Merge branch 'master' of bitbucket.org:colosa/processmaker into PM-1765

2015-03-20 09:55:47 -04:00
parent 6dbfb1053e 9c7b459e74
commit 6ada29eea2
69 changed files with 540 additions and 104 deletions
--- a/gulliver/bin/tasks/pakeGulliver.php
+++ b/gulliver/bin/tasks/pakeGulliver.php
@@ -920,6 +920,8 @@ function run_create_poedit_file($task, $args) {
  G::LoadSystem('xmlform');
  G::LoadSystem('xmlformExtension');
  G::LoadSystem('form');
+  G::LoadSystem('inputfilter');
+  $filter = new InputFilter();

  $langIdOut = $langId; //the output language, later we'll include the country too.
  $exceptionFields = array (
@@ -993,18 +995,25 @@ function run_create_poedit_file($task, $args) {
      }

      else {
+        $xmlfile = $filter->xssFilterHard($xmlfile);
+        $exceptionFields = $filter->xssFilterHard($exceptionFields);
        if( is_object($node) && ! in_array($node->type, $exceptionFields) ) {
          if( isset($node->value) && strpos($node->value, 'G::LoadTranslation') !== false ) {
            $exceptIndex ++;
            //print ($node->value);
          } else {
+            $node->name = $filter->xssFilterHard($node->name);
+            $node->type = $filter->xssFilterHard($node->type);
            printf("Error: xmlform %s has no english definition for %s [%s]\n", pakeColor::colorize($xmlfile, 'ERROR'), pakeColor::colorize($node->name, 'INFO'), pakeColor::colorize($node->type, 'INFO'));
            $xmlError ++;
          }
        } else {
          $exceptIndex ++;
-          if( $verboseFlag )
+          if( $verboseFlag ){
+            $node->name = $filter->xssFilterHard($node->name);
+            $node->type = $filter->xssFilterHard($node->type);
            printf("%s %s in %s\n", $node->type, pakeColor::colorize($node->name, 'INFO'), pakeColor::colorize($xmlfile, 'INFO'));
+          }
        }
      }
    }
--- a/gulliver/js/tinymce/jscripts/tiny_mce/plugins/inlinepopups/skins/clearlooks2/window.css
+++ b/gulliver/js/tinymce/jscripts/tiny_mce/plugins/inlinepopups/skins/clearlooks2/window.css
@@ -4,7 +4,7 @@
 .clearlooks2, .clearlooks2 div, .clearlooks2 span, .clearlooks2 a {vertical-align:baseline; text-align:left; position:absolute; border:0; padding:0; margin:0; background:transparent; font-family:Arial,Verdana; font-size:11px; color:#000; text-decoration:none; font-weight:normal; width:auto; height:auto; overflow:hidden; display:block}

 /* General */
-.clearlooks2 {position:absolute; direction:ltr}
+.clearlooks2 {position:fixed !important; direction:ltr; top:20px !important;height:552px !important;}
 .clearlooks2 .mceWrapper {position:static}
 .mceEventBlocker {position:fixed; left:0; top:0; background:url(img/horizontal.gif) no-repeat 0 -75px; width:100%; height:100%}
 .clearlooks2 .mcePlaceHolder {border:1px solid #000; background:#888; top:0; left:0; opacity:0.5; -ms-filter:'alpha(opacity=50)'; filter:alpha(opacity=50)}
--- a/gulliver/js/tinymce/jscripts/tiny_mce/themes/advanced/js/source_editor.js
+++ b/gulliver/js/tinymce/jscripts/tiny_mce/themes/advanced/js/source_editor.js
@@ -73,6 +73,6 @@ function resizeInputs() {

 	if (el) {
 		el.style.width = (vp.w - 20) + 'px';
-		el.style.height = (vp.h - 65) + 'px';
+		el.style.height = (vp.h - 122) + 'px';
 	}
 }
--- a/gulliver/methods/controls/calendar.php
+++ b/gulliver/methods/controls/calendar.php
@@ -25,6 +25,9 @@
 	td {font-family: Tahoma, Verdana, sans-serif; font-size: 11px;}
 </style>
 <?php
+    G::LoadSystem('inputfilter');
+    $filter = new InputFilter();
+    $_GET = $filter->xssFilterHard($_GET);

 	$ARR_MONTHS = array ( "January", "February", "March", "April", "May", "June",
 		"July", "August", "September", "October", "November", "December");
@@ -109,6 +112,11 @@
  }
  $numWeeks = ( $end_date - $start_date )/3600/24/7 ;
  
+  $dtmin_value = $filter->xssFilterHard($dtmin_value);
+  $dtmax_value = $filter->xssFilterHard($dtmax_value);
+  $dt_currentYear = $filter->xssFilterHard($dt_currentYear);
+  $dt_currentMonth = $filter->xssFilterHard($dt_currentMonth);
+
 //print date('Y-m-d', $start_date ) . " $dtmin_value $dtmax_value ";
 ?>
 <input type='hidden' name='dtmin_value' id='dtmin_value' value='<?php echo $dtmin_value ?>' >
--- a/gulliver/system/class.dbMaintenance.php
+++ b/gulliver/system/class.dbMaintenance.php
@@ -305,8 +305,12 @@ class DataBaseMaintenance
    function backupData ()
    {
        $aTables = $this->getTablesList();
+        G::LoadSystem('inputfilter');
+        $filter = new InputFilter();
+        $aTables = $filter->xssFilterHard($aTables);
        foreach ($aTables as $table) {
            if ($this->dumpData( $table ) !== false) {
+                $this->outfile = $filter->xssFilterHard($this->outfile);
                printf( "%20s %s %s\n", 'Dump of table:', $table, " in file {$this->outfile}" );
            } else {
                return false;
@@ -343,6 +347,11 @@ class DataBaseMaintenance
    {

        $aTables = $this->getTablesList();
+        G::LoadSystem('inputfilter');
+        $filter = new InputFilter();
+        $aTables = $filter->xssFilterHard($aTables);
+        $this->tmpDir = $filter->xssFilterHard($this->tmpDir);
+        $this->infile = $filter->xssFilterHard($this->infile);

        foreach ($aTables as $table) {
            if (isset( $type ) && $type == 'sql') {
@@ -467,6 +476,7 @@ class DataBaseMaintenance

        G::LoadSystem('inputfilter');
        $filter = new InputFilter();
+        $table = $filter->xssFilterHard($table);
        $table = $filter->validateInput($table, 'nosql');
        $bytesSaved = 0;
        $query = "SELECT * FROM `%s`";
@@ -492,6 +502,7 @@ class DataBaseMaintenance
            $data .= ");\n";
        }

+        $data = $filter->xssFilterHard($data);
        printf( "%-59s%20s", "Dump of table $table", strlen( $data ) . " Bytes Saved\n" );
        return $data;
    }
--- a/gulliver/system/class.dbconnection.php
+++ b/gulliver/system/class.dbconnection.php
@@ -186,6 +186,10 @@ class DBConnection
    {
        global $_SESSION;
        global $_SERVER;
+        G::LoadSystem('inputfilter');
+        $filter = new InputFilter();
+        $_SERVER = $filter->xssFilterHard($_SERVER);
+        $_SESSION = $filter->xssFilterHard($_SESSION);
        if (is_null( $errorLevel ))
        if (isset( $this->errorLevel )) {
            $errorLevel = $this->errorLevel;
@@ -207,7 +211,7 @@ class DBConnection
            print "</textarea></td></tr></table>";
        }
        //G::setErrorHandler ( );
-        G::customErrorLog( 'DB_Error', $obj->code . ' ' . $obj->message . '-' . $obj->userinfo, '', '' );
+        //G::customErrorLog( 'DB_Error', $obj->code . ' ' . $obj->message . '-' . $obj->userinfo, '', '' );
        if ($errorLevel == DB_ERROR_SHOW_AND_STOP || $errorLevel == DB_ERROR_SHOWALL_AND_STOP) {
            die(); //stop
        }
--- a/gulliver/system/class.g.php
+++ b/gulliver/system/class.g.php
@@ -1073,6 +1073,12 @@ class G
     */
    public static function streamFile ($file, $download = false, $downloadFileName = '')
    {
+        G::LoadSystem('inputfilter');
+        $filter = new InputFilter();
+        $file = $filter->xssFilterHard($file);
+        if(isset($_SERVER['REQUEST_URI'])) {
+            $_SERVER['REQUEST_URI'] = $filter->xssFilterHard($_SERVER['REQUEST_URI'],"url");
+        }
        require_once (PATH_THIRDPARTY . 'jsmin/jsmin.php');
        $folderarray = explode( '/', $file );
        $typearray = explode( '.', basename( $file ) );
@@ -1081,8 +1087,11 @@ class G

        //trick to generate the translation.language.js file , merging two files
        if (strtolower( $typefile ) == 'js' && $typearray[0] == 'translation') {
+            $download = $filter->xssFilterHard($download);
+            $downloadFileName = $filter->xssFilterHard($downloadFileName);
            G::sendHeaders( $filename, 'text/javascript', $download, $downloadFileName );
            $output = G::streamJSTranslationFile( $filename, $typearray[1] );
+            $output = $filter->xssFilterHard($output);
            print $output;
            return;
        }
@@ -1091,6 +1100,7 @@ class G
        if (strtolower( $typefile ) == 'css' && $folderarray[count( $folderarray ) - 2] == 'css') {
            G::sendHeaders( $filename, 'text/css', $download, $downloadFileName );
            $output = G::streamCSSBigFile( $typearray[0] );
+            $output = $filter->xssFilterHard($output);
            print $output;
            return;
        }
@@ -3140,6 +3150,9 @@ class G
     */
    public function pr ($var)
    {
+        G::LoadSystem('inputfilter');
+        $filter = new InputFilter();
+        $var = $filter->xssFilterHard($var);
        print ("<pre>") ;
        print_r( $var );
        print ("</pre>") ;
--- a/gulliver/system/class.pagedTable.php
+++ b/gulliver/system/class.pagedTable.php
@@ -778,6 +778,13 @@ class pagedTable
     */
    public function renderTable ($block = '')
    {
+        G::LoadSystem('inputfilter');
+        $filter = new InputFilter();
+        $this->orderBy  = $filter->xssFilterHard($this->orderBy);
+        $this->currentPage  = $filter->xssFilterHard($this->currentPage);
+        $this->id  = $filter->xssFilterHard($this->id);
+        $this->name  = $filter->xssFilterHard($this->name);
+        $this->ownerPage  = $filter->xssFilterHard($this->ownerPage);
        // DBConnection
        $this->prepareQuery();
        //Query for get the number of rows
@@ -797,6 +804,9 @@ class pagedTable
            $this->tpl->assign( 'pagedTable_Id', $this->id );
            $this->tpl->assign( 'pagedTable_Name', $this->name );
            $this->tpl->assign( 'pagedTable_Height', $this->xmlForm->height );
+            $this->xmlForm->home  = $filter->xssFilterHard($this->xmlForm->home);
+            $this->filterForm  = $filter->xssFilterHard($this->filterForm);
+            $this->menu  = $filter->xssFilterHard($this->menu);
            if (file_exists( $this->xmlForm->home . $this->filterForm . '.xml' )) {
                $filterForm = new filterForm( $this->filterForm, $this->xmlForm->home );
                if ($this->menu === '') {
@@ -893,10 +903,14 @@ class pagedTable
            $this->tpl->assign( 'rowId', 'insertAtLast' );
            if ($this->currentPage > 1) {
                $firstUrl = $this->ownerPage . '?order=' . $this->orderBy . '&page=1';
+                $firstUrl  = $filter->xssFilterHard($firstUrl);
                $firstAjax = $this->id . ".doGoToPage(1);return false;";
+                $firstAjax  = $filter->xssFilterHard($firstAjax);
                $prevpage = $this->currentPage - 1;
                $prevUrl = $this->ownerPage . '?order=' . $this->orderBy . '&page=' . $prevpage;
+                $prevUrl  = $filter->xssFilterHard($prevUrl);
                $prevAjax = $this->id . ".doGoToPage(" . $prevpage . ");return false;";
+                $prevAjax  = $filter->xssFilterHard($prevAjax);
                $first = "<a href=\"" . htmlentities( $firstUrl, ENT_QUOTES, 'utf-8' ) . "\" onclick=\"" . $firstAjax . "\" class='firstPage'>&nbsp;</a>";
                $prev = "<a href=\"" . htmlentities( $prevUrl, ENT_QUOTES, 'utf-8' ) . "\"  onclick=\"" . $prevAjax . "\" class='previousPage'>&nbsp;</a>";
            } else {
@@ -905,10 +919,14 @@ class pagedTable
            }
            if ($this->currentPage < $this->totpages) {
                $lastUrl = $this->ownerPage . '?order=' . $this->orderBy . '&page=' . $this->totpages;
+                $lastUrl  = $filter->xssFilterHard($lastUrl);
                $lastAjax = $this->id . ".doGoToPage(" . $this->totpages . ");return false;";
+                $lastAjax  = $filter->xssFilterHard($lastAjax);
                $nextpage = $this->currentPage + 1;
                $nextUrl = $this->ownerPage . '?order=' . $this->orderBy . '&page=' . $nextpage;
+                $nextUrl  = $filter->xssFilterHard($nextUrl);
                $nextAjax = $this->id . ".doGoToPage(" . $nextpage . ");return false;";
+                $nextAjax  = $filter->xssFilterHard($nextAjax);
                $next = "<a href=\"" . htmlentities( $nextUrl, ENT_QUOTES, 'utf-8' ) . "\" onclick=\"" . $nextAjax . "\" class='nextPage'>&nbsp;</a>";
                $last = "<a href=\"" . htmlentities( $lastUrl, ENT_QUOTES, 'utf-8' ) . "\" onclick=\"" . $lastAjax . "\" class='lastPage'>&nbsp;</a>";
            } else {
@@ -920,6 +938,7 @@ class pagedTable
                if (($r >= ($this->currentPage - 5)) && ($r <= ($this->currentPage + 5))) {
                    $pageAjax = $this->id . ".doGoToPage(" . $r . ");return false;";
                    if ($r != $this->currentPage) {                        
+                        $pageAjax  = $filter->xssFilterHard($pageAjax);
                        $pagesEnum .= "&nbsp;<a href=\"" . htmlentities( $this->ownerPage . '?order=' . $this->orderBy . '&page=' . $r, ENT_QUOTES, 'utf-8' ) . "\" onclick=\"" . $pageAjax . "\">" . $r . "</a>";
                    } else {
                        $pagesEnum .= "&nbsp;<a>" . $r . "</a>";
--- a/rbac/engine/templates/testAuthenticationSource.php
+++ b/rbac/engine/templates/testAuthenticationSource.php
@@ -22,6 +22,10 @@
 * Coral Gables, FL, 33134, USA, or email info@colosa.com.
 * 
 */
+  G::LoadSystem('inputfilter');
+  $filter = new InputFilter();
+  $HTTP_SESSION_VARS = $filter->xssFilterHard($HTTP_SESSION_VARS);
+
  global $G_TABLE;
  global $G_CONTENT;
  global $HTTP_SESSION_VARS;
@@ -88,7 +92,8 @@

