diff --git a/workflow/engine/classes/model/AdditionalTables.php b/workflow/engine/classes/model/AdditionalTables.php
index 9c52cc061..da3ffe8e1 100755
--- a/workflow/engine/classes/model/AdditionalTables.php
+++ b/workflow/engine/classes/model/AdditionalTables.php
@@ -446,11 +446,11 @@ class AdditionalTables extends BaseAdditionalTables
 eval('$count = ' . $sClassPeerName . '::doCount($oCriteria);');
 }
 G::LoadSystem('inputfilter');
- $filter = new InputFilter();
- $sort = $filter->validateInput($_POST['sort']);
+ $filter = new InputFilter();
 $sClassPeerName = $filter->validateInput($sClassPeerName);
 if (isset($_POST['sort'])) {
+ $_POST['sort'] = $filter->validateInput($_POST['sort']);
 if ($_POST['dir'] == 'ASC') {
 if ($keyOrderUppercase) {
 eval('$oCriteria->addAscendingOrderByColumn("' . $sort . '");');
diff --git a/workflow/engine/methods/cases/caseMessageHistory_Ajax.php b/workflow/engine/methods/cases/caseMessageHistory_Ajax.php
index c1a2b056a..9c360f572 100755
--- a/workflow/engine/methods/cases/caseMessageHistory_Ajax.php
+++ b/workflow/engine/methods/cases/caseMessageHistory_Ajax.php
@@ -21,6 +21,10 @@
 * For more information, contact Colosa Inc, 2566 Le Jeune Rd.,
 * Coral Gables, FL, 33134, USA, or email info@colosa.com.
 */
+G::LoadSystem('inputfilter');
+$filter = new InputFilter();
+$_POST = $filter->xssFilterHard($_POST);
+$_REQUEST = $filter->xssFilterHard($_REQUEST);
 $arrayToTranslation = array(
 "TRIGGER" => G::LoadTranslation("ID_TRIGGER_DB"),
@@ -31,11 +35,11 @@
 $actionAjax = isset( $_REQUEST['actionAjax'] ) ? $_REQUEST['actionAjax'] : null;
 if ($actionAjax == 'messageHistoryGridList_JXP') {
- if (!isset($_REQUEST['start'])) {
+ if (!isset($_REQUEST['start']) || $_REQUEST['start'] =='') {
 $_REQUEST['start'] = 0;
 }
- if (!isset($_REQUEST['limit'])) {
+ if (!isset($_REQUEST['limit']) || $_REQUEST['limit'] =='') {
 $_REQUEST['limit'] = 20;
 }
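Review bot: The eval on the hunk's last line still interpolates `$sort`, but the only assignment to `$sort` visible here — `$sort = $filter->validateInput($_POST['sort']);` — is the line this commit removes, and the filtered value now lives in `$_POST['sort']` instead. Unless `$sort` is assigned earlier in the method (outside the hunk), the ordering column is either undefined or, if it was taken from the raw request earlier, bypasses the filter entirely and lands inside eval'd code. Either re-establish it inside the isset block, `$sort = $filter->validateInput($_POST['sort']);`, or read `$_POST['sort']` in the eval strings. Building the order-by call with eval is unnecessary in any case — `$oCriteria->addAscendingOrderByColumn($sort);` passes the column name as data and removes the code-injection sink. The enclosing method starts and ends outside the hunk.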
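Review bot: Rewriting `$_POST` and `$_REQUEST` wholesale with `xssFilterHard()` filters by source rather than by sink, so it alters every parameter's value regardless of whether it ends up in HTML, a SQL clause or a file name, and it is not a substitute for escaping at the point of output (`htmlspecialchars` for HTML, bound parameters for SQL). The same blanket filter added at the top of cases_StepToRevise.php, cases_StepToReviseInputs.php, cases_StepToReviseOutputs.php, cases_ToReviseOutputDocView.php, cases_generatePMTable.php and cases_Load.php carries the same caveat. `$_REQUEST` is a separate array, so filtering it does not touch `$_GET` or `$_COOKIE`; if this file reads either directly (not visible here) they remain unfiltered. A comment stating the intent would help the next reader: `// Blanket XSS filter on request input; output contexts must still escape.`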
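Review bot: The new `|| $_REQUEST['start'] ==''` guard only covers the empty-string case; any other non-numeric value for `start` or `limit` still passes through, and `==` compares loosely where `!== ''` is meant. If these feed a row offset and limit (the consumer is outside the hunk), normalising them to integers is the more robust fix, e.g. `$_REQUEST['start'] = isset($_REQUEST['start']) && $_REQUEST['start'] !== '' ? (int) $_REQUEST['start'] : 0;` and the same for `limit` with default 20. That makes both the default and the expected type explicit in one place.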
diff --git a/workflow/engine/methods/cases/cases_StepToRevise.php b/workflow/engine/methods/cases/cases_StepToRevise.php
index a8a83c7cb..d693fae4c 100755
--- a/workflow/engine/methods/cases/cases_StepToRevise.php
+++ b/workflow/engine/methods/cases/cases_StepToRevise.php
@@ -23,6 +23,9 @@
 */
 // die("first");
 /* Permissions */
+G::LoadSystem('inputfilter');
+$filter = new InputFilter();
+$_GET = $filter->xssFilterHard($_GET,"url");
 switch ($RBAC->userCanAccess( 'PM_SUPERVISOR' )) {
 case - 2:
 G::SendTemporalMessage( 'ID_USER_HAVENT_RIGHTS_SYSTEM', 'error', 'labels' );
@@ -35,8 +38,9 @@ switch ($RBAC->userCanAccess( 'PM_SUPERVISOR' )) {
 die();
 break;
 }
-
+$_SESSION = $filter->xssFilterHard($_SESSION,"url");
 if ((int) $_SESSION['INDEX'] < 1) {
+ $_SERVER['HTTP_REFERER'] = $filter->xssFilterHard($_SERVER['HTTP_REFERER']);
 G::SendTemporalMessage( 'ID_USER_HAVENT_RIGHTS_PAGE', 'error', 'labels' );
 G::header( 'location: ' . $_SERVER['HTTP_REFERER'] );
 die();
diff --git a/workflow/engine/methods/cases/cases_StepToReviseInputs.php b/workflow/engine/methods/cases/cases_StepToReviseInputs.php
index ce57d6c71..b4999f81e 100755
--- a/workflow/engine/methods/cases/cases_StepToReviseInputs.php
+++ b/workflow/engine/methods/cases/cases_StepToReviseInputs.php
@@ -23,6 +23,9 @@
 */
 //die("second");
 /* Permissions */
+G::LoadSystem('inputfilter');
+$filter = new InputFilter();
+$_GET = $filter->xssFilterHard($_GET,"url");
 switch ($RBAC->userCanAccess( 'PM_SUPERVISOR' )) {
 case - 2:
 G::SendTemporalMessage( 'ID_USER_HAVENT_RIGHTS_SYSTEM', 'error', 'labels' );
@@ -35,8 +38,9 @@ switch ($RBAC->userCanAccess( 'PM_SUPERVISOR' )) {
 die();
 break;
 }
-
+$_SESSION = $filter->xssFilterHard($_SESSION,"url");
 if ((int) $_SESSION['INDEX'] < 1) {
+ $_SERVER['HTTP_REFERER'] = $filter->xssFilterHard($_SERVER['HTTP_REFERER']);
 G::SendTemporalMessage( 'ID_USER_HAVENT_RIGHTS_PAGE', 'error', 'labels' );
 G::header( 'location: ' . $_SERVER['HTTP_REFERER'] );
 die();
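Review bot: `$_SESSION = $filter->xssFilterHard($_SESSION,"url");` rewrites and persists the whole server-side session on every hit to this page, so any stored value the filter alters (and any nested structure it does not handle — its behaviour on arrays and objects is not visible here) stays altered for every later request, even though session data is not request input and the check below reads only `$_SESSION['INDEX']`, which it already casts with `(int)`. Dropping that line is the safer change; the same line appears in cases_StepToReviseInputs.php, cases_StepToReviseOutputs.php and cases_ToReviseOutputDocView.php. Separately, `G::header( 'location: ' . $_SERVER['HTTP_REFERER'] );` redirects to a client-supplied header value, so XSS-filtering it addresses neither the open-redirect concern nor the undefined-index notice raised when no Referer header is sent (the same pattern is in cases_StepToReviseInputs.php). Redirecting to a fixed in-application page, or falling back to one when `isset($_SERVER['HTTP_REFERER'])` is false, covers both.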
diff --git a/workflow/engine/methods/cases/cases_StepToReviseOutputs.php b/workflow/engine/methods/cases/cases_StepToReviseOutputs.php
index 9cd6dc6b1..976b75dc5 100755
--- a/workflow/engine/methods/cases/cases_StepToReviseOutputs.php
+++ b/workflow/engine/methods/cases/cases_StepToReviseOutputs.php
@@ -23,6 +23,9 @@
 */
 /* Permissions */
+G::LoadSystem('inputfilter');
+$filter = new InputFilter();
+$_GET = $filter->xssFilterHard($_GET,"url");
 switch ($RBAC->userCanAccess( 'PM_SUPERVISOR' )) {
 case - 2:
 G::SendTemporalMessage( 'ID_USER_HAVENT_RIGHTS_SYSTEM', 'error', 'labels' );
@@ -35,7 +38,7 @@ switch ($RBAC->userCanAccess( 'PM_SUPERVISOR' )) {
 die();
 break;
 }
-
+$_SESSION = $filter->xssFilterHard($_SESSION,"url");
 /* Includes */
 G::LoadClass( 'case' );
diff --git a/workflow/engine/methods/cases/cases_ToReviseOutputDocView.php b/workflow/engine/methods/cases/cases_ToReviseOutputDocView.php
index f2891830f..351d778d9 100755
--- a/workflow/engine/methods/cases/cases_ToReviseOutputDocView.php
+++ b/workflow/engine/methods/cases/cases_ToReviseOutputDocView.php
@@ -23,6 +23,9 @@
 */
 /* Permissions */
+G::LoadSystem('inputfilter');
+$filter = new InputFilter();
+$_GET = $filter->xssFilterHard($_GET,"url");
 switch ($RBAC->userCanAccess( 'PM_SUPERVISOR' )) {
 case - 2:
 G::SendTemporalMessage( 'ID_USER_HAVENT_RIGHTS_SYSTEM', 'error', 'labels' );
@@ -35,7 +38,7 @@ switch ($RBAC->userCanAccess( 'PM_SUPERVISOR' )) {
 die();
 break;
 }
-
+$_SESSION = $filter->xssFilterHard($_SESSION,"url");
 /* Includes */
 G::LoadClass( 'case' );
diff --git a/workflow/engine/methods/cases/cases_generatePMTable.php b/workflow/engine/methods/cases/cases_generatePMTable.php
index 0080ac771..9ced6f1ba 100755
--- a/workflow/engine/methods/cases/cases_generatePMTable.php
+++ b/workflow/engine/methods/cases/cases_generatePMTable.php
@@ -4,6 +4,9 @@
 * and open the template in the editor.
 */
+G::LoadSystem('inputfilter');
+$filter = new InputFilter();
+$_POST = $filter->xssFilterHard($_POST);
 require_once ("classes/model/AdditionalTables.php");
 require_once ("classes/model/Fields.php");
 // passing the parameters
diff --git a/workflow/engine/templates/cases/cases_Load.php b/workflow/engine/templates/cases/cases_Load.php
index 94f70a56f..c0fbc3bc6 100755
--- a/workflow/engine/templates/cases/cases_Load.php
+++ b/workflow/engine/templates/cases/cases_Load.php
@@ -1,3 +1,8 @@
+xssFilterHard($_POST['qs']);
+?>