Commit a381addcf3c7aa45b4e5c1a9b7e68903eb9899d2

Authored by kevin_fourie
1 parent 91f271fb

Merged in from DEV trunk...

KTS-2178
"cross site scripting"
Implemented.

Committed By: Conrad Vermeulen
Reviewed By: Kevin Fourie

git-svn-id: https://kt-dms.svn.sourceforge.net/svnroot/kt-dms/STABLE/trunk@7001 c91229c3-7414-0410-bfa2-8a42b809f60b
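--- a/templates/kt3/browse.smarty
+++ b/templates/kt3/browse.smarty
@@ -73,7 +73,7 @@
 <legend>{i18n}Save this search{/i18n}</legend>
 <p class="descriptiveText">{i18n}To save this search permanently, so that you can run it again at any time, fill in a name below and click 'Save'.{/i18n}</p>
 <input type="hidden" name="action" value="saveSearch" />
-<input type="hidden" name="boolean_search" value="{$boolean_search}" />
+<input type="hidden" name="boolean_search" value="{$boolean_search|sanitize}" />
 {foreach item=oWidget from=$save_fields}
 {$oWidget->render()}
 {/foreach}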
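Review bot: `$boolean_search` is written into a double-quoted `value` attribute, so the `sanitize` modifier only closes this hole if it encodes `"` (and `&`, `<`, `>`); the modifier's implementation is not part of this commit, so confirm it is at least equivalent to `htmlspecialchars` with `ENT_QUOTES`. If it merely strips tags, Smarty's built-in `value="{$boolean_search|escape:'html'}"` is the safer choice for attribute context. The same attribute-context question applies to every `sanitize` use in templates/kt3/fields/lookup.smarty in this commit.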
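--- a/templates/kt3/fields/lookup.smarty
+++ b/templates/kt3/fields/lookup.smarty
@@ -10,10 +10,10 @@
 {else}
 <p class="errorMessage"></p>
 {/if}
-
+
 <select name="{$name}" {if $has_id}id="{$id}"{/if} {if $options.multi}multiple="true"{/if} {if $options.size}size="{$options.size}"{/if}>
 {foreach item=lookup key=lookup_key from=$options.vocab}
- <option value="{$lookup_key}" {if ($value == $lookup_key)}selected="selected"{/if}>{$lookup}</option>
+ <option value="{$lookup_key}" {if ($value == $lookup_key)}selected="selected"{/if}>{$lookup|sanitize}</option>
 {/foreach}
 </select>
 <input type="hidden" name="kt_core_fieldsets_expect[{$name}]" value ="1" />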
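Review bot: Only the option label on line 16 is sanitized; `$lookup_key` in the `value` attribute of the same `<option>`, and `$name`/`$id` in the `<select>` attributes on line 14 and the hidden input on line 19, are still emitted raw. If vocabulary keys or field names can carry user-supplied text (they come from `$options.vocab`, whose origin is not visible here), `value="{$lookup_key|sanitize}"` closes the remaining sink in the same loop. The first hunk line 13 change appears to be whitespace only.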
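--- a/templates/kt3/minimal_page.smarty
+++ b/templates/kt3/minimal_page.smarty
@@ -2,7 +2,7 @@
 "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
 <html>
 <head>
- <title>{$page->title} | {$page->systemName}</title>
+ <title>{$page->title|sanitize} | {$page->systemName}</title>
 
 <!-- CSS Files. -->
 {foreach item=sResourceURL from=$page->getCSSResources()}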
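Review bot: `$page->systemName` on the new line 5 is still emitted raw into `<title>`, while the adjacent `$page->title` now goes through `sanitize`; a system name containing `</title>` would break out of the element. It is presumably administrator-configured rather than end-user input, but the asymmetry is cheap to remove with `{$page->systemName|sanitize}`. The same applies to the `<title>` line in templates/kt3/standard_page.smarty, where `secondary_title` and `title` are sanitized but `systemName` is not.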
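--- a/templates/kt3/portlets/search_portlet.smarty
+++ b/templates/kt3/portlets/search_portlet.smarty
@@ -9,7 +9,7 @@
 <ul class="actionlist">
 {foreach item=oSearch from=$saved_searches}
 <li>
-{if ($oSearch->getUserId())}<a class="ktInline ktAction ktDelete" href="{"booleanSearch"|generateControllerUrl}&qs[action]=deleteSearch&qs[fSavedSearchId]={$oSearch->getId()}&qs[fFolderId]={$folder_id}&qs[fDocumentId]={$document_id}">{i18n}Delete{/i18n}</a>{/if}<a href="{"booleanSearch"|generateControllerUrl}&qs[action]=performSearch&qs[fSavedSearchId]={$oSearch->getId()}">{$oSearch->getName()}</a>
+{if ($oSearch->getUserId())}<a class="ktInline ktAction ktDelete" href="{"booleanSearch"|generateControllerUrl}&qs[action]=deleteSearch&qs[fSavedSearchId]={$oSearch->getId()}&qs[fFolderId]={$folder_id}&qs[fDocumentId]={$document_id}">{i18n}Delete{/i18n}</a>{/if}<a href="{"booleanSearch"|generateControllerUrl}&qs[action]=performSearch&qs[fSavedSearchId]={$oSearch->getId()}">{$oSearch->getName()|sanitize}</a>
 </li>
 {/foreach}
 </ul>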
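Review bot: The link text is now sanitized, but both `href` attributes on the same line still interpolate `$folder_id`, `$document_id` and `$oSearch->getId()` into the query string unescaped. Unless those values are cast to int before being assigned to the template (not visible here), `$folder_id` and `$document_id` should get `|escape:'url'`, e.g. `&qs[fFolderId]={$folder_id|escape:'url'}&qs[fDocumentId]={$document_id|escape:'url'}`. As a style point, the bare `&` separators inside `href` are not valid under the XHTML strict doctype these pages declare; `&amp;` is the correct form.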
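--- a/templates/kt3/standard_page.smarty
+++ b/templates/kt3/standard_page.smarty
@@ -2,7 +2,7 @@
 "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
 <html>
 <head>
- <title>{$page->title}{if ($page->secondary_title != null)} &mdash; {$page->secondary_title}{/if} | {$page->systemName}</title>
+ <title>{$page->title|sanitize}{if ($page->secondary_title != null)} &mdash; {$page->secondary_title|sanitize}{/if} | {$page->systemName}</title>
 
 <!-- CSS Files. -->
 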
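--- a/templates/ktcore/action/checkout_final.smarty
+++ b/templates/ktcore/action/checkout_final.smarty
@@ -3,7 +3,7 @@
 {$context->oPage->requireJSResource("thirdpartyjs/MochiKit/Iter.js")}
 {$context->oPage->requireJSResource("thirdpartyjs/MochiKit/DOM.js")}
 
-{capture assign=sLocation}action=checkout_final&fDocumentId={$context->oDocument->getId()}&reason={$reason}{/capture}
+{capture assign=sLocation}action=checkout_final&fDocumentId={$context->oDocument->getId()}&reason={$reason|escape:'url'}{/capture}
 
 {capture assign=sJavascript}
 function doCheckout () {ldelim}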
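Review bot: `escape:'url'` is the right modifier for `$reason` in query-string position, but `sLocation` is a captured string whose consumer lies outside this hunk, and the `sJavascript` capture opening on line 8 suggests it is embedded in script. Percent-encoding one parameter does not make the whole captured value safe for every context, so the use site should apply its own escaping (`{$sLocation|escape:'javascript'}` inside a script string literal, `|escape:'html'` inside an attribute) rather than relying on this line. `fDocumentId={$context->oDocument->getId()}` stays unescaped, which is only fine if `getId()` is guaranteed numeric.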
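--- a/templates/ktcore/search/administration/savedsearches.smarty
+++ b/templates/ktcore/search/administration/savedsearches.smarty
@@ -31,7 +31,7 @@ newsletters, etc.) based on a category or fieldset value.{/i18n}&lt;/p&gt;
 <tbody>
 {foreach item=oSearch from=$saved_searches}
 <tr>
- <td>{$oSearch->getName()}</td>
+ <td>{$oSearch->getName()|sanitize}</td>
 {capture assign=iUserId}{$oSearch->getUserId()}{/capture}
 <td>{if ($iUserId === '')}Global{else}{$context->_getUserName($iUserId)}{/if}</td>
 <td><a href="{addQS}action=edit&fSavedSearchId={$oSearch->getId()}{/addQS}" class="ktAction ktEdit">{i18n}Edit{/i18n}</a></td>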
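Review bot: `$context->_getUserName($iUserId)` on line 36 is output unescaped in the same row where `getName()` is now sanitized; if user display names are user-editable (the helper's return is not visible in the hunk) this is a comparable stored-XSS sink in the administration view. `{$context->_getUserName($iUserId)|sanitize}` would bring the row in line with the change on line 34. The Edit link on line 37 also interpolates `getId()` raw, which is acceptable only if the id is guaranteed numeric.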