAME'] . ')');
 */
 $userName = 'admin';
-$userPass = 'The password introduced at the time of installing the application';
+$userPass = 'The password introduced at the time of installing the application (admin: if you do not put or changed the password)';
 if(isset($_SESSION['NW_PASSWORD'])){
   if($_SESSION['NW_PASSWORD'] != ''){
     $userPass = $_SESSION['NW_PASSWORD'];

workflow/engine/methods/setup/appCacheViewAjax.php

@@ -1,6 +1,9 @@
 <?php
 require_once ('classes/model/AppCacheView.php');
-
+G::LoadSystem('inputfilter');
+$filter = new InputFilter();
+$_POST = $filter->xssFilterHard($_POST);
+$_GET = $filter->xssFilterHard($_GET);
 $request = isset( $_POST['request'] ) ? $_POST['request'] : (isset( $_GET['request'] ) ? $_GET['request'] : null);
 
 function testConnection($type, $server, $user, $passwd, $port = 'none', $dbName = "")

workflow/engine/methods/setup/emails_Ajax.php

@@ -22,6 +22,13 @@
  * Coral Gables, FL, 33134, USA, or email info@colosa.com.
  */
  
+G::LoadSystem('inputfilter');
+$filter = new InputFilter();
+$_POST = $filter->xssFilterHard($_POST);
+if(isset($_SERVER['SERVER_NAME'])) {
+$_SERVER['SERVER_NAME'] = $filter->xssFilterHard($_SERVER['SERVER_NAME']); 
+}
+
 global $RBAC;
 $RBAC->requirePermissions( 'PM_SETUP_ADVANCE' );
 

workflow/engine/methods/setup/language_Ajax.php

@@ -23,11 +23,16 @@
  */
 try {
 
+    G::LoadSystem('inputfilter');
+    $filter = new InputFilter();
+    $_POST = $filter->xssFilterHard($_POST);
+    
     G::LoadInclude( 'ajax' );
     if (isset( $_POST['form'] )) {
         $_POST = $_POST['form'];
     }
     $_POST['function'] = get_ajax_value( 'function' );
+    $_POST['function'] = $filter->xssFilterHard($_POST['function']);
     switch ($_POST['function']) {
         case 'savePredetermined':
             require_once "classes/model/Translation.php";

workflow/engine/methods/setup/skin_Ajax.php

@@ -1,4 +1,8 @@
 <?php
+G::LoadSystem('inputfilter');
+$filter = new InputFilter();
+$_REQUEST = $filter->xssFilterHard($_REQUEST);
+
 if (! isset( $_REQUEST['action'] )) {
     $res['success'] = false;
     $res['error'] = $res['message'] = G::LoadTranslation('ID_REQUEST_ACTION');
@@ -360,6 +364,10 @@ function exportSkin ($skinToExport = "")
 function deleteSkin ()
 {
     try {
+        G::LoadSystem('inputfilter');
+        $filter = new InputFilter();
+        $_REQUEST['SKIN_FOLDER_ID'] = $filter->xssFilterHard($_REQUEST['SKIN_FOLDER_ID']);
+    
         if (! (isset( $_REQUEST['SKIN_FOLDER_ID'] ))) {
             throw (new Exception( G::LoadTranslation( 'ID_SKIN_FOLDER_REQUIRED' ) ));
         }

workflow/engine/methods/setup/webServicesAjax.php

@@ -23,6 +23,10 @@
  */
 ini_set( "soap.wsdl_cache_enabled", "0" ); // enabling WSDL cache
 
+G::LoadSystem('inputfilter');
+$filter = new InputFilter();
+$_GET = $filter->xssFilterHard($_GET);
+//$_SESSION = $filter->xssFilterHard($_SESSION); 
 
 G::LoadClass( 'ArrayPeer' );
 if ($RBAC->userCanAccess( 'PM_SETUP' ) != 1 && $RBAC->userCanAccess( 'PM_FACTORY' ) != 1) {
@@ -38,6 +42,8 @@ if ($_POST['action'] == '') {
     $_POST['action'] = (isset( $_GET['action'] )) ? $_GET['action'] : '';
 }
 