        $oResult = $oLdap->search($rootDn, $sFilter, $aParams);
        if (PEAR::isError($oResult)) {
-        print ( $oLdap->message);
+            $oLdap->message = $filter->xssFilterHard($oLdap->message);
+            print ( $oLdap->message);
            return $oResult;
        }
 /*
--- a/workflow/engine/bin/tasks/cliMafe.php
+++ b/workflow/engine/bin/tasks/cliMafe.php
@@ -40,6 +40,10 @@ CLI::taskRun('run_create_translation');

 function run_create_translation($args, $opts)
 {
+    G::LoadSystem('inputfilter');
+    $filter = new InputFilter();
+    $opts = $filter->xssFilterHard($opts);
+    $args = $filter->xssFilterHard($args);
    $rootDir = realpath(__DIR__."/../../../../");
    $app = new Maveriks\WebApplication();
    $app->setRootDir($rootDir);
@@ -53,7 +57,6 @@ function run_create_translation($args, $opts)
    foreach ($workspaces as $workspace) {
        try {
            echo "Updating labels for workspace " . pakeColor::colorize($workspace->name, "INFO") . "\n";
-            $app->loadEnvironment($workspace->name, $loadConstants);
            $translation->generateTransaltionMafe($lang);
        } catch (Exception $e) {
            echo "Errors upgrading labels for workspace " . CLI::info($workspace->name) . ": " . CLI::error($e->getMessage()) . "\n";
--- a/workflow/engine/bin/tasks/cliWorkspaces.php
+++ b/workflow/engine/bin/tasks/cliWorkspaces.php
@@ -228,6 +228,10 @@ function run_info($args, $opts) {
 }

 function run_workspace_upgrade($args, $opts) {
+  G::LoadSystem('inputfilter');
+  $filter = new InputFilter();
+  $opts = $filter->xssFilterHard($opts);
+  $args = $filter->xssFilterHard($args);
  $workspaces = get_workspaces_from_args($args);
  $first = true;
  $lang = array_key_exists("lang", $opts) ? $opts['lang'] : 'en';
@@ -242,6 +246,10 @@ function run_workspace_upgrade($args, $opts) {
 }

 function run_translation_upgrade($args, $opts) {
+  G::LoadSystem('inputfilter');
+  $filter = new InputFilter();
+  $opts = $filter->xssFilterHard($opts);
+  $args = $filter->xssFilterHard($args);
  $workspaces = get_workspaces_from_args($args);
  $first = true;
  foreach ($workspaces as $workspace) {
@@ -256,6 +264,10 @@ function run_translation_upgrade($args, $opts) {
 }

 function run_cacheview_upgrade($args, $opts) {
+  G::LoadSystem('inputfilter');
+  $filter = new InputFilter();
+  $opts = $filter->xssFilterHard($opts);
+  $args = $filter->xssFilterHard($args);
  $workspaces = get_workspaces_from_args($args);
  $lang = array_key_exists("lang", $opts) ? $opts['lang'] : 'en';
  foreach ($workspaces as $workspace) {
@@ -304,6 +316,10 @@ function run_migrate_new_cases_lists($args, $opts) {
 }

 function database_upgrade($command, $args) {
+  G::LoadSystem('inputfilter');
+  $filter = new InputFilter();
+  $command = $filter->xssFilterHard($command);
+  $args = $filter->xssFilterHard($args);
  $workspaces = get_workspaces_from_args($args);
  $checkOnly = (strcmp($command, "check") == 0);
  foreach ($workspaces as $workspace) {
@@ -587,6 +603,10 @@ function runStructureDirectories($command, $args) {

 function run_database_generate_self_service_by_value($args, $opts)
 {
+    G::LoadSystem('inputfilter');
+    $filter = new InputFilter();
+    $opts = $filter->xssFilterHard($opts);
+    $args = $filter->xssFilterHard($args);
    try {
        $arrayWorkspace = get_workspaces_from_args($args);

--- a/workflow/engine/classes/class.processMap.php
+++ b/workflow/engine/classes/class.processMap.php
@@ -2356,7 +2356,11 @@ class processMap
              $G_PUBLISH->AddContent('propeltable', 'paged-table', '/cases/cases_Scheduler_List', $oCriteria, array('CONFIRM' => G::LoadTranslation('ID_MSG_CONFIRM_DELETE_CASE_SCHEDULER')));
              G::RenderPage('publish');
              //return true; */
+            G::LoadSystem('inputfilter');
+            $filter = new InputFilter();
            $schedulerPath = SYS_URI . "cases/cases_Scheduler_List";
+            $schedulerPath = $filter->xssFilterHard($schedulerPath);
+            $sProcessUID = $filter->xssFilterHard($sProcessUID);
            $html = "<iframe  WIDTH=820 HEIGHT=530 FRAMEBORDER=0 src='" . $schedulerPath . '?PRO_UID=' . $sProcessUID . "'></iframe>";
            echo $html;
        } catch (Exception $oError) {
--- a/workflow/engine/classes/class.propelTable.php
+++ b/workflow/engine/classes/class.propelTable.php
@@ -560,6 +560,12 @@ class propelTable
     */
    public function renderTable ($block = '', $fields = '')
    { 
+        G::LoadSystem('inputfilter');
+        $filter = new InputFilter();
+        $fields = $filter->xssFilterHard($fields);
+        $this->orderBy = $filter->xssFilterHard($this->orderBy);
+        $this->currentPage = $filter->xssFilterHard($this->currentPage);
+        
        //Render Title
        $thereisnotitle = true;
        foreach ($this->fields as $r => $rval) {
@@ -603,6 +609,11 @@ class propelTable
            $this->tpl->assign( 'pagedTable_Name', $this->name );
            $this->tpl->assign( 'pagedTable_Height', $this->xmlForm->height );
            $this->tpl->assign( "title", $this->title );
+            
+            $this->xmlForm->home = $filter->xssFilterHard($this->xmlForm->home);
+            $this->filterForm = $filter->xssFilterHard($this->filterForm);
+            $this->menu = $filter->xssFilterHard($this->menu);
+            
            if (file_exists( $this->xmlForm->home . $this->filterForm . '.xml' )) {
                $filterForm = new filterForm( $this->filterForm, $this->xmlForm->home );
                if ($this->menu === '') {
@@ -839,6 +850,12 @@ class propelTable
                }
                $this->tpl->assign( "pagesEnum", $pagesEnum );
            }
+            
+            $this->name = $filter->xssFilterHard($this->name);
+            $this->orderBy = $filter->xssFilterHard($this->orderBy);
+            $this->currentPage = $filter->xssFilterHard($this->currentPage);
+            $this->id = $filter->xssFilterHard($this->id);
+            
            ?>

            <script language='JavaScript'>
--- a/workflow/engine/classes/class.webdav.php
+++ b/workflow/engine/classes/class.webdav.php
@@ -398,13 +398,18 @@ class ProcessMakerWebDav extends HTTP_WebDAV_Server
     */
    public function GET(&$options)
    {
-        $paths = $this->paths;
+        G::LoadSystem('inputfilter');
+        $filter = new InputFilter();
+        $options = $filter->xssFilterHard($options);
+        $paths = $filter->xssFilterHard($this->paths);

        $pathClasses = PATH_DB . SYS_SYS . PATH_SEP . 'classes' . PATH_SEP;
        if (count($paths) > 0 && $paths[0] == 'classes' && is_dir($pathClasses)) {
            $fsFile = $pathClasses . $paths[1];
+            $fsFile = $filter->xssFilterHard($fsFile);
            if (count($paths) == 2 && file_exists($fsFile)) {
                $content = file_get_contents($fsFile);
+                $content = $filter->xssFilterHard($content);
                print $content;
                header("Content-Type: " . mime_content_type($fsFile));
                header("Last-Modified: " . date("D, j M Y H:m:s ", file_mtime($fsFile)) . "GMT");
@@ -418,8 +423,10 @@ class ProcessMakerWebDav extends HTTP_WebDAV_Server
            if (count($paths) == 4 && $paths[2] == 'xmlforms') {
                $pathXmlform = $pathProcesses . 'xmlForms' . PATH_SEP . $paths[1] . PATH_SEP;
                $fsFile = $pathXmlform . $paths[3];
+                $fsFile = $filter->xssFilterHard($fsFile);
                if (count($paths) == 4 && file_exists($fsFile)) {
                    $content = file_get_contents($fsFile);
+                    $content = $filter->xssFilterHard($content);
                    print $content;
                    header("Content-Type: " . mime_content_type($fsFile));
                    header("Last-Modified: " . date("D, j M Y H:m:s ", file_mtime($fsFile)) . "GMT");
@@ -431,8 +438,10 @@ class ProcessMakerWebDav extends HTTP_WebDAV_Server
            if (count($paths) == 4 && $paths[2] == 'mailTemplates') {
                $pathTemplates = $pathProcesses . 'mailTemplates' . PATH_SEP . $paths[1] . PATH_SEP;
                $fsFile = $pathTemplates . $paths[3];
+                $fsFile = $filter->xssFilterHard($fsFile);
                if (count($paths) == 4 && file_exists($fsFile)) {
                    $content = file_get_contents($fsFile);
+                    $content = $filter->xssFilterHard($content);
                    print $content;
                    header("Content-Type: " . mime_content_type($fsFile));
                    header("Last-Modified: " . date("D, j M Y H:m:s ", file_mtime($fsFile)) . "GMT");
@@ -444,8 +453,10 @@ class ProcessMakerWebDav extends HTTP_WebDAV_Server
            if (count($paths) == 4 && $paths[2] == 'public_html') {
                $pathPublic = $pathProcesses . 'public' . PATH_SEP . $paths[1] . PATH_SEP;
                $fsFile = $pathPublic . $paths[3];
+                $fsFile = $filter->xssFilterHard($fsFile);
                if (count($paths) == 4 && file_exists($fsFile)) {
                    $content = file_get_contents($fsFile);
+                    $content = $filter->xssFilterHard($content);
                    print $content;
                    header("Content-Type: " . mime_content_type($fsFile));
                    header("Last-Modified: " . date("D, j M Y H:m:s ", file_mtime($fsFile)) . "GMT");
@@ -967,11 +978,15 @@ class ProcessMakerWebDav extends HTTP_WebDAV_Server
     */
    public function checkLock($path)
    {
+        G::LoadSystem('inputfilter');
+        $filter = new InputFilter();
+        $path = $filter->validateInput($path, 'nosql');
        $result = false;

