xss
This commit is contained in:
marcelo.cuiza
@@ -25,6 +25,9 @@
|
||||
td {font-family: Tahoma, Verdana, sans-serif; font-size: 11px;}
|
||||
</style>
|
||||
<?php
|
||||
G::LoadSystem('inputfilter');
|
||||
$filter = new InputFilter();
|
||||
$_GET = $filter->xssFilterHard($_GET);
|
||||
|
||||
$ARR_MONTHS = array ( "January", "February", "March", "April", "May", "June",
|
||||
"July", "August", "September", "October", "November", "December");
|
||||
@@ -109,6 +112,11 @@
|
||||
}
|
||||
$numWeeks = ( $end_date - $start_date )/3600/24/7 ;
|
||||
|
||||
$dtmin_value = $filter->xssFilterHard($dtmin_value);
|
||||
$dtmax_value = $filter->xssFilterHard($dtmax_value);
|
||||
$dt_currentYear = $filter->xssFilterHard($dt_currentYear);
|
||||
$dt_currentMonth = $filter->xssFilterHard($dt_currentMonth);
|
||||
|
||||
//print date('Y-m-d', $start_date ) . " $dtmin_value $dtmax_value ";
|
||||
?>
|
||||
<input type='hidden' name='dtmin_value' id='dtmin_value' value='<?php echo $dtmin_value ?>' >
|
||||
|
||||
@@ -1009,6 +1009,12 @@ class adminProxy extends HttpProxyController
|
||||
public function uploadImage()
|
||||
{
|
||||
//!dataSystem
|
||||
|
||||
G::LoadSystem('inputfilter');
|
||||
$filter = new InputFilter();
|
||||
$_SERVER["REQUEST_URI"] = $filter->xssFilterHard($_SERVER["REQUEST_URI"]);
|
||||
$_FILES = $filter->xssFilterHard($_FILES);
|
||||
|
||||
$ainfoSite = explode("/", $_SERVER["REQUEST_URI"]);
|
||||
$dir = PATH_DATA."sites".PATH_SEP.str_replace("sys","",$ainfoSite[1]).PATH_SEP."files/logos";
|
||||
global $_FILES;
|
||||
@@ -1036,7 +1042,9 @@ class adminProxy extends HttpProxyController
|
||||
$uploaded = 0;
|
||||
$failed = 0;
|
||||
|
||||
if (in_array($_FILES['img']['type'], $allowedType)) {
|
||||
$files_img_type = $filter->xssFilterHard($_FILES['img']['type']);
|
||||
|
||||
if (in_array($files_img_type, $allowedType)) {
|
||||
// max upload file is 500 KB
|
||||
if ($_FILES['img']['size'] <= 500000) {
|
||||
$formf = $_FILES['img'];
|
||||
@@ -1055,7 +1063,7 @@ class adminProxy extends HttpProxyController
|
||||
$arrayInfo = getimagesize($dir . '/' . 'tmp' . $fileName);
|
||||
$typeMime = $arrayInfo[2];
|
||||
}
|
||||
if ($typeMime == $allowedTypeArray['index' . base64_encode($_FILES['img']['type'])]) {
|
||||
if ($typeMime == $allowedTypeArray['index' . base64_encode($files_img_type)]) {
|
||||
$error = false;
|
||||
try {
|
||||
list($imageWidth, $imageHeight, $imageType) = @getimagesize($dir . '/' . 'tmp' . $fileName);
|
||||
@@ -1075,10 +1083,10 @@ class adminProxy extends HttpProxyController
|
||||
} else {
|
||||
$failed = "2";
|
||||
}
|
||||
} elseif ($_FILES['img']['type'] != '') {
|
||||
} elseif ($files_img_type != '') {
|
||||
$failed = "1";
|
||||
}
|
||||
echo '{success: true, failed: ' . $failed . ', uploaded: ' . $uploaded . ', type: "' . $_FILES['img']['type'] . '"}';
|
||||
echo '{success: true, failed: ' . $failed . ', uploaded: ' . $uploaded . ', type: "' . $files_img_type . '"}';
|
||||
exit();
|
||||
}
|
||||
|
||||
|
||||
@@ -33,6 +33,12 @@
|
||||
//require_once 'classes/model/AppDelay.php';
|
||||
//require_once 'classes/model/Process.php';
|
||||
//require_once 'classes/model/Task.php';
|
||||
|
||||
G::LoadSystem('inputfilter');
|
||||
$filter = new InputFilter();
|
||||
$_REQUEST = $filter->xssFilterHard($_REQUEST);
|
||||
$_POST = $filter->xssFilterHard($_POST);
|
||||
|
||||
if(isset($_REQUEST['action']) && $_REQUEST['action'] == "verifySession" ) {
|
||||
if (!isset($_SESSION['USER_LOGGED'])) {
|
||||
$response = new stdclass();
|
||||
|
||||
@@ -22,6 +22,13 @@
|
||||
* Coral Gables, FL, 33134, USA, or email info@colosa.com.