+$_POST = $filter->xssFilterHard($_POST);
+
 switch ($_POST['action']) {
     case 'showForm':
         global $G_PUBLISH;
@@ -1504,7 +1510,7 @@ try {
                 die();
                 break;
             default:
-
+                $_POST = $filter->xssFilterHard($_POST);
                 print_r( $_POST );
         }
     }

workflow/engine/methods/tracker/tracker_Ajax.php

@@ -22,6 +22,10 @@
  * Coral Gables, FL, 33134, USA, or email info@colosa.com.
  */
 try {
+    G::LoadSystem('inputfilter');
+    $filter = new InputFilter();
+    $_POST = $filter->xssFilterHard($_POST);
+    
     if (isset( $_POST['form']['action'] )) {
         $_POST['action'] = $_POST['form']['action'];
     }

workflow/engine/methods/users/usersAjax.php

@@ -1,4 +1,13 @@
 <?php
+G::LoadSystem('inputfilter');
+$filter = new InputFilter();
+$_POST = $filter->xssFilterHard($_POST);
+if(isset($_SESSION['USER_LOGGED'])) { 
+    $_SESSION['USER_LOGGED'] = $filter->xssFilterHard($_SESSION['USER_LOGGED']); 
+}
+if(isset($_SESSION['USR_USERNAME'])) { 
+$_SESSION['USR_USERNAME'] = $filter->xssFilterHard($_SESSION['USR_USERNAME']);
+}
 
 global $RBAC;
 $result = new StdClass();

workflow/engine/methods/users/users_Ajax.php

@@ -23,6 +23,12 @@
  * Coral Gables, FL, 33134, USA, or email info@colosa.com.
  */
 try {
+    G::LoadSystem('inputfilter');
+    $filter = new InputFilter();
+    $_GET = $filter->xssFilterHard($_GET);
+    $_POST = $filter->xssFilterHard($_POST);
+    $_REQUEST = $filter->xssFilterHard($_REQUEST);
+    
     global $RBAC;
     switch ($RBAC->userCanAccess('PM_LOGIN')) {
         case - 2:

workflow/engine/src/ProcessMaker/BusinessModel/Lists.php

@@ -176,6 +176,7 @@ class Lists {
             $filtersData['date_to']     = $filters["dateTo"];
             $response['filters']        = $filtersData;
             $response['data']           = $result;
+            $filtersData['action']      = $filters["action"];
             $response['totalCount']     = $list->countTotal($userUid, $filtersData);
         } else {
             $response = $result;

workflow/engine/templates/appFolder/appFolderTree.php

@@ -56,7 +56,9 @@ $html = '
      }
  return 'Unknown';
  }
-
+G::LoadSystem('inputfilter');
+$filter = new InputFilter();
+$_SERVER['HTTP_USER_AGENT'] = $filter->xssFilterHard($_SERVER['HTTP_USER_AGENT']);
 if((looking_for_browser($_SERVER['HTTP_USER_AGENT'])=='Internet Explorer 8')||(looking_for_browser($_SERVER['HTTP_USER_AGENT'])=='Internet Explorer 7')||(looking_for_browser($_SERVER['HTTP_USER_AGENT'])=='Internet Explorer 6')){
     $html.="
         <div class='content' style='width:360px;height: expression( this.scrollHeight > 319 ? \'320px\' : \'auto\' ); /* sets max-height for IE */  max-height: 320px; /* sets max-height value for all standards-compliant browsers */  overflow:hidden;'>

workflow/engine/templates/cases/cases_Load.php

@@ -1,3 +1,8 @@
+<?php 
+G::LoadSystem('inputfilter');
+$filter = new InputFilter();
+$_POST['qs'] = $filter->xssFilterHard($_POST['qs']);
+?>
 <html>
   <style type="text/css">
    .Footer .content {

workflow/engine/templates/groups/groups_Tree.php

@@ -29,6 +29,8 @@
 
   $WIDTH_PANEL = 350;
 
