fernando/luos
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merged in paulis/processmaker/PM-VERACODE-9 (pull request #1716)

Browse Source 
I reviewed the XSS - MEDIUM in files
This commit is contained in:
Julio Cesar Laura Avendaño
2015-03-19 23:59:43 -04:00
parent 48386b558f 0ef17ab94b
commit eec9a94c9c
7 changed files with 39 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
workflow/engine/methods/cases/proxyPMTablesFieldList.php
View File

@@ -744,6 +744,7 @@ function xgetFieldsFromPMTable($tabUid)
$oCriteria->addSelectColumn ( FieldsPeer::FLD_INDEX );
$oCriteria->add (FieldsPeer::ADD_TAB_UID, $tabUid , CRITERIA::EQUAL );
$oCriteria->add (FieldsPeer::FLD_NAME, 'APP_UID' , CRITERIA::NOT_EQUAL );
$oCriteria->addAnd (FieldsPeer::FLD_NAME, 'APP_NUMBER' , CRITERIA::NOT_EQUAL );
$oCriteria->addDescendingOrderByColumn('FLD_INDEX');
$oDataset = FieldsPeer::doSelectRS($oCriteria);
$oDataset->setFetchmode(ResultSet::FETCHMODE_ASSOC);

5
workflow/engine/methods/departments/departments_Ajax.php
View File

@@ -23,6 +23,11 @@
* Coral Gables, FL, 33134, USA, or email info@colosa.com.
*/
G::LoadSystem('inputfilter');
$filter = new InputFilter();
$_POST = $filter->xssFilterHard($_POST);
$_REQUEST = $filter->xssFilterHard($_REQUEST);
function LookForChildren ($parent, $level, $aDepUsers)
{
G::LoadClass( 'configuration' );

4
workflow/engine/methods/dynaforms/dynaforms_checkDependentFields.php
View File

@@ -28,6 +28,10 @@
* also the functionality of dependent fields in grids doesn't depends in this
* file so this is somewhat expendable.
*/
G::LoadSystem('inputfilter');
$filter = new InputFilter();
$_POST = $filter->xssFilterHard($_POST);
function subDependencies ($k, &$G_FORM, &$aux, $grid = '')
{
$myDependentFields = '';

5
workflow/engine/methods/dynaforms/fieldsHandlerAjax.php
View File

@@ -25,6 +25,9 @@
* @Date Aug 26th, 2009
*/
G::LoadSystem('inputfilter');
$filter = new InputFilter();
$_POST = $filter->xssFilterHard($_POST);
$request = $_POST['request'];
switch ($request) {
@@ -32,6 +35,7 @@ switch ($request) {
if (isset( $_POST['items'] )) {
$items = $_POST['items'];
$tmpfilename = $_SESSION['Current_Dynafom']['Parameters']['FILE'];
$tmpfilename = $filter->xssFilterHard($tmpfilename);
G::LoadSystem( 'dynaformhandler' );
$o = new dynaFormHandler( PATH_DYNAFORM . "{$tmpfilename}.xml" );
@@ -53,6 +57,7 @@ switch ($request) {
break;
case 'saveHidden':
$tmpfilename = $_SESSION['Current_Dynafom']['Parameters']['FILE'];
$tmpfilename = $filter->xssFilterHard($tmpfilename);
G::LoadSystem( 'dynaformhandler' );
$o = new dynaFormHandler( PATH_DYNAFORM . "{$tmpfilename}.xml" );
$hidden_items = Array ();

3
workflow/engine/methods/dynaforms/test.php
View File

@@ -51,8 +51,11 @@ for ($r = 1; $r < 10; $r ++) {
</select> <input type="submit" value="Send" />
</form>
<?php
G::LoadSystem('inputfilter');
$filter = new InputFilter();
$test = $_POST['form']['test'];
if ($test) {
$test = $filter->xssFilterHard($test);
foreach ($test as $t) {
echo 'You selected ', $t, '<br />';
}