|
||||
*/
|
||||
|
||||
G::LoadSystem('inputfilter');
|
||||
$filter = new InputFilter();
|
||||
$_GET = $filter->xssFilterHard($_GET);
|
||||
$_POST = $filter->xssFilterHard($_POST);
|
||||
$_REQUEST = $filter->xssFilterHard($_REQUEST);
|
||||
$_SESSION = $filter->xssFilterHard($_SESSION);
|
||||
|
||||
$actionAjax = isset( $_REQUEST['actionAjax'] ) ? $_REQUEST['actionAjax'] : null;
|
||||
|
||||
if ($actionAjax == "historyDynaformPage") {
|
||||
|
||||
@@ -1,4 +1,11 @@
|
||||
<?php
|
||||
G::LoadSystem('inputfilter');
|
||||
$filter = new InputFilter();
|
||||
$_GET = $filter->xssFilterHard($_GET);
|
||||
$_POST = $filter->xssFilterHard($_POST);
|
||||
$_REQUEST = $filter->xssFilterHard($_REQUEST);
|
||||
$_SESSION = $filter->xssFilterHard($_SESSION);
|
||||
|
||||
if (!isset($_SESSION['USER_LOGGED'])) {
|
||||
$response = new stdclass();
|
||||
$response->message = G::LoadTranslation('ID_LOGIN_AGAIN');
|
||||
@@ -243,12 +250,16 @@ switch (($_POST['action']) ? $_POST['action'] : $_REQUEST['action']) {
|
||||
G::RenderPage( 'publish', 'raw' );
|
||||
break;
|
||||
case 'showUsers':
|
||||
$_POST['TAS_ASSIGN_TYPE'] = $filter->xssFilterHard($_POST['TAS_ASSIGN_TYPE']);
|
||||
switch ($_POST['TAS_ASSIGN_TYPE']) {
|
||||
// switch verify $_POST['TAS_ASSIGN_TYPE']
|
||||
case 'BALANCED':
|
||||
$_POST['USR_UID'] = $filter->xssFilterHard($_POST['USR_UID']);
|
||||
G::LoadClass( 'user' );
|
||||
$oUser = new User( new DBConnection() );
|
||||
$oUser->load( $_POST['USR_UID'] );
|
||||
$oUser->Fields['USR_FIRSTNAME'] = $filter->xssFilterHard($oUser->Fields['USR_FIRSTNAME']);
|
||||
$oUser->Fields['USR_LASTNAME'] = $filter->xssFilterHard($oUser->Fields['USR_LASTNAME']);
|
||||
echo $oUser->Fields['USR_FIRSTNAME'] . ' ' . $oUser->Fields['USR_LASTNAME'] . '<input type="hidden" name="form[TASKS][1][USR_UID]" id="form[TASKS][1][USR_UID]" value="' . $_POST['USR_UID'] . '">';
|
||||
break;
|
||||
case 'MANUAL':
|
||||
@@ -300,6 +311,8 @@ switch (($_POST['action']) ? $_POST['action'] : $_REQUEST['action']) {
|
||||
echo $sAux;
|
||||
break;
|
||||
case 'EVALUATE':
|
||||
$_POST['TAS_ASSIGN_VARIABLE'] = $filter->xssFilterHard($_POST['TAS_ASSIGN_VARIABLE']);
|
||||
$_SESSION['APPLICATION'] = $filter->xssFilterHard($_SESSION['APPLICATION']);
|
||||
G::LoadClass( 'application' );
|
||||
$oApplication = new Application( new DBConnection() );
|
||||
$oApplication->load( $_SESSION['APPLICATION'] );
|
||||
@@ -315,7 +328,8 @@ switch (($_POST['action']) ? $_POST['action'] : $_REQUEST['action']) {
|
||||
$oUser->load( $sUser );
|
||||
echo $oUser->Fields['USR_FIRSTNAME'] . ' ' . $oUser->Fields['USR_LASTNAME'] . '<input type="hidden" name="form[TASKS][1][USR_UID]" id="form[TASKS][1][USR_UID]" value="' . $sUser . '">';
|
||||
} else {
|
||||
echo '<strong>Error: </strong>' . $_POST['TAS_ASSIGN_VARIABLE'] . ' ' . G::LoadTranslation( 'ID_EMPTY' );
|
||||
$ID_EMPTY = $filter->xssFilterHard(G::LoadTranslation( 'ID_EMPTY' ));
|
||||
echo '<strong>Error: </strong>' . $_POST['TAS_ASSIGN_VARIABLE'] . ' ' . $ID_EMPTY;
|
||||
echo '<input type="hidden" name="_ERROR_" id="_ERROR_" value="">';
|
||||
}
|
||||
break;
|
||||
@@ -447,6 +461,9 @@ switch (($_POST['action']) ? $_POST['action'] : $_REQUEST['action']) {
|
||||
$cases->reassignCase( $_SESSION['APPLICATION'], $_SESSION['INDEX'], $_SESSION['USER_LOGGED'], $_POST['USR_UID'], $_POST['THETYPE'] );
|
||||
break;
|
||||
case 'toRevisePanel':
|
||||
$_POST['APP_UID'] = $filter->xssFilterHard($_POST['APP_UID']);
|
||||
$_POST['DEL_INDEX'] = $filter->xssFilterHard($_POST['DEL_INDEX']);
|
||||
|
||||
$_GET['APP_UID'] = $_POST['APP_UID'];
|
||||
$_GET['DEL_INDEX'] = $_POST['DEL_INDEX'];
|
||||
$G_PUBLISH = new Publisher();
|
||||
|
||||
Reference in New Issue
Block a user