        $query = "SELECT owner, token, expires, exclusivelock
              FROM locks
-            WHERE path = '$path' ";
+            WHERE path = '%s' ";
+        $query = $filter->preventSqlInjection($query, array($path));
        $res = mysql_query($query);

        if ($res) {
--- a/workflow/engine/classes/class.wsTools.php
+++ b/workflow/engine/classes/class.wsTools.php
@@ -1842,12 +1842,14 @@ class workspaceTools
            throw $e;
        }
    }
+
    /**
     * Migrate all cases to New list
     *
     * return all LIST TABLES with data
     */
-    public function migrateList ($workSpace){
+    public function migrateList ($workSpace)
+    {
        $this->initPropel(true);
        $appCache = new AppCacheView();
        G::LoadClass("case");
@@ -1887,32 +1889,39 @@ class workspaceTools
        
        //Select data TO_DO OR DRAFT
        $inbCriteria = $appCache->getSelAllColumns();
-        $inbCriteria->add(AppCacheViewPeer::APP_STATUS, "CANCELLED", CRITERIA::NOT_EQUAL);
        $rsCriteria = AppCacheViewPeer::doSelectRS($inbCriteria);
        $rsCriteria->setFetchmode(ResultSet::FETCHMODE_ASSOC);
+
        //Insert new data LIST_INBOX
        while ($rsCriteria->next()) {
-              $row = $rsCriteria->getRow();
-              if($row["DEL_THREAD_STATUS"] == 'OPEN'){
-                  $listInbox = new ListInbox();
-                  $listInbox->remove($row["APP_UID"],$row["DEL_INDEX"]);
-                  $listInbox->setDeleted(false);
-                  $listInbox->create($row);
-              } else {
-                 // create participated List when the thread is CLOSED
-                 $listParticipatedHistory = new ListParticipatedHistory();
-                 $listParticipatedHistory->remove($row['APP_UID'],$row['DEL_INDEX']);
-                 $listParticipatedHistory = new ListParticipatedHistory();
-                 $listParticipatedHistory->create($row);
-                 $listParticipatedLast = new ListParticipatedLast();
-                 $listParticipatedLast->remove($row['APP_UID'], $row['USR_UID']);
-                 $listParticipatedLast = new ListParticipatedLast();
-                 $listParticipatedLast->create($row);        
-                 $listParticipatedLast = new ListParticipatedLast();
-                 $listParticipatedLast->refresh($row);
-              }
+            $row = $rsCriteria->getRow();
+            $isSelfService = ($row['USR_UID'] == '') ? true : false;
+            if($row["DEL_THREAD_STATUS"] == 'OPEN'){
+                $row["DEL_PREVIOUS_USR_UID"] = $row["PREVIOUS_USR_UID"];
+                $listInbox = new ListInbox();
+                $listInbox->remove($row["APP_UID"],$row["DEL_INDEX"]);
+                $listInbox->setDeleted(false);
+                $listInbox->create($row, $isSelfService);
+            } else {
+                // create participated List when the thread is CLOSED
+                $listParticipatedHistory = new ListParticipatedHistory();
+                $listParticipatedHistory->remove($row['APP_UID'], $row['DEL_INDEX']);
+                $listParticipatedHistory = new ListParticipatedHistory();
+                $listParticipatedHistory->create($row);
+
+                $oCriteria = new Criteria('workflow');
+                $oCriteria->add(ListParticipatedLastPeer::APP_UID, $row['APP_UID']);
+                $oCriteria->add(ListParticipatedLastPeer::USR_UID, $row['USR_UID']);
+                ListParticipatedLastPeer::doDelete($oCriteria);
+
+                $listParticipatedLast = new ListParticipatedLast();
+                $listParticipatedLast->create($row);
+                $listParticipatedLast = new ListParticipatedLast();
+                $listParticipatedLast->refresh($row);
+            }
              
        }
+
        CLI::logging("> Completed table LIST_INBOX\n");
        //With this List is populated the LIST_PARTICIPATED_HISTORY and LIST_PARTICIPATED_LAST
        CLI::logging("> Completed table LIST_PARTICIPATED_HISTORY\n");
@@ -1939,7 +1948,13 @@ class workspaceTools
        $delaycriteria->addSelectColumn(AppDelayPeer::PRO_UID);
        $delaycriteria->addSelectColumn(AppDelayPeer::APP_DEL_INDEX);
        $delaycriteria->addSelectColumn(AppCacheViewPeer::APP_NUMBER);
-        $delaycriteria->addJoin( AppCacheViewPeer::APP_UID, AppDelayPeer::APP_UID, Criteria::INNER_JOIN );
+        $delaycriteria->addSelectColumn(AppCacheViewPeer::USR_UID);
+        $delaycriteria->addSelectColumn(AppCacheViewPeer::APP_STATUS);
+        $delaycriteria->addSelectColumn(AppCacheViewPeer::TAS_UID);
+
+        $delaycriteria->addJoin( AppCacheViewPeer::APP_UID, AppDelayPeer::APP_UID . ' AND ' . AppCacheViewPeer::DEL_INDEX . ' = ' . AppDelayPeer::APP_DEL_INDEX, Criteria::INNER_JOIN );
+        $delaycriteria->add(AppDelayPeer::APP_DISABLE_ACTION_USER, "0", CRITERIA::EQUAL);
+        $delaycriteria->add(AppDelayPeer::APP_TYPE, "PAUSE", CRITERIA::EQUAL);
        $rsCriteria = AppDelayPeer::doSelectRS($delaycriteria);
        $rsCriteria->setFetchmode(ResultSet::FETCHMODE_ASSOC);
        //Insert new data LIST_PAUSED
@@ -1948,7 +1963,6 @@ class workspaceTools
              $data = $row;
              $data["DEL_INDEX"] = $row["APP_DEL_INDEX"];
              $listPaused = new ListPaused();
-              $listPaused->remove($data["APP_UID"],$data["DEL_INDEX"]);
              $listPaused->setDeleted(false);
              $listPaused->create($data);
        }
@@ -2006,6 +2020,7 @@ class workspaceTools
        $this->listFirstExecution('insert');
        return true;
    }
+
    /**
     * This function checks if List tables are going to migrated 
     *
--- a/workflow/engine/classes/model/AdditionalTables.php
+++ b/workflow/engine/classes/model/AdditionalTables.php
@@ -447,10 +447,10 @@ class AdditionalTables extends BaseAdditionalTables
        }
        G::LoadSystem('inputfilter');
        $filter = new InputFilter();        
-        $sort = $filter->validateInput($_POST['sort']);
        $sClassPeerName = $filter->validateInput($sClassPeerName);

        if (isset($_POST['sort'])) {
+            $_POST['sort'] = $filter->validateInput($_POST['sort']);
            if ($_POST['dir'] == 'ASC') {
                if ($keyOrderUppercase) {
                    eval('$oCriteria->addAscendingOrderByColumn("' . $sort . '");');
--- a/workflow/engine/classes/model/ListInbox.php
+++ b/workflow/engine/classes/model/ListInbox.php
@@ -49,8 +49,11 @@ class ListInbox extends BaseListInbox

            // remove and create participated last
            if (!$isSelfService) {
-                $listParticipatedLast = new ListParticipatedLast();
-                $listParticipatedLast->remove($data['APP_UID'], $data['USR_UID']);
+                $oCriteria = new Criteria('workflow');
+                $oCriteria->add(ListParticipatedLastPeer::APP_UID, $data['APP_UID']);
+                $oCriteria->add(ListParticipatedLastPeer::USR_UID, $data['USR_UID']);
+                ListParticipatedLastPeer::doDelete($oCriteria);
+
                $listParticipatedLast = new ListParticipatedLast();
                $listParticipatedLast->create($data);
                $listParticipatedLast = new ListParticipatedLast();
@@ -367,6 +370,11 @@ class ListInbox extends BaseListInbox
    {
        $criteria = new Criteria();
        $criteria->add( ListInboxPeer::USR_UID, $usr_uid, Criteria::EQUAL );
+        if ($filters['action'] == 'draft') {
+            $criteria->add( ListInboxPeer::APP_STATUS, 'DRAFT', Criteria::EQUAL );
+        } else {
+            $criteria->add( ListInboxPeer::APP_STATUS, 'TO_DO', Criteria::EQUAL );
+        }
        self::loadFilters($criteria, $filters);
        $total = ListInboxPeer::doCount( $criteria );
        return (int)$total;
--- a/workflow/engine/classes/model/ListMyInbox.php
+++ b/workflow/engine/classes/model/ListMyInbox.php
@@ -123,6 +123,7 @@ class ListMyInbox extends BaseListMyInbox

        if ($data['DEL_INDEX'] == 1 && $data['APP_STATUS'] == 'TO_DO') {
            $data['APP_CREATE_DATE'] = $data['APP_UPDATE_DATE'];
+            $this->remove($data['APP_UID'], $data['USR_UID']);
            $this->create($data);
        } else {
            unset($data['USR_UID']);
--- a/workflow/engine/classes/model/ListParticipatedLast.php
+++ b/workflow/engine/classes/model/ListParticipatedLast.php
@@ -143,9 +143,9 @@ class ListParticipatedLast extends BaseListParticipatedLast
     * @throws type
     *
     */
-    public function remove ($app_uid, $usr_uid)
+    public function remove ($app_uid, $usr_uid, $del_index)
    {
-        $existField = ListParticipatedLastPeer::retrieveByPK($app_uid, $usr_uid);
+        $existField = ListParticipatedLastPeer::retrieveByPK($app_uid, $usr_uid, $del_index);
        if (! is_null( $existField )) {
            $users = new Users();
            $users->refreshTotal($usr_uid, 'removed', 'participated');
--- a/workflow/engine/classes/model/map/ListParticipatedLastMapBuilder.php
+++ b/workflow/engine/classes/model/map/ListParticipatedLastMapBuilder.php
@@ -69,7 +69,7 @@ class ListParticipatedLastMapBuilder

        $tMap->addPrimaryKey('USR_UID', 'UsrUid', 'string', CreoleTypes::VARCHAR, true, 32);

-        $tMap->addColumn('DEL_INDEX', 'DelIndex', 'int', CreoleTypes::INTEGER, true, null);
+        $tMap->addPrimaryKey('DEL_INDEX', 'DelIndex', 'int', CreoleTypes::INTEGER, true, null);

        $tMap->addColumn('TAS_UID', 'TasUid', 'string', CreoleTypes::VARCHAR, true, 32);

--- a/workflow/engine/classes/model/om/BaseListParticipatedLast.php
+++ b/workflow/engine/classes/model/om/BaseListParticipatedLast.php
@@ -1686,6 +1686,7 @@ abstract class BaseListParticipatedLast extends BaseObject implements Persistent

        $criteria->add(ListParticipatedLastPeer::APP_UID, $this->app_uid);
        $criteria->add(ListParticipatedLastPeer::USR_UID, $this->usr_uid);
+        $criteria->add(ListParticipatedLastPeer::DEL_INDEX, $this->del_index);

        return $criteria;
    }
@@ -1703,6 +1704,8 @@ abstract class BaseListParticipatedLast extends BaseObject implements Persistent

        $pks[1] = $this->getUsrUid();

+        $pks[2] = $this->getDelIndex();
+
        return $pks;
    }

@@ -1719,6 +1722,8 @@ abstract class BaseListParticipatedLast extends BaseObject implements Persistent

        $this->setUsrUid($keys[1]);

+        $this->setDelIndex($keys[2]);
+
    }

    /**
@@ -1734,8 +1739,6 @@ abstract class BaseListParticipatedLast extends BaseObject implements Persistent
    public function copyInto($copyObj, $deepCopy = false)
    {

-        $copyObj->setDelIndex($this->del_index);
-
        $copyObj->setTasUid($this->tas_uid);

        $copyObj->setProUid($this->pro_uid);
@@ -1781,6 +1784,8 @@ abstract class BaseListParticipatedLast extends BaseObject implements Persistent

        $copyObj->setUsrUid(''); // this is a pkey column, so set to default value

+        $copyObj->setDelIndex('0'); // this is a pkey column, so set to default value
+
    }

    /**
--- a/workflow/engine/classes/model/om/BaseListParticipatedLastPeer.php
+++ b/workflow/engine/classes/model/om/BaseListParticipatedLastPeer.php
@@ -487,6 +487,9 @@ abstract class BaseListParticipatedLastPeer
            $comparison = $criteria->getComparison(ListParticipatedLastPeer::USR_UID);
            $selectCriteria->add(ListParticipatedLastPeer::USR_UID, $criteria->remove(ListParticipatedLastPeer::USR_UID), $comparison);