+  G::LoadSystem('inputfilter');
+  $filter = new InputFilter();
   G::LoadClass('groups');
 
   $groups = new Groups();
@@ -47,6 +49,17 @@
     $UID         = htmlentities($group->getGrpUid());
     //$GROUP_TITLE = htmlentities($group->getGrpTitle());
     $GROUP_TITLE = strip_tags($group->getGrpTitle());
+    $ID_NEW         = G::LoadTranslation('ID_NEW');
+    $ID_GROUPS      = G::loadTranslation("ID_GROUPS");
+
+    $ID_EDIT     = $filter->xssFilterHard($ID_EDIT);
+    $ID_MEMBERS  = $filter->xssFilterHard($ID_MEMBERS);
+    $ID_DELETE   = $filter->xssFilterHard($ID_DELETE);
+    $UID         = $filter->xssFilterHard($UID);
+    $GROUP_TITLE = $filter->xssFilterHard($GROUP_TITLE);
+    $ID_NEW      = $filter->xssFilterHard($ID_NEW);
+    $ID_GROUPS   = $filter->xssFilterHard($ID_GROUPS);
+
     $htmlGroup   .="
         <tr id=\"{$xVar}\" onclick=\"focusRow(this, 'Selected')\" onmouseout=\"setRowClass(this, '{$RowClass}')\" onmouseover=\"setRowClass(this, 'RowPointer' )\" class=\"{$RowClass}\">
           <td><img src=\"/images/users.png\" border=\"0\" width=\"20\" height=\"20\"/></td>
@@ -68,13 +81,13 @@
 					<div class="boxContentBlue">
 					  <table width="95%" style="margin:0px;" cellspacing="0" cellpadding="0">
 					    <tr>
-						  <td class="userGroupTitle">'.G::loadTranslation("ID_GROUPS").'</td>
+						  <td class="userGroupTitle">'.$ID_GROUPS.'</td>
 						</tr>
 					  </table>
 					</div>
 					<div class="boxBottomBlue"><div class="a"></div><div class="b"></div><div class="c"></div></div>
 					
-				  	<div class="userGroupLink"><a href="#" onclick="addGroup();return false;">'.G::LoadTranslation('ID_NEW').'</a></div>
+				  	<div class="userGroupLink"><a href="#" onclick="addGroup();return false;">'.$ID_NEW.'</a></div>
 				  	
 				  	<div id="groupsListDiv" style="height:350px; width:'.($WIDTH_PANEL-20).'px; overflow:auto">
 				  	  <table class="pagedTableDefault"><tr><td>' 

workflow/engine/templates/oauth2/authorize.php

@@ -1,6 +1,9 @@
 <?php
 require_once PATH_CORE . 'src/ProcessMaker/Services/OAuth2/PmPdo.php';
-
+G::LoadSystem('inputfilter');
+$filter = new InputFilter();
+$_GET = $filter->xssFilterHard($_GET,"url");
+$_SERVER["QUERY_STRING"] = $filter->xssFilterHard($_SERVER["QUERY_STRING"],"url");
 
 list($host, $port) = strpos(DB_HOST, ':') !== false ? explode(':', DB_HOST) : array(DB_HOST, '');
 $port = empty($port) ? '' : ";port=$port";
@@ -34,7 +37,7 @@ $response = array(
     'supportedScope' => $this->scope,
     'requestedScope' => $requestedScope
 );
-
+$response = $filter->xssFilterHard($response,"url");
 ?>
 
 <table width="100%" cellspacing="0" cellpadding="0" border="0">

workflow/engine/xmlform/dynaforms/dynaforms_WebEntry.xml

@@ -171,7 +171,7 @@ var webEntry_generate = function(PRO_UID, TASKS, DYNAFORM) {
   	if(getField('WE_TYPE').value=='SINGLE')
      { oPanel1 = new leimnud.module.panel();
        oPanel1.options = {
-       	size	:{w:600,h:400},
+       	size	:{w:500,h:390},
        	position:{x:0,y:0,center:true},
        	title	:"Web Entry",
        	statusBar:true,