FIX XSS: filter the onerror event handler in the injection check and add the missing HTML escaping on the member type page.
parent
9d7806f1f4
commit
9c99cae911
@ -51,6 +51,12 @@ $pagenext = $page + 1;
|
||||
if (! $sortorder) { $sortorder="DESC"; }
|
||||
if (! $sortfield) { $sortfield="d.lastname"; }
|
||||
|
||||
$label=GETPOST("libelle","alpha");
|
||||
$cotisation=GETPOST("cotisation","int");
|
||||
$vote=GETPOST("vote","int");
|
||||
$comment=GETPOST("comment");
|
||||
$mail_valid=GETPOST("mail_valid");
|
||||
|
||||
// Security check
|
||||
$result=restrictedArea($user,'adherent',$rowid,'adherent_type');
|
||||
|
||||
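Review bot: `$comment` and `$mail_valid` on the two lines before the security check are read with `GETPOST()` and no check type, while the neighbouring `libelle`, `cotisation` and `vote` get `'alpha'`/`'int'`; in the later hunks they reach `$adht->note` and `$adht->mail_valid` through `trim()` only, so any XSS protection for them rests entirely on escaping at render time, which this diff does not show. If these are free-text fields the right fix is to confirm (or add) `dol_escape_htmltag()` or the appropriate context escaper wherever note and mail_valid are printed; if not, `$comment=GETPOST("comment","alpha");` and `$mail_valid=GETPOST("mail_valid","alpha");` would at least make the input filtering consistent with the rest of this block. `$rowid`, passed to `restrictedArea()` here and assigned to `$adht->id` in the update hunk, is set outside this hunk, so whether it is read with the `'int'` check cannot be confirmed from the diff.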
@ -81,11 +87,11 @@ if ($action == 'add' && $user->rights->adherent->configurer)
|
||||
{
|
||||
$adht = new AdherentType($db);
|
||||
|
||||
$adht->libelle = trim($_POST["libelle"]);
|
||||
$adht->cotisation = trim($_POST["cotisation"]);
|
||||
$adht->note = trim($_POST["comment"]);
|
||||
$adht->mail_valid = trim($_POST["mail_valid"]);
|
||||
$adht->vote = trim($_POST["vote"]);
|
||||
$adht->libelle = trim($label);
|
||||
$adht->cotisation = trim($cotisation);
|
||||
$adht->note = trim($comment);
|
||||
$adht->mail_valid = trim($mail_valid);
|
||||
$adht->vote = trim($vote);
|
||||
|
||||
// Fill array 'array_options' with data from add form
|
||||
$ret = $extrafields->setOptionalsFromPost($extralabels,$adht);
|
||||
@ -118,12 +124,12 @@ if ($action == 'update' && $user->rights->adherent->configurer)
|
||||
if ($_POST["button"] != $langs->trans("Cancel"))
|
||||
{
|
||||
$adht = new AdherentType($db);
|
||||
$adht->id = $_POST["rowid"];
|
||||
$adht->libelle = trim($_POST["libelle"]);
|
||||
$adht->cotisation = trim($_POST["cotisation"]);
|
||||
$adht->note = trim($_POST["comment"]);
|
||||
$adht->mail_valid = trim($_POST["mail_valid"]);
|
||||
$adht->vote = trim($_POST["vote"]);
|
||||
$adht->id = $rowid;
|
||||
$adht->libelle = trim($label);
|
||||
$adht->cotisation = trim($cotisation);
|
||||
$adht->note = trim($comment);
|
||||
$adht->mail_valid = trim($mail_valid);
|
||||
$adht->vote = trim($vote);
|
||||
|
||||
// Fill array 'array_options' with data from add form
|
||||
$ret = $extrafields->setOptionalsFromPost($extralabels,$adht);
|
||||
@ -196,7 +202,7 @@ if (! $rowid && $action != 'create' && $action != 'edit')
|
||||
$var=!$var;
|
||||
print "<tr ".$bc[$var].">";
|
||||
print '<td><a href="'.$_SERVER["PHP_SELF"].'?rowid='.$objp->rowid.'">'.img_object($langs->trans("ShowType"),'group').' '.$objp->rowid.'</a></td>';
|
||||
print '<td>'.$objp->libelle.'</td>';
|
||||
print '<td>'.dol_escape_htmltag($objp->libelle).'</td>';
|
||||
print '<td align="center">'.yn($objp->cotisation).'</td>';
|
||||
print '<td align="center">'.yn($objp->vote).'</td>';
|
||||
print '<td align="right"><a href="'.$_SERVER["PHP_SELF"].'?action=edit&rowid='.$objp->rowid.'">'.img_edit().'</a></td>';
|
||||
@ -314,7 +320,7 @@ if ($rowid > 0)
|
||||
print '</td></tr>';
|
||||
|
||||
// Label
|
||||
print '<tr><td width="15%">'.$langs->trans("Label").'</td><td>'.$adht->libelle.'</td></tr>';
|
||||
print '<tr><td width="15%">'.$langs->trans("Label").'</td><td>'.dol_escape_htmltag($adht->libelle).'</td></tr>';
|
||||
|
||||
print '<tr><td>'.$langs->trans("SubscriptionRequired").'</td><td>';
|
||||
print yn($adht->cotisation);
|
||||
@ -491,15 +497,15 @@ if ($rowid > 0)
|
||||
print '<tr class="liste_titre">';
|
||||
|
||||
print '<td class="liste_titre" align="left">';
|
||||
print '<input class="flat" type="text" name="search_lastname" value="'.$search_lastname.'" size="12"></td>';
|
||||
print '<input class="flat" type="text" name="search_lastname" value="'.dol_escape_htmltag($search_lastname).'" size="12"></td>';
|
||||
|
||||
print '<td class="liste_titre" align="left">';
|
||||
print '<input class="flat" type="text" name="search_login" value="'.$search_login.'" size="7"></td>';
|
||||
print '<input class="flat" type="text" name="search_login" value="'.dol_escape_htmltag($search_login).'" size="7"></td>';
|
||||
|
||||
print '<td class="liste_titre"> </td>';
|
||||
|
||||
print '<td class="liste_titre" align="left">';
|
||||
print '<input class="flat" type="text" name="search_email" value="'.$search_email.'" size="12"></td>';
|
||||
print '<input class="flat" type="text" name="search_email" value="'.dol_escape_htmltag($search_email).'" size="12"></td>';
|
||||
|
||||
print '<td class="liste_titre"> </td>';
|
||||
|
||||
@ -561,7 +567,7 @@ if ($rowid > 0)
|
||||
if ($datefin)
|
||||
{
|
||||
print '<td align="center" class="nowrap">';
|
||||
if ($datefin < time() && $objp->statut > 0)
|
||||
if ($datefin < dol_now() && $objp->statut > 0)
|
||||
{
|
||||
print dol_print_date($datefin,'day')." ".img_warning($langs->trans("SubscriptionLate"));
|
||||
}
|
||||
@ -641,7 +647,7 @@ if ($rowid > 0)
|
||||
|
||||
print '<tr><td width="15%">'.$langs->trans("Ref").'</td><td>'.$adht->id.'</td></tr>';
|
||||
|
||||
print '<tr><td>'.$langs->trans("Label").'</td><td><input type="text" name="libelle" size="40" value="'.$adht->libelle.'"></td></tr>';
|
||||
print '<tr><td>'.$langs->trans("Label").'</td><td><input type="text" name="libelle" size="40" value="'.dol_escape_htmltag($adht->libelle).'"></td></tr>';
|
||||
|
||||
print '<tr><td>'.$langs->trans("SubscriptionRequired").'</td><td>';
|
||||
print $form->selectyesno("cotisation",$adht->cotisation,1);
|
||||
@ -687,6 +693,7 @@ if ($rowid > 0)
|
||||
}
|
||||
}
|
||||
|
||||
$db->close();
|
||||
|
||||
llxFooter();
|
||||
|
||||
$db->close();
|
||||
|
||||
@ -189,7 +189,7 @@ function dol_shutdown()
|
||||
* Return value of a param into GET or POST supervariable
|
||||
*
|
||||
* @param string $paramname Name of parameter to found
|
||||
* @param string $check Type of check (''=no check, 'int'=check it's numeric, 'alpha'=check it's text and sign, 'aZ'=check it's a-z only, 'array'=check it's array, 'san_alpha'= Use filter_var with FILTER_SANITIZE_STRING (do not use this for free text string), 'custom'= custom filter specify $filter and $options)
|
||||
* @param string $check Type of check (''=no check, 'int'=check it's numeric, 'alpha'=check it's text and sign, 'aZ'=check it's a-z only, 'array'=check it's array, 'san_alpha'=Use filter_var with FILTER_SANITIZE_STRING (do not use this for free text string), 'custom'= custom filter specify $filter and $options)
|
||||
* @param int $method Type of method (0 = get then post, 1 = only get, 2 = only post, 3 = post then get, 4 = post then get then cookie)
|
||||
* @param int $filter Filter to apply when $check is set to custom. (See http://php.net/manual/en/filter.filters.php for détails)
|
||||
* @param mixed $options Options to pass to filter_var when $check is set to custom
|
||||
@ -507,7 +507,7 @@ function dol_escape_js($stringtoescape, $mode=0, $noescapebackslashn=0)
|
||||
|
||||
|
||||
/**
|
||||
* Returns text escaped for inclusion in HTML alt or title tags, or into values of HTMPL input fields
|
||||
* Returns text escaped for inclusion in HTML alt or title tags, or into values of HTML input fields.
|
||||
*
|
||||
* @param string $stringtoescape String to escape
|
||||
* @param int $keepb Do not clean b tags
|
||||
|
||||
@ -89,6 +89,7 @@ function test_sql_and_script_inject($val, $type)
|
||||
$sql_inj += preg_match('/union.+select/i', $val);
|
||||
$sql_inj += preg_match('/into\s+(outfile|dumpfile)/i', $val);
|
||||
$sql_inj += preg_match('/(\.\.%2f)+/i', $val);
|
||||
$sql_inj += preg_match('/onerror=/i', $val);
|
||||
}
|
||||
// For XSS Injection done by adding javascript with script
|
||||
// This is all cases a browser consider text is javascript:
|
||||
|
||||
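Review bot: The new `preg_match('/onerror=/i', $val)` only catches the literal `onerror=` spelling, so `onerror =`, `onerror<tab>=` and every other event handler (`onload`, `onmouseover`, `onfocus`, …) pass the filter unchanged; a pattern such as `preg_match('/\bon[a-z]+\s*=/i', $val)` would cover the handler family, at the cost of possible false positives on free text that should be weighed against existing callers. The check is also accumulated into `$sql_inj` among the SQL-injection patterns although it targets XSS, which the comment on the following lines introduces as a separate section; moving it under that section would keep the grouping coherent. Such a denylist can only be a second line of defence behind the output escaping the rest of this commit adds, and whether encoded variants like `onerror%3D` arrive decoded here depends on where `$val` comes from, which is outside the hunk. `test_sql_and_script_inject()` begins before and continues after this hunk.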