+            $comparison = $criteria->getComparison(ListParticipatedLastPeer::DEL_INDEX);
+            $selectCriteria->add(ListParticipatedLastPeer::DEL_INDEX, $criteria->remove(ListParticipatedLastPeer::DEL_INDEX), $comparison);
+
        } else {
            $criteria = $values->buildCriteria(); // gets full criteria
            $selectCriteria = $values->buildPkeyCriteria(); // gets criteria w/ primary key(s)
@@ -560,10 +563,12 @@ abstract class BaseListParticipatedLastPeer

                $vals[0][] = $value[0];
                $vals[1][] = $value[1];
+                $vals[2][] = $value[2];
            }

            $criteria->add(ListParticipatedLastPeer::APP_UID, $vals[0], Criteria::IN);
            $criteria->add(ListParticipatedLastPeer::USR_UID, $vals[1], Criteria::IN);
+            $criteria->add(ListParticipatedLastPeer::DEL_INDEX, $vals[2], Criteria::IN);
        }

        // Set the correct dbName
@@ -626,10 +631,11 @@ abstract class BaseListParticipatedLastPeer
     * Retrieve object using using composite pkey values.
     * @param string $app_uid
       * @param string $usr_uid
+       * @param int $del_index
        * @param      Connection $con
     * @return     ListParticipatedLast
     */
-    public static function retrieveByPK($app_uid, $usr_uid, $con = null)
+    public static function retrieveByPK($app_uid, $usr_uid, $del_index, $con = null)
    {
        if ($con === null) {
            $con = Propel::getConnection(self::DATABASE_NAME);
@@ -637,6 +643,7 @@ abstract class BaseListParticipatedLastPeer
        $criteria = new Criteria();
        $criteria->add(ListParticipatedLastPeer::APP_UID, $app_uid);
        $criteria->add(ListParticipatedLastPeer::USR_UID, $usr_uid);
+        $criteria->add(ListParticipatedLastPeer::DEL_INDEX, $del_index);
        $v = ListParticipatedLastPeer::doSelect($criteria, $con);

        return !empty($v) ? $v[0] : null;
--- a/workflow/engine/classes/triggers/api/class.zimbraApi.php
+++ b/workflow/engine/classes/triggers/api/class.zimbraApi.php
@@ -803,6 +803,9 @@ class Zimbra
    protected function message($message)
    {
        if ($this->debug) {
+            G::LoadSystem('inputfilter');
+            $filter = new InputFilter();
+            $message = $filter->xssFilterHard($message);
            echo $message;
        }
    }
@@ -823,6 +826,9 @@ class Zimbra
     */
    protected function soapRequest($body, $header = false, $connecting = false)
    {
+        G::LoadSystem('inputfilter');
+        $filter = new InputFilter();
+        
        if (!$connecting && !$this->_connected) {
            throw new Exception('zimbra.class: soapRequest called without a connection to Zimbra server');
        }
@@ -842,7 +848,9 @@ class Zimbra

        curl_setopt($this->_curl, CURLOPT_POSTFIELDS, $soap_message);

-        if (!($response = curl_exec($this->_curl))) {
+        $this->_curl = $filter->xssFilterHard($this->_curl,"url");
+        $response = curl_exec($this->_curl);
+        if (!$response) {
            $this->error = 'ERROR: curl_exec - (' . curl_errno($this->_curl) . ') ' . curl_error($this->_curl);
            return false;
        } elseif (strpos($response, '<soap:Body><soap:Fault>') !== false) {
--- a/workflow/engine/config/schema.xml
+++ b/workflow/engine/config/schema.xml
@@ -4017,7 +4017,7 @@
        </vendor>
        <column name="APP_UID" type="VARCHAR" size="32" required="true" primaryKey="true" default=""/>
        <column name="USR_UID" type="VARCHAR" size="32" required="true" primaryKey="true" default=""/>
-        <column name="DEL_INDEX" type="INTEGER" required="true" default="0"/>
+        <column name="DEL_INDEX" type="INTEGER" required="true" primaryKey="true" default=""/>
        <column name="TAS_UID" type="VARCHAR" size="32" required="true" default=""/>
        <column name="PRO_UID" type="VARCHAR" size="32" required="true" default=""/>
        <column name="APP_NUMBER" type="INTEGER" required="true" default="0"/>
--- a/workflow/engine/controllers/adminProxy.php
+++ b/workflow/engine/controllers/adminProxy.php
@@ -1009,6 +1009,12 @@ class adminProxy extends HttpProxyController
    public function uploadImage()
    {
        //!dataSystem
+        
+        G::LoadSystem('inputfilter');
+        $filter = new InputFilter();
+        $_SERVER["REQUEST_URI"] = $filter->xssFilterHard($_SERVER["REQUEST_URI"]);
+        $_FILES = $filter->xssFilterHard($_FILES);
+        
        $ainfoSite = explode("/", $_SERVER["REQUEST_URI"]);
        $dir       = PATH_DATA."sites".PATH_SEP.str_replace("sys","",$ainfoSite[1]).PATH_SEP."files/logos";
        global $_FILES;
@@ -1036,7 +1042,9 @@ class adminProxy extends HttpProxyController
        $uploaded = 0;
        $failed   = 0;
        
-        if (in_array($_FILES['img']['type'], $allowedType)) {
+        $files_img_type = $filter->xssFilterHard($_FILES['img']['type']);
+
+        if (in_array($files_img_type, $allowedType)) {
             // max upload file is 500 KB
            if ($_FILES['img']['size'] <= 500000) {
                $formf     = $_FILES['img'];
@@ -1055,7 +1063,7 @@ class adminProxy extends HttpProxyController
                        $arrayInfo = getimagesize($dir . '/' . 'tmp' . $fileName);
                        $typeMime  = $arrayInfo[2];
                    }
-                    if ($typeMime == $allowedTypeArray['index' . base64_encode($_FILES['img']['type'])]) {
+                    if ($typeMime == $allowedTypeArray['index' . base64_encode($files_img_type)]) {
                        $error = false;
                        try {
                            list($imageWidth, $imageHeight, $imageType) = @getimagesize($dir . '/' . 'tmp' . $fileName);
@@ -1075,10 +1083,10 @@ class adminProxy extends HttpProxyController
            } else {
                $failed = "2";
            }
-        } elseif ($_FILES['img']['type'] != '') {
+        } elseif ($files_img_type != '') {
            $failed = "1";
        }
-        echo '{success: true, failed: ' . $failed . ', uploaded: ' . $uploaded . ', type: "' . $_FILES['img']['type'] . '"}';
+        echo '{success: true, failed: ' . $failed . ', uploaded: ' . $uploaded . ', type: "' . $files_img_type . '"}';
        exit();
    }

--- a/workflow/engine/controllers/installer.php
+++ b/workflow/engine/controllers/installer.php
@@ -433,6 +433,9 @@ class Installer extends Controller
     */
    public function mysqlQuery ($sql)
    {
+        G::LoadSystem('inputfilter');
+        $filter = new InputFilter();
+        $sql = $filter->preventSqlInjection($sql, Array());
        $this->installLog( $sql );
        $query = @mysql_query( $sql, $this->link );
        if (! $query) {
@@ -450,6 +453,9 @@ class Installer extends Controller
     */
    public function mssqlQuery ($sql)
    {
+        G::LoadSystem('inputfilter');
+        $filter = new InputFilter();
+        $sql = $filter->preventSqlInjection($sql, Array());
        $this->installLog( $sql );
        $query = @mssql_query( $sql, $this->link );
        if (! $query) {
@@ -587,9 +593,13 @@ class Installer extends Controller
     */
    public function setGrantPrivilegesMySQL ($psUser, $psPassword, $psDatabase, $host)
    {
+        G::LoadSystem('inputfilter');
+        $filter = new InputFilter();
        $host = ($host == 'localhost' || $host == '127.0.0.1' ? 'localhost' : '%');

-        $sql = sprintf( "GRANT ALL PRIVILEGES ON `%s`.* TO %s@'%s' IDENTIFIED BY '%s' WITH GRANT OPTION", $psDatabase, $psUser, $host, $psPassword );
+        $query = "GRANT ALL PRIVILEGES ON `%s`.* TO %s@'%s' IDENTIFIED BY '%s' WITH GRANT OPTION";
+        $sql = sprintf( $query, $psDatabase, $psUser, $host, $psPassword );
+        $sql = $filter->preventSqlInjection($query, array($psDatabase, $psUser, $host, $psPassword ));
        $query = @mysql_query( $sql, $this->link );

        if (! $query) {
@@ -1200,25 +1210,39 @@ class Installer extends Controller

    public function checkDatabases ()
    {
+        G::LoadSystem('inputfilter');
+        $filter = new InputFilter();
        $this->setResponseType( 'json' );
        $info = new stdclass();

        if ($_REQUEST['db_engine'] == 'mysql') {
            $link = @mysql_connect( $_REQUEST['db_hostname'], $_REQUEST['db_username'], $_REQUEST['db_password'] );
-            $dataset = @mysql_query( "show databases like '" . $_REQUEST['wfDatabase'] . "'", $link );
+            $_REQUEST['wfDatabase'] = $filter->validateInput($_REQUEST['wfDatabase'], 'nosql');
+            $query = "show databases like '%s' ";
+            $query = $filter->preventSqlInjection( $query, array($_REQUEST['wfDatabase']) );
+            $dataset = @mysql_query( $query, $link );
            $info->wfDatabaseExists = (@mysql_num_rows( $dataset ) > 0);
        } else if ($_REQUEST['db_engine'] == 'mssql') {
            $link = @mssql_connect( $_REQUEST['db_hostname'], $_REQUEST['db_username'], $_REQUEST['db_password'] );
-            $dataset = @mssql_query( "select * from sys.databases where name = '" . $_REQUEST['wfDatabase'] . "'", $link );
+            $_REQUEST['wfDatabase'] = $filter->validateInput($_REQUEST['wfDatabase'], 'nosql');
+            $query = "select * from sys.databases where name = '%s' ";
+            $query = $filter->preventSqlInjection( $query, array($_REQUEST['wfDatabase']) );
+            $dataset = @mssql_query( $query , $link );
            $info->wfDatabaseExists = (@mssql_num_rows( $dataset ) > 0);
        } else if ($_REQUEST['db_engine'] == 'sqlsrv') {
            $arguments = array("UID" => $_REQUEST['db_username'], "PWD" => $_REQUEST['db_password']);
            $link = @sqlsrv_connect( $_REQUEST['db_hostname'], $arguments);
-            $dataset = @sqlsrv_query( $link, "select * from sys.databases where name = '" . $_REQUEST['wfDatabase'] . "'");
+            $_REQUEST['wfDatabase'] = $filter->validateInput($_REQUEST['wfDatabase'], 'nosql');
+            $query = "select * from sys.databases where name = '%s' ";
+            $query = $filter->preventSqlInjection( $query, array($_REQUEST['wfDatabase']) );
+            $dataset = @sqlsrv_query( $link, $query );
            $info->wfDatabaseExists = (@sqlsrv_num_rows( $dataset ) > 0);
        } else {
            $link = @mssql_connect( $_REQUEST['db_hostname'], $_REQUEST['db_username'], $_REQUEST['db_password'] );
-            $dataset = @mssql_query( "select * from sys.databases where name = '" . $_REQUEST['wfDatabase'] . "'", $link );
+            $_REQUEST['wfDatabase'] = $filter->validateInput($_REQUEST['wfDatabase'], 'nosql');
+            $query = "select * from sys.databases where name = '%s' ";
+            $query = $filter->preventSqlInjection( $query, array($_REQUEST['wfDatabase']) );
+            $dataset = @mssql_query( $query , $link );
            $info->wfDatabaseExists = (@mssql_num_rows( $dataset ) > 0);
        }

