Security Issues - Improvements
- Se añadieron validaciones para sanitizar los valores enviados.
@@ -5230,6 +5230,23 @@ class G
|
||||
}
|
||||
return in_array(strtolower($functionName), $allFunctions['user']);
|
||||
}
|
||||
|
||||
/**
|
||||
* Constructor for inputFilter class. Only first parameter is required.
|
||||
* @access constructor
|
||||
* @data Mixed - input string/array-of-string to be 'cleaned'
|
||||
* @param Array $tagsArray - list of user-defined tags
|
||||
* @param Array $attrArray - list of user-defined attributes
|
||||
* @param int $tagsMethod - 0= allow just user-defined, 1= allow all but user-defined
|
||||
* @param int $attrMethod - 0= allow just user-defined, 1= allow all but user-defined
|
||||
* @param int $xssAuto - 0= only auto clean essentials, 1= allow clean blacklisted tags/attr
|
||||
*/
|
||||
public function sanitizeInput($data, $tagsArray = array(), $attrArray = array(), $tagsMethod = 0, $attrMethod = 0, $xssAuto = 1)
|
||||
{
|
||||
G::LoadSystem('inputfilter');
|
||||
$filtro = new InputFilter($tagsArray , $attrArray, $tagsMethod, $attrMethod, $xssAuto);
|
||||
return $filtro->process($data);
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
|
||||
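Review bot: `sanitizeInput` is declared as an instance method (`public function`) but every caller in this commit invokes it statically as `G::sanitizeInput(...)`, which is an E_STRICT notice on PHP 5 and a fatal `Error` on PHP 8; declare it `public static function sanitizeInput($data, $tagsArray = array(), $attrArray = array(), $tagsMethod = 0, $attrMethod = 0, $xssAuto = 1)`. The docblock is copied from the InputFilter constructor and does not describe this method: `@access constructor` and `@data Mixed` should become `@param mixed $data` plus a `@return mixed` stating that the filtered string or array-of-strings is returned. It should also spell out what the defaults mean — with empty `$tagsArray`/`$attrArray` and both methods at `0`, the parameter descriptions imply every tag and attribute is removed, so callers need to know this is an HTML-stripping filter and not a general-purpose validator. The behaviour of `InputFilter::process` comes from the newly added `gulliver/system/class.inputfilter.php`, whose diff is suppressed on this page, so that reading could not be confirmed here.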
368
gulliver/system/class.inputfilter.php
Normal file
368
gulliver/system/class.inputfilter.php
Normal file
@@ -155,7 +155,7 @@ class Dashboard extends Controller
|
||||
if ($data->DAS_INS_UID == '') {
|
||||
throw new Exception( 'Parameter "DAS_INS_UID" is empty.' );
|
||||
}
|
||||
$this->pmDashlet->setup( $data->DAS_INS_UID );
|
||||
$this->pmDashlet->setup( G::sanitizeInput($data->DAS_INS_UID) );
|
||||
|
||||
if (! isset( $_REQUEST['w'] )) {
|
||||
$width = 300;
|
||||
|
||||
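Review bot: `G::sanitizeInput($data->DAS_INS_UID)` in the new `setup(...)` call applies an HTML tag/attribute filter to a value that is never rendered as HTML; if `setup()` uses the UID as a database key (its body is not visible here) the filter does not constrain what reaches the query, and an allow-list format check is the appropriate control. UIDs on this page appear to be 32-character strings (the `USER_LOGGED` default in the next hunk), so if `DAS_INS_UID` shares that shape the existing empty check could be tightened to `if (!preg_match('/^[0-9A-Fa-f]{32}$/', $data->DAS_INS_UID)) { throw new Exception('Parameter "DAS_INS_UID" is invalid.'); }`. The same point applies to `$action` (the `@@ -1,5 +1,7 @@` hunk) and `$request` (the `@@ -1,7 +1,7 @@` hunk): both are dispatch keys compared against literal labels, so filtering adds nothing there, and what bounds them is a `default:` branch that rejects unknown values — the `switch` bodies lie outside those hunks. The enclosing Dashboard method starts and ends outside this hunk.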
@@ -1,5 +1,7 @@
|
||||
<?php
|
||||
$action = isset( $_GET['action'] ) ? $_GET['action'] : 'default';
|
||||
|
||||
$action = isset( $_GET['action'] ) ? G::sanitizeInput($_GET['action']) : 'default';
|
||||
|
||||
G::LoadClass( 'case' );
|
||||
G::LoadClass( 'configuration' );
|
||||
$userId = isset( $_SESSION['USER_LOGGED'] ) ? $_SESSION['USER_LOGGED'] : '00000000000000000000000000000000';
|
||||
|
||||
@@ -240,14 +240,14 @@ try {
|
||||
if (strpos($_SERVER['HTTP_REFERER'], 'processes/processes_Map?PRO_UID=') !== false) {
|
||||
$sLocation = $_SERVER['HTTP_REFERER'];
|
||||
} else {
|
||||
$sLocation = $_REQUEST['form']['URL'];
|
||||
$sLocation = G::sanitizeInput($_REQUEST['form']['URL']);
|
||||
}
|
||||
} else {
|
||||
$sLocation = $_REQUEST['form']['URL'];
|
||||
$sLocation = G::sanitizeInput($_REQUEST['form']['URL']);
|
||||
}
|
||||
} else {
|
||||
if (isset($_REQUEST['u']) && $_REQUEST['u'] != '') {
|
||||
$sLocation = $_REQUEST['u'];
|
||||
$sLocation = G::sanitizeInput($_REQUEST['u']);
|
||||
} else {
|
||||
$sLocation = $oUserProperty->redirectTo($_SESSION['USER_LOGGED'], $lang);
|
||||
}
|
||||
|
||||
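Review bot: The new `G::sanitizeInput(...)` calls on `$_REQUEST['form']['URL']` and `$_REQUEST['u']` strip HTML from `$sLocation`, but if `$sLocation` is a redirect target (the `redirectTo(...)` fallback suggests so; its use is outside the hunk) an absolute URL to another origin passes the filter unchanged, so the open-redirect risk is not addressed. After sanitizing, reject anything that is not a site-relative path and fall back to the user's default: `if (preg_match('#^(?:[a-z][a-z0-9+.-]*:|//)#i', $sLocation)) { $sLocation = $oUserProperty->redirectTo($_SESSION['USER_LOGGED'], $lang); }`. The `$_SERVER['HTTP_REFERER']` branch left as context is also caller-controlled, and `strpos(...) !== false` only tests for a substring rather than anchoring to this site's origin, so the same check should cover it. `$_REQUEST['form']['URL']` is still read without `isset`, which emits a notice when the form field is absent. The enclosing `try` block starts and ends outside the hunk.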
@@ -1,7 +1,7 @@
|
||||
<?php
|
||||
ob_start();
|
||||
|
||||
$request = isset( $_POST['request'] ) ? $_POST['request'] : (isset( $_GET['request'] ) ? $_GET['request'] : null);
|
||||
$request = isset( $_POST['request'] ) ? G::sanitizeInput($_POST['request']) : (isset( $_GET['request'] ) ? G::sanitizeInput($_GET['request']) : null);
|
||||
|
||||
switch ($request) {
|
||||
case 'loadMenu':
|
||||
|
||||