diff --git a/gulliver/system/class.dbMaintenance.php b/gulliver/system/class.dbMaintenance.php
index dbe90bdb0..f4f849bbe 100755
--- a/gulliver/system/class.dbMaintenance.php
+++ b/gulliver/system/class.dbMaintenance.php
@@ -305,8 +305,12 @@ class DataBaseMaintenance
 function backupData ()
 {
 $aTables = $this->getTablesList();
+ G::LoadSystem('inputfilter');
+ $filter = new InputFilter();
+ $aTables = $filter->xssFilterHard($aTables);
 foreach ($aTables as $table) {
 if ($this->dumpData( $table ) !== false) {
+ $this->outfile = $filter->xssFilterHard($this->outfile);
 printf( "%20s %s %s\n", 'Dump of table:', $table, " in file {$this->outfile}" );
 } else {
 return false;
@@ -343,6 +347,11 @@ class DataBaseMaintenance
 {
 $aTables = $this->getTablesList();
+ G::LoadSystem('inputfilter');
+ $filter = new InputFilter();
+ $aTables = $filter->xssFilterHard($aTables);
+ $this->tmpDir = $filter->xssFilterHard($this->tmpDir);
+ $this->infile = $filter->xssFilterHard($this->infile);
 foreach ($aTables as $table) {
 if (isset( $type ) && $type == 'sql') {
@@ -467,6 +476,7 @@ class DataBaseMaintenance
 G::LoadSystem('inputfilter');
 $filter = new InputFilter();
+ $table = $filter->xssFilterHard($table);
 $table = $filter->validateInput($table, 'nosql');
 $bytesSaved = 0;
 $query = "SELECT * FROM `%s`";
@@ -492,6 +502,7 @@ class DataBaseMaintenance
 $data .= ");\n";
 }
+ $data = $filter->xssFilterHard($data);
 printf( "%-59s%20s", "Dump of table $table", strlen( $data ) . " Bytes Saved\n" );
 return $data;
 }
diff --git a/gulliver/system/class.pagedTable.php b/gulliver/system/class.pagedTable.php
index 54a0a866b..9439bbcfe 100755
--- a/gulliver/system/class.pagedTable.php
+++ b/gulliver/system/class.pagedTable.php
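Review bot: In backupData, `$this->outfile` is passed through `xssFilterHard` only after `dumpData($table)` has already used it, so the name printed by the `printf` on the next line can differ from the file that was actually written, and console output is not an HTML context anyway; the same pattern is applied to `$this->tmpDir` and `$this->infile` in the hunk at 347, which are filesystem paths consumed by the code that follows. Judging by its name and by the sibling `validateInput($table, 'nosql')` call in the hunk at 476, `xssFilterHard` strips markup rather than rejecting `..` or directory separators, so if the goal is to harden these paths the check belongs on the path itself, e.g. `if (basename($this->infile) !== $this->infile) { return false; }` before it is used. The table names come from `getTablesList()`, i.e. from the database rather than the request, so filtering `$aTables` is a no-op at best and a way to skip a legitimately named table at worst. backupData ends outside this hunk and the method at 347 begins outside it.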
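Review bot: In the hunk at 502, `$data = $filter->xssFilterHard($data);` rewrites the SQL dump text itself, so any stored row value containing characters the filter alters is changed in the backup and no longer restores to what is in the table; the byte count printed on the next line then reports the altered size as well. The dump is consumed by the restore path, not rendered in a browser, so the line should be removed, and escaping of values into the `INSERT` statements belongs where `$data` is assembled earlier in dumpData, outside this hunk. If the concern was the `$table` identifier interpolated into `SELECT * FROM \`%s\``, the hunk at 476 already applies `validateInput($table, 'nosql')`; an allow-list such as `if (!in_array($table, $this->getTablesList(), true)) { return false; }` at that point would be the stricter check. dumpData begins outside both hunks.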
@@ -778,6 +778,13 @@ class pagedTable
 */
 public function renderTable ($block = '')
 {
+ G::LoadSystem('inputfilter');
+ $filter = new InputFilter();
+ $this->orderBy = $filter->xssFilterHard($this->orderBy);
+ $this->currentPage = $filter->xssFilterHard($this->currentPage);
+ $this->id = $filter->xssFilterHard($this->id);
+ $this->name = $filter->xssFilterHard($this->name);
+ $this->ownerPage = $filter->xssFilterHard($this->ownerPage);
 // DBConnection
 $this->prepareQuery();
 //Query for get the number of rows
@@ -797,6 +804,9 @@ class pagedTable
 $this->tpl->assign( 'pagedTable_Id', $this->id );
 $this->tpl->assign( 'pagedTable_Name', $this->name );
 $this->tpl->assign( 'pagedTable_Height', $this->xmlForm->height );
+ $this->xmlForm->home = $filter->xssFilterHard($this->xmlForm->home);
+ $this->filterForm = $filter->xssFilterHard($this->filterForm);
+ $this->menu = $filter->xssFilterHard($this->menu);
 if (file_exists( $this->xmlForm->home . $this->filterForm . '.xml' )) {
 $filterForm = new filterForm( $this->filterForm, $this->xmlForm->home );
 if ($this->menu === '') {
@@ -893,10 +903,14 @@ class pagedTable
 $this->tpl->assign( 'rowId', 'insertAtLast' );
 if ($this->currentPage > 1) {
 $firstUrl = $this->ownerPage . '?order=' . $this->orderBy . '&page=1';
+ $firstUrl = $filter->xssFilterHard($firstUrl);
 $firstAjax = $this->id . ".doGoToPage(1);return false;";
+ $firstAjax = $filter->xssFilterHard($firstAjax);
 $prevpage = $this->currentPage - 1;
 $prevUrl = $this->ownerPage . '?order=' . $this->orderBy . '&page=' . $prevpage;
+ $prevUrl = $filter->xssFilterHard($prevUrl);
 $prevAjax = $this->id . ".doGoToPage(" . $prevpage . ");return false;";
+ $prevAjax = $filter->xssFilterHard($prevAjax);
 $first = " ";
 $prev = " ";
 } else {
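Review bot: `$this->currentPage` is used arithmetically later in renderTable (`$this->currentPage - 1` in the hunk at 903, `$this->currentPage + 1` at 919) and compared against `$this->totpages`, so the normalisation that fits is `$this->currentPage = (int) $this->currentPage;`; an HTML filter leaves a non-numeric value non-numeric. `$this->orderBy` feeds `prepareQuery()` on the next lines, and if it ends up in an `ORDER BY` clause (not visible here) an XSS filter does not constrain it, whereas an allow-list against the table's known column names would. Filtering `$this->id`, `$this->name` and `$this->ownerPage` in place also mutates object state the caller may reuse; the conventional place to encode them is at output, as the `htmlentities(..., ENT_QUOTES, 'utf-8')` call in the hunk at 937 already does for the URL. renderTable continues outside this hunk.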
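Review bot: In the hunk at 804, `$this->xmlForm->home . $this->filterForm . '.xml'` is a filesystem path, and running `xssFilterHard` over its two parts does not stop a `filterForm` value containing `..` or a directory separator from resolving outside `home`; `file_exists` then succeeds on whatever it resolves to and `new filterForm(...)` loads it. A targeted check before the `file_exists` call is what is missing, e.g. `if (basename($this->filterForm) !== $this->filterForm) { $this->filterForm = ''; }` or a `preg_match` restricted to the characters a form name may contain — confirm that character set against how filter forms are named. Whether `filterForm` is attacker-controllable depends on the caller, which is outside the hunk.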
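Review bot: In the hunk at 903, `$firstAjax` and `$prevAjax` (likewise `$lastAjax`/`$nextAjax` at 919 and `$pageAjax` at 937) are JavaScript snippets built from `$this->id` and a page number, and filtering the assembled string only works if `xssFilterHard` leaves `.doGoToPage(1);return false;` intact, which is not visible here; it also does not yield attribute-safe output for the `onclick="..."` context the 937 hunk shows. The safer shape is to encode the one variable part once, `$firstAjax = htmlspecialchars($this->id, ENT_QUOTES, 'utf-8') . ".doGoToPage(1);return false;";`, and to leave `$firstUrl`/`$prevUrl` to the `htmlentities(..., ENT_QUOTES, 'utf-8')` applied where URLs are emitted — if that is also done for these URLs (outside the hunk), filtering them here first will double-encode `&`. The anchor markup assigned to `$first`/`$prev` is not legible in this rendering, so the emitted attributes could not be checked.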
@@ -905,10 +919,14 @@ class pagedTable
 }
 if ($this->currentPage < $this->totpages) {
 $lastUrl = $this->ownerPage . '?order=' . $this->orderBy . '&page=' . $this->totpages;
+ $lastUrl = $filter->xssFilterHard($lastUrl);
 $lastAjax = $this->id . ".doGoToPage(" . $this->totpages . ");return false;";
+ $lastAjax = $filter->xssFilterHard($lastAjax);
 $nextpage = $this->currentPage + 1;
 $nextUrl = $this->ownerPage . '?order=' . $this->orderBy . '&page=' . $nextpage;
+ $nextUrl = $filter->xssFilterHard($nextUrl);
 $nextAjax = $this->id . ".doGoToPage(" . $nextpage . ");return false;";
+ $nextAjax = $filter->xssFilterHard($nextAjax);
 $next = " ";
 $last = " ";
 } else {
@@ -919,7 +937,8 @@ class pagedTable
 for ($r = 1; $r <= $this->totpages; $r ++) {
 if (($r >= ($this->currentPage - 5)) && ($r <= ($this->currentPage + 5))) {
 $pageAjax = $this->id . ".doGoToPage(" . $r . ");return false;";
- if ($r != $this->currentPage) {
+ if ($r != $this->currentPage) {
+ $pageAjax = $filter->xssFilterHard($pageAjax);
 $pagesEnum .= " ownerPage . '?order=' . $this->orderBy . '&page=' . $r, ENT_QUOTES, 'utf-8' ) . "\" onclick=\"" . $pageAjax . "\">" . $r . "";
 } else {
 $pagesEnum .= " " . $r . "";
diff --git a/workflow/engine/bin/tasks/cliWorkspaces.php b/workflow/engine/bin/tasks/cliWorkspaces.php
index 81958296f..3c4c0e8e6 100755
--- a/workflow/engine/bin/tasks/cliWorkspaces.php
+++ b/workflow/engine/bin/tasks/cliWorkspaces.php
@@ -228,6 +228,10 @@ function run_info($args, $opts) {
 }
 function run_workspace_upgrade($args, $opts) {
+ G::LoadSystem('inputfilter');
+ $filter = new InputFilter();
+ $opts = $filter->xssFilterHard($opts);
+ $args = $filter->xssFilterHard($args);
 $workspaces = get_workspaces_from_args($args);
 $first = true;
 $lang = array_key_exists("lang", $opts) ? $opts['lang'] : 'en';
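Review bot: In run_workspace_upgrade, `$args` and `$opts` are command-line arguments consumed by `get_workspaces_from_args($args)` and `$opts['lang']`, not anything rendered as HTML, so `xssFilterHard` neither validates a workspace name nor changes what the upgrade does with it; the same four lines are pasted into `run_translation_upgrade`, `run_cacheview_upgrade`, `database_upgrade` and `run_database_generate_self_service_by_value` in the following hunks. A check matching how the names are used would be more useful — validating each resolved name inside `get_workspaces_from_args` (outside this diff), e.g. `preg_match('/^[A-Za-z0-9_]+$/', $name)`, with the character set confirmed against how workspaces are created. If the filtering is kept, factor the four lines into one helper so the five copies cannot drift. Each of these functions continues outside its hunk.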
@@ -242,6 +246,10 @@ function run_workspace_upgrade($args, $opts) {
 }
 function run_translation_upgrade($args, $opts) {
+ G::LoadSystem('inputfilter');
+ $filter = new InputFilter();
+ $opts = $filter->xssFilterHard($opts);
+ $args = $filter->xssFilterHard($args);
 $workspaces = get_workspaces_from_args($args);
 $first = true;
 foreach ($workspaces as $workspace) {
@@ -256,6 +264,10 @@ function run_translation_upgrade($args, $opts) {
 }
 function run_cacheview_upgrade($args, $opts) {
+ G::LoadSystem('inputfilter');
+ $filter = new InputFilter();
+ $opts = $filter->xssFilterHard($opts);
+ $args = $filter->xssFilterHard($args);
 $workspaces = get_workspaces_from_args($args);
 $lang = array_key_exists("lang", $opts) ? $opts['lang'] : 'en';
 foreach ($workspaces as $workspace) {
@@ -304,6 +316,10 @@ function run_migrate_new_cases_lists($args, $opts) {
 }
 function database_upgrade($command, $args) {
+ G::LoadSystem('inputfilter');
+ $filter = new InputFilter();
+ $command = $filter->xssFilterHard($command);
+ $args = $filter->xssFilterHard($args);
 $workspaces = get_workspaces_from_args($args);
 $checkOnly = (strcmp($command, "check") == 0);
 foreach ($workspaces as $workspace) {
@@ -587,6 +603,10 @@ function runStructureDirectories($command, $args) {
 function run_database_generate_self_service_by_value($args, $opts) {
+ G::LoadSystem('inputfilter');
+ $filter = new InputFilter();
+ $opts = $filter->xssFilterHard($opts);
+ $args = $filter->xssFilterHard($args);
 try {
 $arrayWorkspace = get_workspaces_from_args($args);
diff --git a/workflow/engine/classes/class.webdav.php b/workflow/engine/classes/class.webdav.php
index f6ae9a789..bc56cca59 100755
--- a/workflow/engine/classes/class.webdav.php
+++ b/workflow/engine/classes/class.webdav.php
@@ -398,13 +398,18 @@ class ProcessMakerWebDav extends HTTP_WebDAV_Server
 */
 public function GET(&$options) {
- $paths = $this->paths;
+ G::LoadSystem('inputfilter');
+ $filter = new InputFilter();
+ $options = $filter->xssFilterHard($options);
+ $paths = $filter->xssFilterHard($this->paths);
 $pathClasses = PATH_DB . SYS_SYS . PATH_SEP . 'classes' . PATH_SEP;
 if (count($paths) > 0 && $paths[0] == 'classes' && is_dir($pathClasses)) {
 $fsFile = $pathClasses . $paths[1];
+ $fsFile = $filter->xssFilterHard($fsFile);
 if (count($paths) == 2 && file_exists($fsFile)) {
 $content = file_get_contents($fsFile);
+ $content = $filter->xssFilterHard($content);
 print $content;
 header("Content-Type: " . mime_content_type($fsFile));
 header("Last-Modified: " . date("D, j M Y H:m:s ", file_mtime($fsFile)) . "GMT");
@@ -418,8 +423,10 @@ class ProcessMakerWebDav extends HTTP_WebDAV_Server
 if (count($paths) == 4 && $paths[2] == 'xmlforms') {
 $pathXmlform = $pathProcesses . 'xmlForms' . PATH_SEP . $paths[1] . PATH_SEP;
 $fsFile = $pathXmlform . $paths[3];
+ $fsFile = $filter->xssFilterHard($fsFile);
 if (count($paths) == 4 && file_exists($fsFile)) {
 $content = file_get_contents($fsFile);
+ $content = $filter->xssFilterHard($content);
 print $content;
 header("Content-Type: " . mime_content_type($fsFile));
 header("Last-Modified: " . date("D, j M Y H:m:s ", file_mtime($fsFile)) . "GMT");
@@ -431,8 +438,10 @@ class ProcessMakerWebDav extends HTTP_WebDAV_Server
 if (count($paths) == 4 && $paths[2] == 'mailTemplates') {
 $pathTemplates = $pathProcesses . 'mailTemplates' . PATH_SEP . $paths[1] . PATH_SEP;
 $fsFile = $pathTemplates . $paths[3];
+ $fsFile = $filter->xssFilterHard($fsFile);
 if (count($paths) == 4 && file_exists($fsFile)) {
 $content = file_get_contents($fsFile);
+ $content = $filter->xssFilterHard($content);
 print $content;
 header("Content-Type: " . mime_content_type($fsFile));
 header("Last-Modified: " . date("D, j M Y H:m:s ", file_mtime($fsFile)) . "GMT");
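Review bot: The file served in GET is selected by `$paths[1]` (and by `$paths[1]`/`$paths[3]` in the hunks at 423, 438 and 453), and `xssFilterHard` on `$fsFile` does not neutralise `..` or separators in those components, so the check that matters — that the resolved path stays under the branch's base directory — is still absent. Something like `$real = realpath($fsFile); if ($real === false || strpos($real, realpath($pathClasses)) !== 0) { $fsFile = ''; }` before the `file_exists` test (with the base directory adjusted per branch) would enforce it, since `file_exists('')` is false and the existing not-found path then takes over. Separately, `$content = $filter->xssFilterHard($content);` alters the bytes of the file being served — a class file, xmlform, mail template or public asset — so clients receive a modified file; that line should go in all four branches. `$options` is a by-reference parameter, so filtering it also replaces the caller's array. GET continues outside this hunk, and the `header()` calls issued after `print $content` are pre-existing.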
@@ -444,8 +453,10 @@ class ProcessMakerWebDav extends HTTP_WebDAV_Server
 if (count($paths) == 4 && $paths[2] == 'public_html') {
 $pathPublic = $pathProcesses . 'public' . PATH_SEP . $paths[1] . PATH_SEP;
 $fsFile = $pathPublic . $paths[3];
+ $fsFile = $filter->xssFilterHard($fsFile);
 if (count($paths) == 4 && file_exists($fsFile)) {
 $content = file_get_contents($fsFile);
+ $content = $filter->xssFilterHard($content);
 print $content;
 header("Content-Type: " . mime_content_type($fsFile));
 header("Last-Modified: " . date("D, j M Y H:m:s ", file_mtime($fsFile)) . "GMT");
diff --git a/workflow/engine/classes/triggers/api/class.zimbraApi.php b/workflow/engine/classes/triggers/api/class.zimbraApi.php
index b8fbccb6e..ea3b840a9 100644
--- a/workflow/engine/classes/triggers/api/class.zimbraApi.php
+++ b/workflow/engine/classes/triggers/api/class.zimbraApi.php
@@ -803,6 +803,9 @@ class Zimbra
 protected function message($message)
 {
 if ($this->debug) {
+ G::LoadSystem('inputfilter');
+ $filter = new InputFilter();
+ $message = $filter->xssFilterHard($message);
 echo $message;
 }
 }
@@ -823,6 +826,9 @@ class Zimbra
 */
 protected function soapRequest($body, $header = false, $connecting = false)
 {
+ G::LoadSystem('inputfilter');
+ $filter = new InputFilter();
+
 if (!$connecting && !$this->_connected) {
 throw new Exception('zimbra.class: soapRequest called without a connection to Zimbra server');
 }
@@ -842,7 +848,9 @@ class Zimbra
 curl_setopt($this->_curl, CURLOPT_POSTFIELDS, $soap_message);
- if (!($response = curl_exec($this->_curl))) {
+ $this->_curl = $filter->xssFilterHard($this->_curl,"url");
+ $response = curl_exec($this->_curl);
+ if (!$response) {
 $this->error = 'ERROR: curl_exec - (' . curl_errno($this->_curl) . ') ' . curl_error($this->_curl);
 return false;
 } elseif (strpos($response, '') !== false) {
diff --git a/workflow/engine/methods/cases/casesStartPage_Ajax.php b/workflow/engine/methods/cases/casesStartPage_Ajax.php
index f5cdda0bc..16a9dec9b 100755
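Review bot: In the soapRequest hunk at 848, `$this->_curl = $filter->xssFilterHard($this->_curl,"url");` passes the cURL handle — the same value given to `curl_setopt` on the line above and to `curl_exec` on the line below — through a string filter; unless `xssFilterHard` returns non-string input untouched (not visible here), `$this->_curl` stops being a handle and every subsequent `curl_exec`/`curl_errno`/`curl_error` call in this method fails. The endpoint URL is configured wherever `CURLOPT_URL` is set, outside this hunk, and that is where a URL check belongs; this line should be removed. The split into `$response = curl_exec($this->_curl);` followed by `if (!$response)` is behaviour-preserving on its own. soapRequest begins in the hunk at 826 and continues past this one.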
--- a/workflow/engine/methods/cases/casesStartPage_Ajax.php
+++ b/workflow/engine/methods/cases/casesStartPage_Ajax.php
@@ -1,4 +1,9 @@ xssFilterHard($_POST);
+$_REQUEST = $filter->xssFilterHard($_REQUEST);
+$_SESSION = $filter->xssFilterHard($_SESSION);
 if (!isset($_SESSION['USER_LOGGED'])) {
 $res = new stdclass();
 $res->message = G::LoadTranslation('ID_LOGIN_AGAIN');
@@ -215,6 +220,11 @@ function lookinginforContentProcess ($sproUid)
 function startCase ()
 {
 G::LoadClass( 'case' );
+ G::LoadSystem('inputfilter');
+ $filter = new InputFilter();
+ $_POST = $filter->xssFilterHard($_POST);
+ $_REQUEST = $filter->xssFilterHard($_REQUEST);
+ $_SESSION = $filter->xssFilterHard($_SESSION);
 /* GET , POST & $_SESSION Vars */
 /* unset any variable, because we are starting a new case */
@@ -241,6 +251,7 @@ function startCase ()
 lookinginforContentProcess( $_POST['processId'] );
 $aData = $oCase->startCase( $_REQUEST['taskId'], $_SESSION['USER_LOGGED'] );
+ $aData = $filter->xssFilterHard($aData);
 $_SESSION['APPLICATION'] = $aData['APPLICATION'];
 $_SESSION['INDEX'] = $aData['INDEX'];
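Review bot: `$_SESSION = $filter->xssFilterHard($_SESSION);` at the top of the file rewrites server-side session state on every request to this endpoint — any stored value the filter alters is silently changed and written back when the session is saved — and the same line is repeated inside `startCase()` in the hunk at 220. Session contents are not request input, so that line should be dropped in both places; `$_REQUEST` is a merged copy, so filtering it does not change `$_GET`, and `$_POST` is already filtered separately. The values actually consumed are `$_POST['processId']` and `$_REQUEST['taskId']` (hunk at 251), which read as identifiers and are better validated as such at the point of use than by a blanket markup filter. In that hunk `$aData = $filter->xssFilterHard($aData);` filters the return of `$oCase->startCase()`, whose `APPLICATION`/`INDEX` entries go straight into the session; confirm the filter passes non-string entries through unchanged, otherwise `$_SESSION['INDEX']` changes type. startCase continues outside the hunk; the first `+` lines of the top hunk are not legible in this rendering.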