@@ -1233,6 +1257,8 @@ class Installer extends Controller

    private function testMySQLconnection ()
    {
+        G::LoadSystem('inputfilter');
+        $filter = new InputFilter();
        $info = new StdClass();
        $info->result = false;
        $info->message = '';
@@ -1256,7 +1282,11 @@ class Installer extends Controller
            $info->message .= G::LoadTranslation('ID_MYSQL_CREDENTIALS_WRONG');
            return $info;
        }
-        $res = @mysql_query( "SELECT * FROM `information_schema`.`USER_PRIVILEGES` where (GRANTEE = \"'$db_username'@'$db_hostname'\" OR GRANTEE = \"'$db_username'@'%'\") ", $link );
+        $db_username = $filter->validateInput($db_username, 'nosql');
+        $db_hostname = $filter->validateInput($db_hostname, 'nosql');
+        $query = "SELECT * FROM `information_schema`.`USER_PRIVILEGES` where (GRANTEE = \"'%s'@'%s'\" OR GRANTEE = \"'%s'@'%'\") ";
+        $query = $filter->preventSqlInjection($query, array($db_username, $db_hostname, $db_username));
+        $res = @mysql_query( $query, $link );
        $row = @mysql_fetch_array( $res );
        $hasSuper = is_array( $row );
        @mysql_free_result( $res );
--- a/workflow/engine/data/mysql/schema.sql
+++ b/workflow/engine/data/mysql/schema.sql
@@ -2285,7 +2285,7 @@ CREATE TABLE `LIST_PARTICIPATED_LAST`
 	`DEL_DUE_DATE` DATETIME,
 	`DEL_PRIORITY` VARCHAR(32) default '3' NOT NULL,
 	`DEL_THREAD_STATUS` VARCHAR(32) default 'OPEN' NOT NULL,
-	PRIMARY KEY (`APP_UID`,`USR_UID`)
+	PRIMARY KEY (`APP_UID`,`USR_UID`,`DEL_INDEX`)
 )ENGINE=InnoDB  DEFAULT CHARSET='utf8' COMMENT='Participated last list';
 #-----------------------------------------------------------------------------
 #-- LIST_COMPLETED
--- a/workflow/engine/methods/appFolder/appFolderAjax.php
+++ b/workflow/engine/methods/appFolder/appFolderAjax.php
@@ -1,4 +1,9 @@
 <?php
+G::LoadSystem('inputfilter');
+$filter = new InputFilter();
+$_POST = $filter->xssFilterHard($_POST);
+$_GET = $filter->xssFilterHard($_GET);
+$_REQUEST = $filter->xssFilterHard($_REQUEST);
 if (! isset ($_SESSION ['USER_LOGGED'])) {
    $res ['success'] = false;
    $res ['error'] = G::LoadTranslation('ID_LOGIN_AGAIN');
--- a/workflow/engine/methods/cases/ajaxListener.php
+++ b/workflow/engine/methods/cases/ajaxListener.php
@@ -33,6 +33,12 @@
 //require_once 'classes/model/AppDelay.php';
 //require_once 'classes/model/Process.php';
 //require_once 'classes/model/Task.php';
+
+G::LoadSystem('inputfilter');
+$filter = new InputFilter();
+$_REQUEST = $filter->xssFilterHard($_REQUEST);
+$_POST = $filter->xssFilterHard($_POST);
+
 if(isset($_REQUEST['action']) && $_REQUEST['action'] == "verifySession" ) {
    if (!isset($_SESSION['USER_LOGGED'])) {
        $response = new stdclass();
--- a/workflow/engine/methods/cases/caseMessageHistory_Ajax.php
+++ b/workflow/engine/methods/cases/caseMessageHistory_Ajax.php
@@ -21,6 +21,10 @@
 * For more information, contact Colosa Inc, 2566 Le Jeune Rd.,
 * Coral Gables, FL, 33134, USA, or email info@colosa.com.
 */
+G::LoadSystem('inputfilter');
+$filter = new InputFilter();
+$_POST = $filter->xssFilterHard($_POST);
+$_REQUEST = $filter->xssFilterHard($_REQUEST);

 $arrayToTranslation = array(
    "TRIGGER"    => G::LoadTranslation("ID_TRIGGER_DB"),
@@ -31,11 +35,11 @@ $actionAjax = isset( $_REQUEST['actionAjax'] ) ? $_REQUEST['actionAjax'] : null;

 if ($actionAjax == 'messageHistoryGridList_JXP') {

-    if (!isset($_REQUEST['start'])) {
+    if (!isset($_REQUEST['start']) || $_REQUEST['start'] =='') {
        $_REQUEST['start'] = 0;
    }

-    if (!isset($_REQUEST['limit'])) {
+    if (!isset($_REQUEST['limit']) || $_REQUEST['limit'] =='') {
        $_REQUEST['limit'] = 20;
    }

--- a/workflow/engine/methods/cases/casesHistoryDynaformPage_Ajax.php
+++ b/workflow/engine/methods/cases/casesHistoryDynaformPage_Ajax.php
@@ -22,6 +22,13 @@
 * Coral Gables, FL, 33134, USA, or email info@colosa.com.
 */
 
+G::LoadSystem('inputfilter');
+$filter = new InputFilter();
+$_GET = $filter->xssFilterHard($_GET);
+$_POST = $filter->xssFilterHard($_POST);
+$_REQUEST = $filter->xssFilterHard($_REQUEST);
+$_SESSION = $filter->xssFilterHard($_SESSION); 
+
 $actionAjax = isset( $_REQUEST['actionAjax'] ) ? $_REQUEST['actionAjax'] : null;

 if ($actionAjax == "historyDynaformPage") {
--- a/workflow/engine/methods/cases/casesListExtJs.php
+++ b/workflow/engine/methods/cases/casesListExtJs.php
@@ -213,7 +213,6 @@ $menuPerms = $menuPerms . ($RBAC->userCanAccess( 'PM_REASSIGNCASE' ) == 1) ? 'R'
 $oHeadPublisher->assign( '___p34315105', $menuPerms ); // user menu permissions
 G::LoadClass( 'configuration' );
 $c = new Configurations();
-
 //$oHeadPublisher->addExtJsScript('cases/caseUtils', true);
 $oHeadPublisher->addExtJsScript( 'app/main', true );
 $oHeadPublisher->addExtJsScript( 'cases/casesList', false ); //adding a javascript file .js
--- a/workflow/engine/methods/cases/casesList_Ajax.php
+++ b/workflow/engine/methods/cases/casesList_Ajax.php
@@ -40,6 +40,12 @@ require_once ("classes/model/AdditionalTables.php");
 require_once ("classes/model/AppDelay.php");*/
 G::LoadClass( 'case' );

+G::LoadSystem('inputfilter');
+$filter = new InputFilter();
+$_POST = $filter->xssFilterHard($_POST);
+$_REQUEST = $filter->xssFilterHard($_REQUEST);
+$_SESSION = $filter->xssFilterHard($_SESSION); 
+
 $actionAjax = isset( $_REQUEST['actionAjax'] ) ? $_REQUEST['actionAjax'] : null;

 function filterUserListArray($users = array(), $filter = '')
--- a/workflow/engine/methods/cases/casesStartPage_Ajax.php
+++ b/workflow/engine/methods/cases/casesStartPage_Ajax.php
@@ -1,4 +1,9 @@
 <?php
+G::LoadSystem('inputfilter');
+$filter = new InputFilter();
+$_POST = $filter->xssFilterHard($_POST);
+$_REQUEST = $filter->xssFilterHard($_REQUEST);
+$_SESSION = $filter->xssFilterHard($_SESSION);
 if (!isset($_SESSION['USER_LOGGED'])) {
    $res = new stdclass();
    $res->message = G::LoadTranslation('ID_LOGIN_AGAIN');
@@ -215,6 +220,11 @@ function lookinginforContentProcess ($sproUid)
 function startCase ()
 {
    G::LoadClass( 'case' );
+    G::LoadSystem('inputfilter');
+    $filter = new InputFilter();
+    $_POST = $filter->xssFilterHard($_POST);
+    $_REQUEST = $filter->xssFilterHard($_REQUEST);
+    $_SESSION = $filter->xssFilterHard($_SESSION);

    /* GET , POST & $_SESSION Vars */
    /* unset any variable, because we are starting a new case */
@@ -241,6 +251,7 @@ function startCase ()
        lookinginforContentProcess( $_POST['processId'] );

        $aData = $oCase->startCase( $_REQUEST['taskId'], $_SESSION['USER_LOGGED'] );
+        $aData = $filter->xssFilterHard($aData);

        $_SESSION['APPLICATION'] = $aData['APPLICATION'];
        $_SESSION['INDEX'] = $aData['INDEX'];
--- a/workflow/engine/methods/cases/cases_Ajax.php
+++ b/workflow/engine/methods/cases/cases_Ajax.php
@@ -1,4 +1,11 @@
 <?php
+G::LoadSystem('inputfilter');
+$filter = new InputFilter();
+$_GET = $filter->xssFilterHard($_GET);
+$_POST = $filter->xssFilterHard($_POST);
+$_REQUEST = $filter->xssFilterHard($_REQUEST);
+$_SESSION = $filter->xssFilterHard($_SESSION);
+
 if (!isset($_SESSION['USER_LOGGED'])) {
    $response = new stdclass();
    $response->message = G::LoadTranslation('ID_LOGIN_AGAIN');
@@ -243,12 +250,16 @@ switch (($_POST['action']) ? $_POST['action'] : $_REQUEST['action']) {
        G::RenderPage( 'publish', 'raw' );
        break;
    case 'showUsers':
+        $_POST['TAS_ASSIGN_TYPE'] = $filter->xssFilterHard($_POST['TAS_ASSIGN_TYPE']);
        switch ($_POST['TAS_ASSIGN_TYPE']) {
            // switch verify $_POST['TAS_ASSIGN_TYPE']
            case 'BALANCED':
+                $_POST['USR_UID'] = $filter->xssFilterHard($_POST['USR_UID']);
                G::LoadClass( 'user' );
                $oUser = new User( new DBConnection() );
                $oUser->load( $_POST['USR_UID'] );
+                $oUser->Fields['USR_FIRSTNAME'] = $filter->xssFilterHard($oUser->Fields['USR_FIRSTNAME']);
+                $oUser->Fields['USR_LASTNAME'] = $filter->xssFilterHard($oUser->Fields['USR_LASTNAME']);
                echo $oUser->Fields['USR_FIRSTNAME'] . ' ' . $oUser->Fields['USR_LASTNAME'] . '<input type="hidden" name="form[TASKS][1][USR_UID]" id="form[TASKS][1][USR_UID]" value="' . $_POST['USR_UID'] . '">';
                break;
            case 'MANUAL':
@@ -300,6 +311,8 @@ switch (($_POST['action']) ? $_POST['action'] : $_REQUEST['action']) {
                echo $sAux;
                break;
            case 'EVALUATE':
+                $_POST['TAS_ASSIGN_VARIABLE'] = $filter->xssFilterHard($_POST['TAS_ASSIGN_VARIABLE']);
+                $_SESSION['APPLICATION'] = $filter->xssFilterHard($_SESSION['APPLICATION']);
                G::LoadClass( 'application' );
                $oApplication = new Application( new DBConnection() );
                $oApplication->load( $_SESSION['APPLICATION'] );
@@ -315,7 +328,8 @@ switch (($_POST['action']) ? $_POST['action'] : $_REQUEST['action']) {
                    $oUser->load( $sUser );
                    echo $oUser->Fields['USR_FIRSTNAME'] . ' ' . $oUser->Fields['USR_LASTNAME'] . '<input type="hidden" name="form[TASKS][1][USR_UID]" id="form[TASKS][1][USR_UID]" value="' . $sUser . '">';
                } else {
-                    echo '<strong>Error: </strong>' . $_POST['TAS_ASSIGN_VARIABLE'] . ' ' . G::LoadTranslation( 'ID_EMPTY' );
+                    $ID_EMPTY = $filter->xssFilterHard(G::LoadTranslation( 'ID_EMPTY' ));
+                    echo '<strong>Error: </strong>' . $_POST['TAS_ASSIGN_VARIABLE'] . ' ' . $ID_EMPTY;
                    echo '<input type="hidden" name="_ERROR_" id="_ERROR_" value="">';
                }
                break;
@@ -447,6 +461,9 @@ switch (($_POST['action']) ? $_POST['action'] : $_REQUEST['action']) {
        $cases->reassignCase( $_SESSION['APPLICATION'], $_SESSION['INDEX'], $_SESSION['USER_LOGGED'], $_POST['USR_UID'], $_POST['THETYPE'] );
        break;
    case 'toRevisePanel':
+        $_POST['APP_UID'] = $filter->xssFilterHard($_POST['APP_UID']);
+        $_POST['DEL_INDEX'] = $filter->xssFilterHard($_POST['DEL_INDEX']);
+
        $_GET['APP_UID'] = $_POST['APP_UID'];
        $_GET['DEL_INDEX'] = $_POST['DEL_INDEX'];
        $G_PUBLISH = new Publisher();
--- a/workflow/engine/methods/cases/cases_StepToRevise.php
+++ b/workflow/engine/methods/cases/cases_StepToRevise.php
@@ -23,6 +23,9 @@
 */
 //  die("first");
 /* Permissions */
+G::LoadSystem('inputfilter');
+$filter = new InputFilter();
+$_GET = $filter->xssFilterHard($_GET,"url");
 switch ($RBAC->userCanAccess( 'PM_SUPERVISOR' )) {
    case - 2:
        G::SendTemporalMessage( 'ID_USER_HAVENT_RIGHTS_SYSTEM', 'error', 'labels' );
@@ -35,8 +38,9 @@ switch ($RBAC->userCanAccess( 'PM_SUPERVISOR' )) {
        die();
        break;
 }
-
+$_SESSION = $filter->xssFilterHard($_SESSION,"url");
 if ((int) $_SESSION['INDEX'] < 1) {
+    $_SERVER['HTTP_REFERER'] = $filter->xssFilterHard($_SERVER['HTTP_REFERER']);
    G::SendTemporalMessage( 'ID_USER_HAVENT_RIGHTS_PAGE', 'error', 'labels' );
    G::header( 'location: ' . $_SERVER['HTTP_REFERER'] );
    die();
--- a/workflow/engine/methods/cases/cases_StepToReviseInputs.php
+++ b/workflow/engine/methods/cases/cases_StepToReviseInputs.php
@@ -23,6 +23,9 @@
 */
 //die("second");
 /* Permissions */
+G::LoadSystem('inputfilter');
+$filter = new InputFilter();
+$_GET = $filter->xssFilterHard($_GET,"url");
 switch ($RBAC->userCanAccess( 'PM_SUPERVISOR' )) {
    case - 2:
        G::SendTemporalMessage( 'ID_USER_HAVENT_RIGHTS_SYSTEM', 'error', 'labels' );
@@ -35,8 +38,9 @@ switch ($RBAC->userCanAccess( 'PM_SUPERVISOR' )) {
        die();
        break;
 }
-
+$_SESSION = $filter->xssFilterHard($_SESSION,"url");
 if ((int) $_SESSION['INDEX'] < 1) {
+    $_SERVER['HTTP_REFERER'] = $filter->xssFilterHard($_SERVER['HTTP_REFERER']);
    G::SendTemporalMessage( 'ID_USER_HAVENT_RIGHTS_PAGE', 'error', 'labels' );
    G::header( 'location: ' . $_SERVER['HTTP_REFERER'] );
    die();
--- a/workflow/engine/methods/cases/cases_StepToReviseOutputs.php
+++ b/workflow/engine/methods/cases/cases_StepToReviseOutputs.php
@@ -23,6 +23,9 @@
 */

