referer XSS patches

This commit is contained in:
root 2020-02-03 23:10:04 +00:00 committed by Laurent Destailleur
parent e73b57e969
commit 0dcb83e6bf
3 changed files with 4 additions and 4 deletions


@ -831,7 +831,7 @@ if ($action == 'create')
print '<input type="hidden" name="token" value="'.newToken().'">';
print '<input type="hidden" name="action" value="add">';
print '<input type="hidden" name="donotclearsession" value="1">';
if ($backtopage) print '<input type="hidden" name="backtopage" value="'.($backtopage != '1' ? $backtopage : $_SERVER["HTTP_REFERER"]).'">';
if ($backtopage) print '<input type="hidden" name="backtopage" value="'.($backtopage != '1' ? $backtopage : htmlentities($_SERVER["HTTP_REFERER"])).'">';
if (empty($conf->global->AGENDA_USE_EVENT_TYPE)) print '<input type="hidden" name="actioncode" value="'.dol_getIdFromCode($db, 'AC_OTH', 'c_actioncomm').'">';
if (GETPOST("actioncode", 'aZ09') == 'AC_RDV') print load_fiche_titre($langs->trans("AddActionRendezVous"), '', 'title_agenda');
@ -1232,7 +1232,7 @@ if ($id > 0)
print '<input type="hidden" name="action" value="update">';
print '<input type="hidden" name="id" value="'.$id.'">';
print '<input type="hidden" name="ref_ext" value="'.$object->ref_ext.'">';
if ($backtopage) print '<input type="hidden" name="backtopage" value="'.($backtopage != '1' ? $backtopage : $_SERVER["HTTP_REFERER"]).'">';
if ($backtopage) print '<input type="hidden" name="backtopage" value="'.($backtopage != '1' ? $backtopage : htmlentities($_SERVER["HTTP_REFERER"])).'">';
if (empty($conf->global->AGENDA_USE_EVENT_TYPE)) print '<input type="hidden" name="actioncode" value="'.$object->type_code.'">';
dol_fiche_head($head, 'card', $langs->trans("Action"), 0, 'action');
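Review bot: Only one branch of the ternary is escaped on the new backtopage line (the htmlentities() variant, assuming that is the new side since this rendered page lost its +/- markers): when `$backtopage` is anything other than `'1'` it is still concatenated raw into the `value="..."` attribute, and its origin is not visible in this hunk, so if it comes from the request it carries the same attribute-injection risk the commit fixes for the referer. Escape the whole expression instead, `'.htmlentities($backtopage != '1' ? $backtopage : $_SERVER["HTTP_REFERER"], ENT_QUOTES, 'UTF-8').'`, which also pins the flags and charset rather than relying on PHP-version defaults (ENT_COMPAT before 8.1, ENT_QUOTES | ENT_SUBSTITUTE from 8.1). The same one-sided escaping appears in this file's second hunk at line 1232. Note that HTML-escaping protects the page, not the later redirect: if backtopage is presumably used as a redirect target, that should be validated separately against an allowed-URL rule.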


@ -21,7 +21,7 @@
Sorry. You are not allowed to access this resource.
<br>
<?php print isset($_SERVER["HTTP_REFERER"])?'You come from '.$_SERVER["HTTP_REFERER"].'.':''; ?>
<?php print isset($_SERVER["HTTP_REFERER"])?'You come from '.htmlentities($_SERVER["HTTP_REFERER"]).'.':''; ?>
<hr>
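Review bot: The htmlentities() call on the new "You come from" line leaves flags and charset at their defaults, and on PHP before 8.1 the default (ENT_COMPAT, no ENT_SUBSTITUTE) returns an empty string for a referer containing invalid UTF-8 sequences, silently dropping the message on an error page. Make the escaping explicit and version-independent: `htmlentities($_SERVER["HTTP_REFERER"], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')`. If the project has its own HTML-escaping helper, using it here would keep this consistent with the rest of the codebase; none is visible in these hunks so I cannot name it. The identical line in the third file's hunk needs the same change.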


@ -21,7 +21,7 @@
You requested a website or a page that does not exists.
<br>
<?php print isset($_SERVER["HTTP_REFERER"])?'You come from '.$_SERVER["HTTP_REFERER"].'.':''; ?>
<?php print isset($_SERVER["HTTP_REFERER"])?'You come from '.htmlentities($_SERVER["HTTP_REFERER"]).'.':''; ?>
<hr>