Commit 9904703840a74597e1c6122109843c198488477c
1 parent
e9492db6
Merged in from DEV trunk...
KTS-2178 "cross site scripting" Implemented. Committed By: Conrad Vermeulen Reviewed By: Kevin Fourie git-svn-id: https://kt-dms.svn.sourceforge.net/svnroot/kt-dms/STABLE/trunk@7008 c91229c3-7414-0410-bfa2-8a42b809f60b
Showing
8 changed files
with
42 additions
and
31 deletions
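--- a/lib/documentmanagement/observers.inc.php
+++ b/lib/documentmanagement/observers.inc.php
@@ -6,7 +6,7 @@
 * License Version 1.1.2 ("License"); You may not use this file except in
 * compliance with the License. You may obtain a copy of the License at
 * http://www.knowledgetree.com/KPL
-*
+*
 * Software distributed under the License is distributed on an "AS IS"
 * basis, WITHOUT WARRANTY OF ANY KIND, either express or implied.
 * See the License for the specific language governing rights and
@@ -17,9 +17,9 @@
 * (ii) the KnowledgeTree copyright notice
 * in the same form as they appear in the distribution. See the License for
 * requirements.
-*
+*
 * The Original Code is: KnowledgeTree Open Source
-*
+*
 * The Initial Developer of the Original Code is The Jam Warehouse Software
 * (Pty) Ltd, trading as KnowledgeTree.
 * Portions created by The Jam Warehouse Software (Pty) Ltd are Copyright
@@ -77,7 +77,7 @@ class JavascriptObserver {
 printf('<script language="javascript">kt_add_document_newFile("%s")</script>', $msg->getString());
 return;
 }
-printf('<script language="javascript">kt_add_document_addMessage("%s")</script>', $msg->getString());
+printf('<script language="javascript">kt_add_document_addMessage("%s")</script>', htmlentities($msg->getString(),ENT_QUOTES,'UTF-8'));
 }
 
 function redirectToDocument($id) {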
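Review bot: Context line 77 in this hunk still passes `$msg->getString()` unencoded into `kt_add_document_newFile("%s")`, so the same injection the commit closes on line 80 remains one branch above it. `htmlentities()` is also the wrong encoder for this spot: the output is inside a `<script>` element, where the browser does not decode entities, so a `"` in the message reaches the JS function as the literal text `&quot;`, while a backslash or a raw newline passes through untouched and can still break the string literal. For a JavaScript string argument use `json_encode($msg->getString())` on both printf calls, dropping the surrounding quotes from the format (`kt_add_document_addMessage(%s)`), since json_encode supplies its own quotes and escapes `/` by default so a `</script>` in the message cannot close the element. The enclosing method begins above this hunk, so where `$msg` originates is not visible here.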
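--- a/plugins/rssplugin/KTrss.inc.php
+++ b/plugins/rssplugin/KTrss.inc.php
@@ -186,7 +186,7 @@ class KTrss{
 if ($aDocumentList) {
 foreach($aDocumentList as $documentElement){
 $document_id = $documentElement['id'];
-$aDocumentTransactions = array_merge($aDocumentTransactions, KTrss::getDocumentTransactions($document_id));
+$aDocumentTransactions = kt_array_merge($aDocumentTransactions, KTrss::getDocumentTransactions($document_id));
 }
 }
 if ($aDocumentTransactions){
@@ -220,8 +220,8 @@ class KTrss{
 // get information for folder
 function getOneFolder($iFolderId){
 $aFData = KTrss::getFolderData($iFolderId);
-$aFTransactions = array_merge(KTrss::getChildrenFolderTransactions($iFolderId), KTrss::getFolderTransactions($iFolderId));
-$aFTransactions = array_merge($aFTransactions, KTrss::getChildrenDocumentTransactions($iFolderId));
+$aFTransactions = kt_array_merge(KTrss::getChildrenFolderTransactions($iFolderId), KTrss::getFolderTransactions($iFolderId));
+$aFTransactions = kt_array_merge($aFTransactions, KTrss::getChildrenDocumentTransactions($iFolderId));
 
 $code = 'if (strtotime($a[datetime]) == strtotime($b[datetime])){
 return 0;
@@ -255,6 +255,17 @@ class KTrss{
 }
 }
 
+function rss_sanitize($str, $do_amp=true)
+{
+
+$result = str_replace("\\\"","\"",str_replace('\\\'','\'',htmlentities($str,ENT_NOQUOTES, 'UTF-8')));
+if ($do_amp)
+{
+$result = str_replace('&','&',$result);
+}
+return $result;
+}
+
 // Takes in an array as a parameter and returns rss2.0 compatible xml
 function arrayToXML($aItems){
 // Build path to host
@@ -282,7 +293,7 @@ class KTrss{
 $sTypeSelect = 'document.transactionhistory&fDocumentId';
 }
 $feed .= "<item>\n" .
-"<title>".htmlentities($aItems[0][0][name],ENT_QUOTES, 'UTF-8')."</title>\n" .
+"<title>".KTrss::rss_sanitize($aItems[0][0][name],false)."</title>\n" .
 "<link>".$hostPath."action.php?kt_path_info=ktcore.actions.".$sTypeSelect."=".$aItems[0][0]['id']."</link>\n" .
 "<description>\n" .
 "<table border='0' width='90%'>\n".
@@ -298,7 +309,7 @@ class KTrss{
 "<hr>\n".
 "<table width='95%'>\n".
 "<tr>\n".
-"<td>Filename: ".str_replace('&','&',htmlentities($aItems[0][0][filename],ENT_QUOTES, 'UTF-8'))."</td>\n".
+"<td>Filename: ".KTrss::rss_sanitize($aItems[0][0][filename] )."</td>\n".
 "<td>\n".
 "</tr>\n".
 "<tr>\n".
@@ -326,11 +337,11 @@ class KTrss{
 foreach($aItems[1] as $item){
 $feed .= "<tr>\n".
 "<td>".$item[type]." name:</td>\n".
-"<td>".str_replace('&','&',htmlentities($item[name],ENT_QUOTES, 'UTF-8'))."</td>\n".
+"<td>".KTrss::rss_sanitize($item[name] )."</td>\n".
 "</tr>\n".
 "<tr>\n".
 "<td>Path:</td>\n".
-"<td>".str_replace('&','&',htmlentities($item[fullpath],ENT_QUOTES, 'UTF-8'))."</td>\n".
+"<td>".KTrss::rss_sanitize($item[fullpath] )."</td>\n".
 "</tr>\n".
 "<tr>\n".
 "<td>Transaction:</td>\n".
@@ -338,7 +349,7 @@ class KTrss{
 "</tr>\n".
 "<tr>\n".
 "<td>Comment:</td>\n".
-"<td>".str_replace('&','&',htmlentities($item[comment],ENT_QUOTES, 'UTF-8'))."</td>\n".
+"<td>".KTrss::rss_sanitize($item[comment] )."</td>\n".
 "</tr>\n".
 "<tr>\n";if($item[version]){
 $feed .= "<td>Version:</td>\n".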
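Review bot: `rss_sanitize` (line 261) uses `htmlentities()`, which turns non-ASCII input into HTML named entities such as `&eacute;`, but its output is written into XML — the `<title>` text node on line 296 and the cells emitted as raw markup inside `<description>` — where only the five predefined entities exist, so a name with an accented character will be rejected by RSS readers that use a strict XML parser; `htmlspecialchars($str, ENT_QUOTES, 'UTF-8')` encodes only `& < > " '` and is the right call for XML text. The move from ENT_QUOTES to ENT_NOQUOTES is harmless for these text-node uses but would become a gap if the helper is later applied to an attribute. The `$do_amp` branch on line 264 renders here as `str_replace('&','&',$result)`, a no-op as shown, so presumably one of the two strings was `&amp;` before this page decoded it; if it maps `&amp;` back to `&` it undoes the escaping and places a bare ampersand into the XML, which is worth a one-line comment stating the intent. The function has no docblock; one stating that it prepares a string for an XML text node in the RSS item and what `$do_amp` toggles would help the next reader.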
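--- a/plugins/rssplugin/templates/RSSPlugin/dashlet.smarty
+++ b/plugins/rssplugin/templates/RSSPlugin/dashlet.smarty
@@ -9,7 +9,7 @@
 {/if}
 {if $feedlist}
 {section name=feed loop=$feedlist}
-<option value='{$feedlist[feed].url}'>{$feedlist[feed].title|sanitize}</option>
+<option value='{$feedlist[feed].url|sanitize}'>{$feedlist[feed].title|sanitize}</option>
 {/section}
 {/if}
 </select>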
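Review bot: The `value` attribute on line 12 is delimited with single quotes, so the new `|sanitize` on the URL only closes the hole if that modifier encodes `'` as well as `"` and `<`; the modifier's implementation is not on this page, and an `htmlspecialchars` without ENT_QUOTES would let a `'` in a feed URL terminate the attribute. Either confirm that `sanitize` encodes single quotes or use double quotes for the attribute: `<option value="{$feedlist[feed].url|sanitize}">{$feedlist[feed].title|sanitize}</option>`.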
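--- a/rss.php
+++ b/rss.php
@@ -1,12 +1,12 @@
 <?php
 /**
 * $Id$
-*
+*
 * The contents of this file are subject to the KnowledgeTree Public
 * License Version 1.1.2 ("License"); You may not use this file except in
 * compliance with the License. You may obtain a copy of the License at
 * http://www.knowledgetree.com/KPL
-*
+*
 * Software distributed under the License is distributed on an "AS IS"
 * basis, WITHOUT WARRANTY OF ANY KIND, either express or implied.
 * See the License for the specific language governing rights and
@@ -17,9 +17,9 @@
 * (ii) the KnowledgeTree copyright notice
 * in the same form as they appear in the distribution. See the License for
 * requirements.
-*
+*
 * The Original Code is: KnowledgeTree Open Source
-*
+*
 * The Initial Developer of the Original Code is The Jam Warehouse Software
 * (Pty) Ltd, trading as KnowledgeTree.
 * Portions created by The Jam Warehouse Software (Pty) Ltd are Copyright
@@ -67,23 +67,23 @@ if (!validateUser($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW'])) {
 } else {
 $user = DBAuthenticator::getUser($_SERVER['PHP_AUTH_USER'], array('id'=>'id',));
 $id = $user[$_SERVER['PHP_AUTH_USER']]['id'];
-
-
+
+
 if(KTUtil::arrayGet($_REQUEST, 'docId')){ // if a docId parameter is passed
 // get document id from http request object
 $iDocumentId = KTUtil::arrayGet($_REQUEST, 'docId');
-
+
 if(KTrss::validateDocumentPermissions($id, $iDocumentId)){ // if document passes validation check
 // get document info
 $aDocumentInfo[] = KTrss::getOneDocument($iDocumentId, $id);
-
-if($aDocumentInfo){
+
+if($aDocumentInfo){
 // create rss xml for document
 $documentFeed = KTrss::arrayToXML($aDocumentInfo);
 }else{
 // create rss xml for the error
 $error = KTrss::errorToXML(_kt('This document has returned a empty response'));
-}
+}
 }else{
 // create rss xml for error
 $error = KTrss::errorToXML(_kt('You are either not authorised to view details on this document or it does not exist.' .
@@ -101,7 +101,7 @@ if (!validateUser($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW'])) {
 if(KTrss::validateFolderPermissions($id, $iFolderId)){ // if folder passes validation check
 // get folder info
 $aFolderInfo[] = KTrss::getOneFolder($iFolderId);
-
+
 if($aFolderInfo){
 // create rss xml for folder
 $folderFeed = KTrss::arrayToXML($aFolderInfo);
@@ -121,7 +121,7 @@ if (!validateUser($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW'])) {
 }
 }else{ // else do normal rss parsing
 // get full list of subscribed documents and folders
-$aFullList = array_merge(KTrss::getDocuments($id), KTrss::getFolders($id));
+$aFullList = kt_array_merge(KTrss::getDocuments($id), KTrss::getFolders($id));
 $internalFeed = KTrss::arrayToXML($aFullList);
 echo $internalFeed;
 }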
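Review bot: In the last hunk `$aFullList` (line 124) goes straight into `KTrss::arrayToXML()` on line 125 with no emptiness check, whereas the docId and folderId branches earlier in this section guard the same call with `if($aDocumentInfo)` / `if($aFolderInfo)` and fall back to `KTrss::errorToXML()`. If `kt_array_merge` was introduced because one of the two sources can come back empty or non-array, this unguarded path is where `arrayToXML` would then read a missing `$aItems[0][0]`. Mirroring the other branches, `if ($aFullList) { echo KTrss::arrayToXML($aFullList); } else { echo KTrss::errorToXML(_kt('No subscribed documents or folders were found')); }` keeps the three paths consistent (message wording is a placeholder).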
templates/kt3/browse.smarty
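--- a/templates/kt3/minimal_page.smarty
+++ b/templates/kt3/minimal_page.smarty
@@ -76,9 +76,9 @@
 <span class="additional">{i18n}You are here{/i18n}: </span>
 {if ($page->breadcrumbSection !== false)}
 {if ($page->breadcrumbSection.url) }
-<a href="{$page->breadcrumbSection.url}" class="primary">{$page->breadcrumbSection.label}</a>
+<a href="{$page->breadcrumbSection.url}" class="primary">{$page->breadcrumbSection.label|sanitize}</a>
 {else}
-<span class="primary">{$page->breadcrumbSection.label}</span>
+<span class="primary">{$page->breadcrumbSection.label|sanitize}</span>
 {/if}
 {/if}
 {if (($page->breadcrumbSection !== false) && ($page->breadcrumbs !== false))}
@@ -97,7 +97,7 @@
 {/foreach}
 {/if}
 {if ($page->breadcrumbDetails !== false)}
-<span class="additional">({$page->breadcrumbDetails})</span>
+<span class="additional">({$page->breadcrumbDetails|sanitize})</span>
 {/if}
 </div>
 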
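Review bot: Line 79 now sanitizes the breadcrumb label but leaves `href="{$page->breadcrumbSection.url}"` on the same line unescaped, so a `"` in the section URL can still close the attribute; apply the same modifier there, `<a href="{$page->breadcrumbSection.url|sanitize}" class="primary">{$page->breadcrumbSection.label|sanitize}</a>`. Whether `sanitize` is adequate for attribute context is not visible on this page, though dashlet.smarty in this same commit applies it to a `value` attribute, so the author appears to treat it as such. The breadcrumbs `{foreach}` that ends at line 97 lies between the two hunks and is not shown, so I cannot confirm the individual crumb labels and URLs received the same treatment.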
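--- a/templates/kt3/standard_page.smarty
+++ b/templates/kt3/standard_page.smarty
@@ -142,7 +142,7 @@
 {/foreach}
 {/if}
 {if ($page->breadcrumbDetails !== false)}
-<span class="additional">({$page->breadcrumbDetails})</span>
+<span class="additional">({$page->breadcrumbDetails|sanitize})</span>
 {/if}
 </div>
 {/if}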
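--- a/templates/ktcore/folder/view_permissions.smarty
+++ b/templates/ktcore/folder/view_permissions.smarty
@@ -16,7 +16,7 @@ assigned are shown.{/i18n}</p>
 <p>
 <div class="ktInfoMessage">
 { if $inherited }
-<span>{i18n arg_permission_source=$inherited}This folder <strong>inherits</strong> its permissions from #permission_source#.{/i18n}
+<span>{i18n arg_permission_source=$inherited|sanitize}This folder <strong>inherits</strong> its permissions from #permission_source#.{/i18n}
 {if $inheritable}
 <a class="ktActionLink ktDelete"
 kt:deleteMessage="{i18n}Are you sure you wish to override the permissions?{/i18n}"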
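Review bot: Line 19 applies `|sanitize` to `$inherited` before it is handed to the `{i18n}` block as `arg_permission_source`; whether the `i18n` plugin already escapes substituted arguments is not visible on this page, and if it does, a value containing `&` will now render as the literal text `&amp;`. Worth checking the plugin once and recording the answer in the template, e.g. `{* $inherited is escaped here; {i18n} substitutes #permission_source# verbatim — confirm it does not escape args too *}`, so the next reader knows which layer owns the escaping.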