 /* Permissions */
+G::LoadSystem('inputfilter');
+$filter = new InputFilter();
+$_GET = $filter->xssFilterHard($_GET,"url");
 switch ($RBAC->userCanAccess( 'PM_SUPERVISOR' )) {
    case - 2:
        G::SendTemporalMessage( 'ID_USER_HAVENT_RIGHTS_SYSTEM', 'error', 'labels' );
@@ -35,7 +38,7 @@ switch ($RBAC->userCanAccess( 'PM_SUPERVISOR' )) {
        die();
        break;
 }
-
+$_SESSION = $filter->xssFilterHard($_SESSION,"url");
 /* Includes */
 G::LoadClass( 'case' );

--- a/workflow/engine/methods/cases/cases_ToReviseOutputDocView.php
+++ b/workflow/engine/methods/cases/cases_ToReviseOutputDocView.php
@@ -23,6 +23,9 @@
 */

 /* Permissions */
+G::LoadSystem('inputfilter');
+$filter = new InputFilter();
+$_GET = $filter->xssFilterHard($_GET,"url");
 switch ($RBAC->userCanAccess( 'PM_SUPERVISOR' )) {
    case - 2:
        G::SendTemporalMessage( 'ID_USER_HAVENT_RIGHTS_SYSTEM', 'error', 'labels' );
@@ -35,7 +38,7 @@ switch ($RBAC->userCanAccess( 'PM_SUPERVISOR' )) {
        die();
        break;
 }
-
+$_SESSION = $filter->xssFilterHard($_SESSION,"url");
 /* Includes */
 G::LoadClass( 'case' );

--- a/workflow/engine/methods/cases/cases_generatePMTable.php
+++ b/workflow/engine/methods/cases/cases_generatePMTable.php
@@ -4,6 +4,9 @@
 * and open the template in the editor.
 */

+G::LoadSystem('inputfilter');
+$filter = new InputFilter();
+$_POST = $filter->xssFilterHard($_POST);
 require_once ("classes/model/AdditionalTables.php");
 require_once ("classes/model/Fields.php");
 // passing the parameters
--- a/workflow/engine/methods/cases/proxyPMTablesFieldList.php
+++ b/workflow/engine/methods/cases/proxyPMTablesFieldList.php
@@ -744,6 +744,7 @@ function xgetFieldsFromPMTable($tabUid)
    $oCriteria->addSelectColumn ( FieldsPeer::FLD_INDEX );
    $oCriteria->add (FieldsPeer::ADD_TAB_UID, $tabUid , CRITERIA::EQUAL );
    $oCriteria->add (FieldsPeer::FLD_NAME, 'APP_UID' , CRITERIA::NOT_EQUAL );
+    $oCriteria->addAnd (FieldsPeer::FLD_NAME, 'APP_NUMBER' , CRITERIA::NOT_EQUAL );
    $oCriteria->addDescendingOrderByColumn('FLD_INDEX');
    $oDataset = FieldsPeer::doSelectRS($oCriteria);
    $oDataset->setFetchmode(ResultSet::FETCHMODE_ASSOC);
--- a/workflow/engine/methods/controls/varsAjax.php
+++ b/workflow/engine/methods/controls/varsAjax.php
@@ -22,11 +22,19 @@
 * Coral Gables, FL, 33134, USA, or email info@colosa.com.
 *
 */
+ 
+G::LoadSystem('inputfilter');
+$filter = new InputFilter();
+$_POST = $filter->xssFilterHard($_POST);
+$_REQUEST = $filter->xssFilterHard($_REQUEST);
+ 
 $_SERVER["QUERY_STRING"] = isset($_SERVER["QUERY_STRING"])?$_SERVER["QUERY_STRING"]:'';
 $_REQUEST["sProcess"] = isset($_REQUEST["sProcess"])?$_REQUEST["sProcess"]:'';
 $_REQUEST["sFieldName"] = isset($_REQUEST["sFieldName"])?$_REQUEST["sFieldName"]:'';
 $_REQUEST['sSymbol']= isset($_REQUEST["sSymbol"])?$_REQUEST["sSymbol"]:'';

+$_SERVER["QUERY_STRING"] = $filter->xssFilterHard($_SERVER["QUERY_STRING"]);
+
 $html = '<form action="uploader.php?'.$_SERVER["QUERY_STRING"].'&q=upload" onLoad="onLoad()" method="post" enctype="multipart/form-data" onsubmit="">';
 $html .= '<div id="d_variables">';
 $html .= '<table width="90%" align="center">';
@@ -40,24 +48,24 @@ $html .= '</tr>';

 $html .= '<tr>';
 $html .= '<td width="50%">';
-$html .= '<label for="type_label">'.G::LoadTranslation('ID_TINY_TYPE_VARIABLE').'</label>';
+$html .= '<label for="type_label">'.$filter->xssFilterHard(G::LoadTranslation('ID_TINY_TYPE_VARIABLE')).'</label>';
 $html .= '</td>';

 $html .= '<td width="25%">';
-$html .= '<label for="prefix_label">'.G::LoadTranslation('ID_PREFIX').'</label>';
+$html .= '<label for="prefix_label">'.$filter->xssFilterHard(G::LoadTranslation('ID_PREFIX')).'</label>';
 $html .= '</td>';

 $html .= '<td width="25%">';
-$html .= '<label for="variables_label">'.G::LoadTranslation( 'ID_SEARCH').'</label>';
+$html .= '<label for="variables_label">'.$filter->xssFilterHard(G::LoadTranslation( 'ID_SEARCH')).'</label>';
 $html .= '</td>';
 $html .= '</tr>';

 $html .= '<tr>';
 $html .= '<td width="25%">';
 $html .= '<select name="type_variables" id="type_variables">';
-$html .= '<option value="all">'.G::LoadTranslation( 'ID_TINY_ALL_VARIABLES' ).'</option>';
-$html .= '<option value="system">'.G::LoadTranslation( 'ID_TINY_SYSTEM_VARIABLES' ).'</option>';
-$html .= '<option value="process">'.G::LoadTranslation( 'ID_TINY_PROCESS_VARIABLES' ).'</option>';
+$html .= '<option value="all">'.$filter->xssFilterHard(G::LoadTranslation( 'ID_TINY_ALL_VARIABLES' )).'</option>';
+$html .= '<option value="system">'.$filter->xssFilterHard(G::LoadTranslation( 'ID_TINY_SYSTEM_VARIABLES' )).'</option>';
+$html .= '<option value="process">'.$filter->xssFilterHard(G::LoadTranslation( 'ID_TINY_PROCESS_VARIABLES' )).'</option>';
 $html .= '</select> &nbsp;&nbsp;&nbsp;&nbsp;';
 $html .= '</td>';

@@ -79,7 +87,7 @@ $html .= '<input type="text" id="search" size="15">';
 $html .= '</td>';
 $html .= '</tr>';
 $html .= '<tr>';
-$html .= '<tr><td><label for="prefix_label">'.G::LoadTranslation( 'ID_VARIABLES' ).'</label></td></tr>';
+$html .= '<tr><td><label for="prefix_label">'.$filter->xssFilterHard(G::LoadTranslation( 'ID_VARIABLES' )).'</label></td></tr>';
 $html .= '<tr>';

 $html .= '<td colspan="3">';
@@ -114,19 +122,19 @@ $html .= '</div>';
 $html .= '<br>';
 $html .= '<table border="1" width="90%" align="center">';
 $html .= '<tr width="40%">';
-$html .= '<td>'.G::LoadTranslation('ID_RESULT').'</td>';
+$html .= '<td>'.$filter->xssFilterHard(G::LoadTranslation('ID_RESULT')).'</td>';
 $html .= '<td><span id="selectedVariableLabel">@@SYS_LANG</span></td>';
 $html .= '</tr>';
 $html .= '<tr width="60%">';
-$html .= '<td>'.G::LoadTranslation('ID_DESCRIPTION').'</td>';
-$html .= '<td><span id="desc_variables">'.G::LoadTranslation('ID_SYSTEM').'</span></td>';
+$html .= '<td>'.$filter->xssFilterHard(G::LoadTranslation('ID_DESCRIPTION')).'</td>';
+$html .= '<td><span id="desc_variables">'.$filter->xssFilterHard(G::LoadTranslation('ID_SYSTEM')).'</span></td>';
 $html .= '</tr>';
 $html .= '</table>';
 $html .= '</div>';
 $html .= '<br>';
 $html .= '<table width="90%" align="center">';
 $html .= '<tr><td>';
-$html .= '<label for="desc_prefix">*<span id="desc_prefix">' . G::LoadTranslation( 'ID_TO_STRING' ) . '</span></label>';
+$html .= '<label for="desc_prefix">*<span id="desc_prefix">'.$filter->xssFilterHard(G::LoadTranslation( 'ID_TO_STRING' )).'</span></label>';
 $html .= '</td></tr>';
 $html .= '</div>';

--- a/workflow/engine/methods/dbConnections/dbConnectionsAjax.php
+++ b/workflow/engine/methods/dbConnections/dbConnectionsAjax.php
@@ -30,6 +30,11 @@
 * @Param  var action from POST request
 */

+G::LoadSystem('inputfilter');
+$filter = new InputFilter();
+$_POST = $filter->xssFilterHard($_POST);
+$_SESSION = $filter->xssFilterHard($_SESSION);
+
 if (isset( $_POST['action'] ) || isset( $_POST['function'] )) {
    $action = (isset( $_POST['action'] )) ? $_POST['action'] : $_POST['function'];
 } else {
--- a/workflow/engine/methods/departments/departments_Ajax.php
+++ b/workflow/engine/methods/departments/departments_Ajax.php
@@ -23,6 +23,11 @@
 * Coral Gables, FL, 33134, USA, or email info@colosa.com.
 */

+G::LoadSystem('inputfilter');
+$filter = new InputFilter();
+$_POST = $filter->xssFilterHard($_POST);
+$_REQUEST = $filter->xssFilterHard($_REQUEST);
+
 function LookForChildren ($parent, $level, $aDepUsers)
 {
    G::LoadClass( 'configuration' );
--- a/workflow/engine/methods/dynaforms/dynaforms_Editor.php
+++ b/workflow/engine/methods/dynaforms/dynaforms_Editor.php
@@ -21,6 +21,12 @@
 * For more information, contact Colosa Inc, 2566 Le Jeune Rd.,
 * Coral Gables, FL, 33134, USA, or email info@colosa.com.
 */
+ 
+G::LoadSystem('inputfilter');
+$filter = new InputFilter();
+$_POST = $filter->xssFilterHard($_POST);
+$_GET = $filter->xssFilterHard($_GET);
+ 
 if (($RBAC_Response = $RBAC->userCanAccess( "PM_FACTORY" )) != 1) {
    return $RBAC_Response;
 }
@@ -38,6 +44,9 @@ $G_SUB_MENU = 'processes';
 $G_ID_MENU_SELECTED = 'PROCESSES';
 $G_ID_SUB_MENU_SELECTED = 'FIELDS';

