Commit a381addcf3c7aa45b4e5c1a9b7e68903eb9899d2

Authored by kevin_fourie
1 parent 91f271fb

Merged in from DEV trunk...

KTS-2178
"cross site scripting"
Implemented.

Committed By: Conrad Vermeulen
Reviewed By: Kevin Fourie

git-svn-id: https://kt-dms.svn.sourceforge.net/svnroot/kt-dms/STABLE/trunk@7001 c91229c3-7414-0410-bfa2-8a42b809f60b
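--- a/templates/kt3/browse.smarty
+++ b/templates/kt3/browse.smarty
@@ -73,7 +73,7 @@
 <legend>{i18n}Save this search{/i18n}</legend>
 <p class="descriptiveText">{i18n}To save this search permanently, so that you can run it again at any time, fill in a name below and click 'Save'.{/i18n}</p>
 <input type="hidden" name="action" value="saveSearch" />
-<input type="hidden" name="boolean_search" value="{$boolean_search}" />
+<input type="hidden" name="boolean_search" value="{$boolean_search|sanitize}" />
 {foreach item=oWidget from=$save_fields}
 {$oWidget->render()}
 {/foreach}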
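Review bot: The `sanitize` modifier is applied inside a double-quoted `value` attribute on line 76, so it must encode `"` as well as `<`, `>` and `&` to be sufficient in that context. The modifier's implementation is outside this diff; confirm it uses `htmlspecialchars` with `ENT_QUOTES` (or an equivalent) rather than only stripping tags, since tag-stripping alone leaves a quote-based attribute break-out open. The same attribute-context question applies to the `value="{$lookup_key}"` site in lookup.smarty in this commit.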
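--- a/templates/kt3/fields/lookup.smarty
+++ b/templates/kt3/fields/lookup.smarty
@@ -10,10 +10,10 @@
 {else}
 <p class="errorMessage"></p>
 {/if}
-
+
 <select name="{$name}" {if $has_id}id="{$id}"{/if} {if $options.multi}multiple="true"{/if} {if $options.size}size="{$options.size}"{/if}>
 {foreach item=lookup key=lookup_key from=$options.vocab}
- <option value="{$lookup_key}" {if ($value == $lookup_key)}selected="selected"{/if}>{$lookup}</option>
+ <option value="{$lookup_key}" {if ($value == $lookup_key)}selected="selected"{/if}>{$lookup|sanitize}</option>
 {/foreach}
 </select>
 <input type="hidden" name="kt_core_fieldsets_expect[{$name}]" value ="1" />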
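Review bot: Only the option's display text gets `sanitize` on line 16; `value="{$lookup_key}"` on the same line, and `name="{$name}"` / `id="{$id}"` on the `<select>` above it, are still interpolated raw into attributes. The keys come from the same `$options.vocab` source as the labels, so if the labels need escaping the keys most likely do too: `<option value="{$lookup_key|sanitize}" {if ($value == $lookup_key)}selected="selected"{/if}>{$lookup|sanitize}</option>`. Whether `$name` and `$id` can ever carry user-controlled data is not visible from this hunk.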
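--- a/templates/kt3/minimal_page.smarty
+++ b/templates/kt3/minimal_page.smarty
@@ -2,7 +2,7 @@
 "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
 <html>
 <head>
- <title>{$page->title} | {$page->systemName}</title>
+ <title>{$page->title|sanitize} | {$page->systemName}</title>
 
 <!-- CSS Files. -->
 {foreach item=sResourceURL from=$page->getCSSResources()}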
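Review bot: `{$page->systemName}` on the same `<title>` line is left unescaped while `title` now gets `sanitize`; if the system name is configurable through the admin UI it is rendered in the same context and should receive the same treatment, `<title>{$page->title|sanitize} | {$page->systemName|sanitize}</title>`. The `<title>` hunk in standard_page.smarty in this commit has the same gap. Where `systemName` is sourced from is not visible in this diff.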
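--- a/templates/kt3/portlets/search_portlet.smarty
+++ b/templates/kt3/portlets/search_portlet.smarty
@@ -9,7 +9,7 @@
 <ul class="actionlist">
 {foreach item=oSearch from=$saved_searches}
 <li>
-{if ($oSearch->getUserId())}<a class="ktInline ktAction ktDelete" href="{"booleanSearch"|generateControllerUrl}&qs[action]=deleteSearch&qs[fSavedSearchId]={$oSearch->getId()}&qs[fFolderId]={$folder_id}&qs[fDocumentId]={$document_id}">{i18n}Delete{/i18n}</a>{/if}<a href="{"booleanSearch"|generateControllerUrl}&qs[action]=performSearch&qs[fSavedSearchId]={$oSearch->getId()}">{$oSearch->getName()}</a>
+{if ($oSearch->getUserId())}<a class="ktInline ktAction ktDelete" href="{"booleanSearch"|generateControllerUrl}&qs[action]=deleteSearch&qs[fSavedSearchId]={$oSearch->getId()}&qs[fFolderId]={$folder_id}&qs[fDocumentId]={$document_id}">{i18n}Delete{/i18n}</a>{/if}<a href="{"booleanSearch"|generateControllerUrl}&qs[action]=performSearch&qs[fSavedSearchId]={$oSearch->getId()}">{$oSearch->getName()|sanitize}</a>
 </li>
 {/foreach}
 </ul>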
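Review bot: The link text is now sanitized, but `{$folder_id}` and `{$document_id}` on the same line are interpolated raw into the delete link's `href`; if either is taken from the request it is reflected into an attribute with no encoding at all. The `|escape:'url'` modifier this commit introduces in checkout_final.smarty is the matching fix for query-string values, e.g. `&qs[fFolderId]={$folder_id|escape:'url'}&qs[fDocumentId]={$document_id|escape:'url'}`. Whether these ids are validated as integers before reaching the template is not visible here.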
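--- a/templates/kt3/standard_page.smarty
+++ b/templates/kt3/standard_page.smarty
@@ -2,7 +2,7 @@
 "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
 <html>
 <head>
- <title>{$page->title}{if ($page->secondary_title != null)} &mdash; {$page->secondary_title}{/if} | {$page->systemName}</title>
+ <title>{$page->title|sanitize}{if ($page->secondary_title != null)} &mdash; {$page->secondary_title|sanitize}{/if} | {$page->systemName}</title>
 
 <!-- CSS Files. -->
 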
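--- a/templates/ktcore/action/checkout_final.smarty
+++ b/templates/ktcore/action/checkout_final.smarty
@@ -3,7 +3,7 @@
 {$context->oPage->requireJSResource("thirdpartyjs/MochiKit/Iter.js")}
 {$context->oPage->requireJSResource("thirdpartyjs/MochiKit/DOM.js")}
 
-{capture assign=sLocation}action=checkout_final&fDocumentId={$context->oDocument->getId()}&reason={$reason}{/capture}
+{capture assign=sLocation}action=checkout_final&fDocumentId={$context->oDocument->getId()}&reason={$reason|escape:'url'}{/capture}
 
 {capture assign=sJavascript}
 function doCheckout () {ldelim}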
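Review bot: URL-encoding `$reason` is the right escape for a query-string value, but `sLocation` is consumed outside this hunk; if it is embedded as a string literal inside the `sJavascript` capture that starts on line 8, confirm that the raw `&` separators and the encoded value cannot break out of the JS quoting at that point (a second, context-specific escape may be needed there). `{$context->oDocument->getId()}` on the same line stays unencoded, which is only safe if that id is guaranteed numeric. The `sJavascript` capture continues past the end of the hunk.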
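--- a/templates/ktcore/search/administration/savedsearches.smarty
+++ b/templates/ktcore/search/administration/savedsearches.smarty
@@ -31,7 +31,7 @@ newsletters, etc.) based on a category or fieldset value.{/i18n}&lt;/p&gt;
 <tbody>
 {foreach item=oSearch from=$saved_searches}
 <tr>
- <td>{$oSearch->getName()}</td>
+ <td>{$oSearch->getName()|sanitize}</td>
 {capture assign=iUserId}{$oSearch->getUserId()}{/capture}
 <td>{if ($iUserId === '')}Global{else}{$context->_getUserName($iUserId)}{/if}</td>
 <td><a href="{addQS}action=edit&fSavedSearchId={$oSearch->getId()}{/addQS}" class="ktAction ktEdit">{i18n}Edit{/i18n}</a></td>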
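Review bot: `{$context->_getUserName($iUserId)}` on line 36 of this hunk is output unescaped while the search name in the cell beside it is now sanitized; a user's display name is user-supplied data rendered in the same table context, so it warrants the same modifier, `{$context->_getUserName($iUserId)|sanitize}`. Whether `_getUserName` already escapes its return value is not visible in this diff, so the modifier should be added unless that is confirmed. The raw `&` in the edit link's `href` on line 37 is an XHTML validity issue rather than a security one.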