fernando/luos
1
0
Fork 0
Code Releases Activity

Merged in norah/processmaker/PM-1114 (pull request #1288)

Browse Source 
PM-1114 RW-152-6 Reflected Cross Site Scripting
This commit is contained in:
Julio Cesar Laura Avendaño
2014-12-19 10:03:02 -04:00
parent 4f5e0ab23e 52413128bb
commit 8b502aca90
2 changed files with 2 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
workflow/engine/methods/login/login.php
View File

@@ -36,7 +36,7 @@ $aFields = array();
if (!isset($_GET['u'])) { if (!isset($_GET['u'])) {
$aFields['URL'] = ''; $aFields['URL'] = '';
} else { } else {
$aFields['URL'] = urldecode(htmlentities($_GET['u'])); $aFields['URL'] = htmlspecialchars(addslashes(stripslashes(strip_tags(trim(urldecode($_GET['u']))))));
} }
if (!isset($_SESSION['G_MESSAGE'])) { if (!isset($_SESSION['G_MESSAGE'])) {

2
workflow/engine/methods/login/retrivePassword.php
View File

@@ -8,7 +8,7 @@ G::LoadClass("system");
$rbacUser = new RbacUsers(); $rbacUser = new RbacUsers();
$user = new Users(); $user = new Users();
$data['USR_USERNAME'] = strip_tags($data['USR_USERNAME']);
$userData = $rbacUser->getByUsername($data['USR_USERNAME']); $userData = $rbacUser->getByUsername($data['USR_USERNAME']);
if ($userData['USR_EMAIL'] != '' && $userData['USR_EMAIL'] === $data['USR_EMAIL'] && ($userData['USR_AUTH_TYPE'] === '' || $userData['USR_AUTH_TYPE'] == 'MYSQL') ) { if ($userData['USR_EMAIL'] != '' && $userData['USR_EMAIL'] === $data['USR_EMAIL'] && ($userData['USR_AUTH_TYPE'] === '' || $userData['USR_AUTH_TYPE'] == 'MYSQL') ) {