+$_GET['PRO_UID'] = $filter->xssFilterHard($_GET['PRO_UID']);
+$_GET['DYN_UID'] = $filter->xssFilterHard($_GET['DYN_UID']);
+
 $PRO_UID = isset( $_GET['PRO_UID'] ) ? $_GET['PRO_UID'] : '0';
 $DYN_UID = (isset( $_GET['DYN_UID'] )) ? urldecode( $_GET['DYN_UID'] ) : '0';
 $_SESSION['PROCESS'] = $_GET['PRO_UID'];
@@ -50,6 +59,7 @@ if ($process->exists( $PRO_UID )) {
    $process->load( $PRO_UID );
 } else {
    //TODO
+    $PRO_UID = $filter->xssFilterHard($PRO_UID);
    print ("$PRO_UID doesn't exist, continue? yes") ;
 }

--- a/workflow/engine/methods/dynaforms/dynaforms_checkDependentFields.php
+++ b/workflow/engine/methods/dynaforms/dynaforms_checkDependentFields.php
@@ -28,6 +28,10 @@
 * also the functionality of dependent fields in grids doesn't depends in this
 * file so this is somewhat expendable.
 */
+G::LoadSystem('inputfilter');
+$filter = new InputFilter();
+$_POST = $filter->xssFilterHard($_POST);
+
 function subDependencies ($k, &$G_FORM, &$aux, $grid = '')
 {
    $myDependentFields = '';
--- a/workflow/engine/methods/dynaforms/fieldsHandlerAjax.php
+++ b/workflow/engine/methods/dynaforms/fieldsHandlerAjax.php
@@ -25,6 +25,9 @@
  * @Date Aug 26th, 2009
  */

+G::LoadSystem('inputfilter');
+$filter = new InputFilter();
+$_POST = $filter->xssFilterHard($_POST);
 $request = $_POST['request'];

 switch ($request) {
@@ -32,6 +35,7 @@ switch ($request) {
        if (isset( $_POST['items'] )) {
            $items = $_POST['items'];
            $tmpfilename = $_SESSION['Current_Dynafom']['Parameters']['FILE'];
+            $tmpfilename = $filter->xssFilterHard($tmpfilename);
            G::LoadSystem( 'dynaformhandler' );

            $o = new dynaFormHandler( PATH_DYNAFORM . "{$tmpfilename}.xml" );
@@ -53,6 +57,7 @@ switch ($request) {
        break;
    case 'saveHidden':
        $tmpfilename = $_SESSION['Current_Dynafom']['Parameters']['FILE'];
+        $tmpfilename = $filter->xssFilterHard($tmpfilename);
        G::LoadSystem( 'dynaformhandler' );
        $o = new dynaFormHandler( PATH_DYNAFORM . "{$tmpfilename}.xml" );
        $hidden_items = Array ();
--- a/workflow/engine/methods/dynaforms/test.php
+++ b/workflow/engine/methods/dynaforms/test.php
@@ -51,8 +51,11 @@ for ($r = 1; $r < 10; $r ++) {
 	</select> <input type="submit" value="Send" />
 </form>
 <?php
+G::LoadSystem('inputfilter');
+$filter = new InputFilter();
 $test = $_POST['form']['test'];
 if ($test) {
+    $test = $filter->xssFilterHard($test);
    foreach ($test as $t) {
        echo 'You selected ', $t, '<br />';
    }
--- a/workflow/engine/methods/outputdocs/outputdocs_Ajax.php
+++ b/workflow/engine/methods/outputdocs/outputdocs_Ajax.php
@@ -1,4 +1,7 @@
 <?php
+G::LoadSystem('inputfilter');
+$filter = new InputFilter();
+$_REQUEST = $filter->xssFilterHard($_REQUEST);

 $action = isset( $_REQUEST['action'] ) ? $_REQUEST['action'] :'';

@@ -9,6 +12,7 @@ if ($action == '') {

 switch ($action) {
    case 'setTemplateFile':
+        $_FILES = $filter->xssFilterHard($_FILES);
        //print_r($_FILES);
        $_SESSION['outpudocs_tmpFile'] = PATH_DATA . $_FILES['templateFile']['name'];
        //    file_put_contents($_FILES['templateFile']['name'], file_get_contents($_FILES['templateFile']['tmp_name']));
@@ -21,6 +25,7 @@ switch ($action) {
        break;

    case 'getTemplateFile':
+        $_SESSION['outpudocs_tmpFile'] = $filter->xssFilterHard($_SESSION['outpudocs_tmpFile']);
        $aExtensions = array ("exe","com","dll","ocx","fon","ttf","doc","xls","mdb","rtf","bin","jpeg","jpg","jif","jfif","gif","tif","tiff","png","bmp","pdf","aac","mp3","mp3pro","vorbis","realaudio","vqf","wma","aiff","flac","wav","midi","mka","ogg","jpeg","ilbm","tar","zip","rar","arj","gzip","bzip2","afio","kgb","gz","asf","avi","mov","iff","ogg","ogm","mkv","3gp"
        );
        $sFileName = strtolower( $_SESSION['outpudocs_tmpFile'] );
@@ -28,11 +33,15 @@ switch ($action) {
        $searchPos = strpos( $strRev, '.' );
        $pos = (strlen( $sFileName ) - 1) - $searchPos;
        $sExtension = substr( $sFileName, $pos + 1, strlen( $sFileName ) );
-        if (! in_array( $sExtension, $aExtensions ))
-            echo $content = file_get_contents( $_SESSION['outpudocs_tmpFile'] );
+        if (! in_array( $sExtension, $aExtensions )) {
+            $content = file_get_contents( $_SESSION['outpudocs_tmpFile'] );
+            $content = $filter->xssFilterHard($content);
+            echo $content;
+        }
        break;

    case 'loadTemplateContent':
+        $_POST = $filter->xssFilterHard($_POST);
        require_once 'classes/model/OutputDocument.php';
        $ooutputDocument = new OutputDocument();
        if (isset( $_POST['OUT_DOC_UID'] )) {
@@ -43,6 +52,7 @@ switch ($action) {
        break;

    case 'lookForNameOutput':
+        $_POST = $filter->xssFilterHard($_POST);
        require_once ('classes/model/Content.php');
        require_once ("classes/model/OutputDocument.php");

--- a/workflow/engine/methods/processes/processes_Ajax.php
+++ b/workflow/engine/methods/processes/processes_Ajax.php
@@ -39,6 +39,13 @@ try {
      } */
    //$oJSON = new Services_JSON();
    
+    G::LoadSystem('inputfilter');
+    $filter = new InputFilter();
+    $_GET = $filter->xssFilterHard($_GET);
+    $_POST = $filter->xssFilterHard($_POST);
+    $_REQUEST = $filter->xssFilterHard($_REQUEST);
+    //$_SESSION = $filter->xssFilterHard($_SESSION); 
+
    if (isset($_REQUEST['data'])) {
        if($_REQUEST['action']=="addText"||$_REQUEST['action']=="updateText") {
            $oData = Bootstrap::json_decode($_REQUEST['data']);
@@ -741,6 +748,8 @@ try {
            // G::RenderPage( 'publish', 'blank' );
            break;
        case 'saveFile':
+            $_REQUEST['pro_uid'] = $filter->xssFilterHard($_REQUEST['pro_uid']);
+            $_REQUEST['filename'] = $filter->xssFilterHard($_REQUEST['filename']);
            global $G_PUBLISH;
            $G_PUBLISH = new Publisher();
            global $RBAC;
@@ -754,6 +763,7 @@ try {

                $sDir = "";
                if (isset($_REQUEST['MAIN_DIRECTORY'])) {
+                    $_REQUEST['MAIN_DIRECTORY'] = $filter->xssFilterHard($_REQUEST['MAIN_DIRECTORY']);
                    $sDir = $_REQUEST['MAIN_DIRECTORY'];
                }
                switch ($sDir) {
@@ -775,6 +785,7 @@ try {
                $content = base64_decode($content);
                fwrite($fp, $content);
                fclose($fp);
+                $sDirectory = $filter->xssFilterHard($sDirectory);
                echo 'saved: ' . $sDirectory;
            }
            break;
@@ -830,8 +841,10 @@ try {
            *
            */
        case 'getVariablePrefix':
+            $_REQUEST['prefix'] = $filter->xssFilterHard($_REQUEST['prefix']);
            $_REQUEST['prefix'] = $_REQUEST['prefix'] != null ? $_REQUEST['prefix'] : 'ID_TO_STRING';
-            echo G::LoadTranslation($_REQUEST['prefix']);
+            $prefix = $filter->xssFilterHard(G::LoadTranslation($_REQUEST['prefix']));
+            echo G::LoadTranslation($prefix);
            break;
            /**
            * return an array with all Variables of Grid type
--- a/workflow/engine/methods/roles/data_rolesList.php
+++ b/workflow/engine/methods/roles/data_rolesList.php
@@ -24,6 +24,9 @@

 require_once (PATH_RBAC . "model/RolesPeer.php");
 G::LoadClass( 'ArrayPeer' );
+G::LoadSystem('inputfilter');
+$filter = new InputFilter();
+$_POST = $filter->xssFilterHard($_POST);

 isset( $_POST['textFilter'] ) ? $filter = $_POST['textFilter'] : $filter = '';

--- a/workflow/engine/methods/roles/data_rolesPermissions.php
+++ b/workflow/engine/methods/roles/data_rolesPermissions.php
@@ -22,6 +22,10 @@
 * Coral Gables, FL, 33134, USA, or email info@colosa.com.
 */

+G::LoadSystem('inputfilter');
+$filter = new InputFilter();
+$_GET = $filter->xssFilterHard($_GET);
+$_REQUEST = $filter->xssFilterHard($_REQUEST);
 $ROL_UID = $_GET['rUID'];
 $TYPE_DATA = $_GET["type"];

--- a/workflow/engine/methods/services/Rest/CURLMessage.php
+++ b/workflow/engine/methods/services/Rest/CURLMessage.php
@@ -122,7 +122,10 @@ abstract class CURLMessage
     */
    public function displayResponse ()
    {
+        G::LoadSystem('inputfilter');
+        $filter = new InputFilter();
        $error = curl_error( $this->ch );
+        $error = $filter->xssFilterHard($error);
        $result = array ('header' => '','body' => '','curl_error' => '','http_code' => '','last_url' => ''
        );
        if ($error != "") {
@@ -130,12 +133,15 @@ abstract class CURLMessage
            return $result;
        }
        $response = $this->output;
+        $response = $filter->xssFilterHard($response);
        $header_size = curl_getinfo( $this->ch, CURLINFO_HEADER_SIZE );
        $result['header'] = substr( $response, 0, $header_size );
        $result['body'] = substr( $response, $header_size );
        $result['http_code'] = curl_getinfo( $this->ch, CURLINFO_HTTP_CODE );
        $result['last_url'] = curl_getinfo( $this->ch, CURLINFO_EFFECTIVE_URL );
+        $result = $filter->xssFilterHard($result);

+        $this->type = $filter->xssFilterHard($this->type);
        echo $this->type . " Response: " . $response . "<BR>";
        foreach ($result as $index => $data) {
            if ($data != "") {
--- a/workflow/engine/methods/services/demoSoap.php
+++ b/workflow/engine/methods/services/demoSoap.php
@@ -61,12 +61,17 @@ a.krumo-name {
 </style>
 <?php

+G::LoadSystem('inputfilter');
+$filter = new InputFilter();
+$_POST = $filter->xssFilterHard($_POST);
+$_SESSION = $filter->xssFilterHard($_SESSION);
 if (isset( $_POST["epr"] )) {
    $_SESSION['END_POINT'] = $_POST["epr"];
 }
 $endpoint = isset( $_SESSION['END_POINT'] ) ? $_SESSION['END_POINT'] : 'http://sugar.opensource.colosa.net/soap.php';
-
+$endpoint = $filter->xssFilterHard($endpoint);
 $sessionId = isset( $_SESSION['SESSION_ID'] ) ? $_SESSION['SESSION_ID'] : '';
+$sessionId = $filter->xssFilterHard($sessionId);
 ?>
 <form method="post" action="">

--- a/workflow/engine/methods/services/login_getStarted.php
+++ b/workflow/engine/methods/services/login_getStarted.php
@@ -42,7 +42,7 @@ $oTemplatePower->assign('USR_UID', $aUser['USR_UID']);
 $oTemplatePower->assign('USR_FULLNAME', $aData['USR_FIRSTNAME'] . ' ' . $aData['USR_LASTNAME'] . ' (' . $aData['USR_USERNAME'] . ')');
 */
 $userName = 'admin';
-$userPass = 'The password introduced at the time of installing the application';
+$userPass = 'The password introduced at the time of installing the application (admin: if you do not put or changed the password)';
 if(isset($_SESSION['NW_PASSWORD'])){
  if($_SESSION['NW_PASSWORD'] != ''){
    $userPass = $_SESSION['NW_PASSWORD'];
--- a/workflow/engine/methods/setup/appCacheViewAjax.php
+++ b/workflow/engine/methods/setup/appCacheViewAjax.php
@@ -1,6 +1,9 @@
 <?php
 require_once ('classes/model/AppCacheView.php');
-
+G::LoadSystem('inputfilter');
+$filter = new InputFilter();
+$_POST = $filter->xssFilterHard($_POST);
+$_GET = $filter->xssFilterHard($_GET);
 $request = isset( $_POST['request'] ) ? $_POST['request'] : (isset( $_GET['request'] ) ? $_GET['request'] : null);

 function testConnection($type, $server, $user, $passwd, $port = 'none', $dbName = "")
--- a/workflow/engine/methods/setup/emails_Ajax.php
+++ b/workflow/engine/methods/setup/emails_Ajax.php
@@ -22,6 +22,13 @@
 * Coral Gables, FL, 33134, USA, or email info@colosa.com.
 */
 
+G::LoadSystem('inputfilter');
+$filter = new InputFilter();
+$_POST = $filter->xssFilterHard($_POST);
+if(isset($_SERVER['SERVER_NAME'])) {
+$_SERVER['SERVER_NAME'] = $filter->xssFilterHard($_SERVER['SERVER_NAME']); 
+}
+
 global $RBAC;
 $RBAC->requirePermissions( 'PM_SETUP_ADVANCE' );

--- a/workflow/engine/methods/setup/language_Ajax.php
+++ b/workflow/engine/methods/setup/language_Ajax.php
@@ -23,11 +23,16 @@
 */
 try {

+    G::LoadSystem('inputfilter');
+    $filter = new InputFilter();
+    $_POST = $filter->xssFilterHard($_POST);
+    
    G::LoadInclude( 'ajax' );
    if (isset( $_POST['form'] )) {
        $_POST = $_POST['form'];
    }
    $_POST['function'] = get_ajax_value( 'function' );
+    $_POST['function'] = $filter->xssFilterHard($_POST['function']);
    switch ($_POST['function']) {
        case 'savePredetermined':
            require_once "classes/model/Translation.php";
--- a/workflow/engine/methods/setup/skin_Ajax.php
+++ b/workflow/engine/methods/setup/skin_Ajax.php
@@ -1,4 +1,8 @@
 <?php
+G::LoadSystem('inputfilter');
+$filter = new InputFilter();
+$_REQUEST = $filter->xssFilterHard($_REQUEST);
+
 if (! isset( $_REQUEST['action'] )) {
    $res['success'] = false;
    $res['error'] = $res['message'] = G::LoadTranslation('ID_REQUEST_ACTION');
@@ -360,6 +364,10 @@ function exportSkin ($skinToExport = "")
 function deleteSkin ()
 {
    try {
+        G::LoadSystem('inputfilter');
+        $filter = new InputFilter();
+        $_REQUEST['SKIN_FOLDER_ID'] = $filter->xssFilterHard($_REQUEST['SKIN_FOLDER_ID']);
+    
        if (! (isset( $_REQUEST['SKIN_FOLDER_ID'] ))) {
            throw (new Exception( G::LoadTranslation( 'ID_SKIN_FOLDER_REQUIRED' ) ));
        }
--- a/workflow/engine/methods/setup/webServicesAjax.php
+++ b/workflow/engine/methods/setup/webServicesAjax.php
@@ -23,6 +23,10 @@
 */
 ini_set( "soap.wsdl_cache_enabled", "0" ); // enabling WSDL cache

+G::LoadSystem('inputfilter');
+$filter = new InputFilter();
+$_GET = $filter->xssFilterHard($_GET);
+//$_SESSION = $filter->xssFilterHard($_SESSION); 

 G::LoadClass( 'ArrayPeer' );
 if ($RBAC->userCanAccess( 'PM_SETUP' ) != 1 && $RBAC->userCanAccess( 'PM_FACTORY' ) != 1) {
@@ -38,6 +42,8 @@ if ($_POST['action'] == '') {
    $_POST['action'] = (isset( $_GET['action'] )) ? $_GET['action'] : '';
 }

+$_POST = $filter->xssFilterHard($_POST);
+
 switch ($_POST['action']) {
    case 'showForm':
        global $G_PUBLISH;
@@ -1504,7 +1510,7 @@ try {
                die();
                break;
            default:
-
+                $_POST = $filter->xssFilterHard($_POST);
                print_r( $_POST );
        }
    }
--- a/workflow/engine/methods/tracker/tracker_Ajax.php
+++ b/workflow/engine/methods/tracker/tracker_Ajax.php
@@ -22,6 +22,10 @@
 * Coral Gables, FL, 33134, USA, or email info@colosa.com.
 */
 try {
+    G::LoadSystem('inputfilter');
+    $filter = new InputFilter();
+    $_POST = $filter->xssFilterHard($_POST);
+    
    if (isset( $_POST['form']['action'] )) {
        $_POST['action'] = $_POST['form']['action'];
    }
--- a/workflow/engine/methods/users/usersAjax.php
+++ b/workflow/engine/methods/users/usersAjax.php
@@ -1,4 +1,13 @@
 <?php
+G::LoadSystem('inputfilter');
+$filter = new InputFilter();
+$_POST = $filter->xssFilterHard($_POST);
+if(isset($_SESSION['USER_LOGGED'])) { 
+    $_SESSION['USER_LOGGED'] = $filter->xssFilterHard($_SESSION['USER_LOGGED']); 
+}
+if(isset($_SESSION['USR_USERNAME'])) { 
+$_SESSION['USR_USERNAME'] = $filter->xssFilterHard($_SESSION['USR_USERNAME']);
+}

 global $RBAC;
 $result = new StdClass();
--- a/workflow/engine/methods/users/users_Ajax.php
+++ b/workflow/engine/methods/users/users_Ajax.php
@@ -23,6 +23,12 @@
 * Coral Gables, FL, 33134, USA, or email info@colosa.com.
 */
 try {
+    G::LoadSystem('inputfilter');
+    $filter = new InputFilter();
+    $_GET = $filter->xssFilterHard($_GET);
+    $_POST = $filter->xssFilterHard($_POST);
+    $_REQUEST = $filter->xssFilterHard($_REQUEST);
+    
    global $RBAC;
    switch ($RBAC->userCanAccess('PM_LOGIN')) {
        case - 2:
--- a/workflow/engine/src/ProcessMaker/BusinessModel/Lists.php
+++ b/workflow/engine/src/ProcessMaker/BusinessModel/Lists.php
@@ -176,6 +176,7 @@ class Lists {
            $filtersData['date_to']     = $filters["dateTo"];
            $response['filters']        = $filtersData;
            $response['data']           = $result;
+            $filtersData['action']      = $filters["action"];
            $response['totalCount']     = $list->countTotal($userUid, $filtersData);
        } else {
            $response = $result;
--- a/workflow/engine/templates/appFolder/appFolderTree.php
+++ b/workflow/engine/templates/appFolder/appFolderTree.php
@@ -56,7 +56,9 @@ $html = '
     }
 return 'Unknown';
 }
-
+G::LoadSystem('inputfilter');
+$filter = new InputFilter();
+$_SERVER['HTTP_USER_AGENT'] = $filter->xssFilterHard($_SERVER['HTTP_USER_AGENT']);
 if((looking_for_browser($_SERVER['HTTP_USER_AGENT'])=='Internet Explorer 8')||(looking_for_browser($_SERVER['HTTP_USER_AGENT'])=='Internet Explorer 7')||(looking_for_browser($_SERVER['HTTP_USER_AGENT'])=='Internet Explorer 6')){
    $html.="
        <div class='content' style='width:360px;height: expression( this.scrollHeight > 319 ? \'320px\' : \'auto\' ); /* sets max-height for IE */  max-height: 320px; /* sets max-height value for all standards-compliant browsers */  overflow:hidden;'>
--- a/workflow/engine/templates/cases/cases_Load.php
+++ b/workflow/engine/templates/cases/cases_Load.php
@@ -1,3 +1,8 @@
+<?php 
+G::LoadSystem('inputfilter');
+$filter = new InputFilter();
+$_POST['qs'] = $filter->xssFilterHard($_POST['qs']);
+?>
 <html>
  <style type="text/css">
   .Footer .content {
--- a/workflow/engine/templates/groups/groups_Tree.php
+++ b/workflow/engine/templates/groups/groups_Tree.php
@@ -29,6 +29,8 @@

  $WIDTH_PANEL = 350;

+  G::LoadSystem('inputfilter');
+  $filter = new InputFilter();
  G::LoadClass('groups');

  $groups = new Groups();
@@ -47,6 +49,17 @@
    $UID         = htmlentities($group->getGrpUid());
    //$GROUP_TITLE = htmlentities($group->getGrpTitle());
    $GROUP_TITLE = strip_tags($group->getGrpTitle());
+    $ID_NEW         = G::LoadTranslation('ID_NEW');
+    $ID_GROUPS      = G::loadTranslation("ID_GROUPS");
+
+    $ID_EDIT     = $filter->xssFilterHard($ID_EDIT);
+    $ID_MEMBERS  = $filter->xssFilterHard($ID_MEMBERS);
+    $ID_DELETE   = $filter->xssFilterHard($ID_DELETE);
+    $UID         = $filter->xssFilterHard($UID);
+    $GROUP_TITLE = $filter->xssFilterHard($GROUP_TITLE);
+    $ID_NEW      = $filter->xssFilterHard($ID_NEW);
+    $ID_GROUPS   = $filter->xssFilterHard($ID_GROUPS);
+
    $htmlGroup   .="
        <tr id=\"{$xVar}\" onclick=\"focusRow(this, 'Selected')\" onmouseout=\"setRowClass(this, '{$RowClass}')\" onmouseover=\"setRowClass(this, 'RowPointer' )\" class=\"{$RowClass}\">
          <td><img src=\"/images/users.png\" border=\"0\" width=\"20\" height=\"20\"/></td>
@@ -68,13 +81,13 @@
 					<div class="boxContentBlue">
 					  <table width="95%" style="margin:0px;" cellspacing="0" cellpadding="0">
 					    <tr>
-						  <td class="userGroupTitle">'.G::loadTranslation("ID_GROUPS").'</td>
+						  <td class="userGroupTitle">'.$ID_GROUPS.'</td>
 						</tr>
 					  </table>
 					</div>
 					<div class="boxBottomBlue"><div class="a"></div><div class="b"></div><div class="c"></div></div>
 					
-				  	<div class="userGroupLink"><a href="#" onclick="addGroup();return false;">'.G::LoadTranslation('ID_NEW').'</a></div>
+				  	<div class="userGroupLink"><a href="#" onclick="addGroup();return false;">'.$ID_NEW.'</a></div>
 				  	
 				  	<div id="groupsListDiv" style="height:350px; width:'.($WIDTH_PANEL-20).'px; overflow:auto">
 				  	  <table class="pagedTableDefault"><tr><td>' 
--- a/workflow/engine/templates/oauth2/authorize.php
+++ b/workflow/engine/templates/oauth2/authorize.php
@@ -1,6 +1,9 @@
 <?php
 require_once PATH_CORE . 'src/ProcessMaker/Services/OAuth2/PmPdo.php';
-
+G::LoadSystem('inputfilter');
+$filter = new InputFilter();
+$_GET = $filter->xssFilterHard($_GET,"url");
+$_SERVER["QUERY_STRING"] = $filter->xssFilterHard($_SERVER["QUERY_STRING"],"url");

 list($host, $port) = strpos(DB_HOST, ':') !== false ? explode(':', DB_HOST) : array(DB_HOST, '');
 $port = empty($port) ? '' : ";port=$port";
@@ -34,7 +37,7 @@ $response = array(
    'supportedScope' => $this->scope,
    'requestedScope' => $requestedScope
 );
-
+$response = $filter->xssFilterHard($response,"url");
 ?>

 <table width="100%" cellspacing="0" cellpadding="0" border="0">
--- a/workflow/engine/xmlform/dynaforms/dynaforms_WebEntry.xml
+++ b/workflow/engine/xmlform/dynaforms/dynaforms_WebEntry.xml
@@ -171,7 +171,7 @@ var webEntry_generate = function(PRO_UID, TASKS, DYNAFORM) {
  	if(getField('WE_TYPE').value=='SINGLE')
     { oPanel1 = new leimnud.module.panel();
       oPanel1.options = {
-       	size	:{w:600,h:400},
+       	size	:{w:500,h:390},
       	position:{x:0,y:0,center:true},
       	title	:"Web Entry",
       	statusBar:true,