From dda53eead84ea1f5fd0136d69ad95c617a84cd6a Mon Sep 17 00:00:00 2001 From: conradverm Date: Fri, 13 Jul 2007 15:05:16 +0000 Subject: [PATCH] KTS-2178 "cross site scripting" Updated. --- plugins/rssplugin/KTrss.inc.php | 166 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++----------------------------------------------------------------------------------- 1 file changed, 83 insertions(+), 83 deletions(-) diff --git a/plugins/rssplugin/KTrss.inc.php b/plugins/rssplugin/KTrss.inc.php index fd406c3..1cfb75f 100644 --- a/plugins/rssplugin/KTrss.inc.php +++ b/plugins/rssplugin/KTrss.inc.php @@ -4,7 +4,7 @@ * License Version 1.1.2 ("License"); You may not use this file except in * compliance with the License. You may obtain a copy of the License at * http://www.knowledgetree.com/KPL - * + * * Software distributed under the License is distributed on an "AS IS" * basis, WITHOUT WARRANTY OF ANY KIND, either express or implied. * See the License for the specific language governing rights and @@ -15,9 +15,9 @@ * (ii) the KnowledgeTree copyright notice * in the same form as they appear in the distribution. See the License for * requirements. - * + * * The Original Code is: KnowledgeTree Open Source - * + * * The Initial Developer of the Original Code is The Jam Warehouse Software * (Pty) Ltd, trading as KnowledgeTree. * Portions created by The Jam Warehouse Software (Pty) Ltd are Copyright @@ -52,7 +52,7 @@ class KTrss{ $sQuery = "SELECT id, url, title FROM plugin_rss WHERE user_id = ?"; $aParams = array($iUserId); $aFeeds = DBUtil::getResultArray(array($sQuery, $aParams)); - + if (PEAR::isError($aFeeds)) { // XXX: log error return false; @@ -61,7 +61,7 @@ class KTrss{ return $aFeeds; } } - + // Gets full listing of data of documents and folders subscribed to function getInternalFeed($iUserId){ $documents=KTrss::getDocuments($iUserId); 
@@ -75,13 +75,13 @@ class KTrss{ } return $response; } - + // Get list of document subscriptions function getDocumentList($iUserId){ $sQuery = "SELECT document_id as id FROM document_subscriptions WHERE user_id = ?"; $aParams = array($iUserId); $aDocumentList = DBUtil::getResultArrayKey(array($sQuery, $aParams), 'id'); - + if (PEAR::isError($aDocumentList)) { // XXX: log error return false; @@ -90,13 +90,13 @@ class KTrss{ return $aDocumentList; } } - + // Get list of folder subscriptions function getFolderList($iUserId){ $sQuery = "SELECT folder_id as id, is_tree as tree FROM folder_subscriptions WHERE user_id = ?"; $aParams = array($iUserId); $aFolderList = DBUtil::getResultArray(array($sQuery, $aParams)); - + if (PEAR::isError($aFolderList)) { // XXX: log error return false; @@ -105,14 +105,14 @@ class KTrss{ return $aFolderList; } } - + // Get data for all documents subscribed to function getDocuments($iUserId){ $aDList = KTrss::getDocumentList($iUserId); if($aDList){ foreach($aDList as $document_id){ $document = KTrss::getOneDocument($document_id, $iUserId); - if($document){ + if($document){ $aDocuments[] = $document; } } @@ -125,7 +125,7 @@ class KTrss{ return $aDocuments; } } - + // Get data for all folders subscribed to function getFolders($iUserId){ $aFList = KTrss::getFolderList($iUserId); @@ -139,7 +139,7 @@ class KTrss{ } } } - + if (PEAR::isError($aFolders)) { // XXX: log error return false; @@ -148,13 +148,13 @@ class KTrss{ return $aFolders; } } - + function getChildrenFolderTransactions($iParentFolderId, $depth = '1'){ if($depth == '1'){ $sQuery = "SELECT id from folders WHERE parent_folder_ids LIKE ?"; $aParams = array('%'.$iParentFolderId); }//else - + $aFolderList = DBUtil::getResultArray(array($sQuery, $aParams)); if (PEAR::isError($aFolderList)) { // XXX: log error 
@@ -162,7 +162,7 @@ class KTrss{ } if ($aFolderList) { foreach($aFolderList as $folderElement){ - $folder_id = $folderElement['id']; + $folder_id = $folderElement['id']; $aFolderTransactions = array_merge($aFolderTransactions, KTrss::getFolderTransactions($folder_id)); } } @@ -170,13 +170,13 @@ class KTrss{ return $aFolderTransactions; } } - + function getChildrenDocumentTransactions($iParentFolderId, $depth = '1'){ if($depth == '1'){ $sQuery = "SELECT id from documents WHERE parent_folder_ids LIKE ? "; $aParams = array('%'.$iParentFolderId); }//else - + $aDocumentList = DBUtil::getResultArray(array($sQuery, $aParams)); if (PEAR::isError($aDocumentList)) { @@ -185,7 +185,7 @@ class KTrss{ } if ($aDocumentList) { foreach($aDocumentList as $documentElement){ - $document_id = $documentElement['id']; + $document_id = $documentElement['id']; $aDocumentTransactions = array_merge($aDocumentTransactions, KTrss::getDocumentTransactions($document_id)); } } @@ -193,19 +193,19 @@ class KTrss{ return $aDocumentTransactions; } } - + // get information on document function getOneDocument($iDocumentId, $iUserId){ $aDData = KTrss::getDocumentData($iUserId, $iDocumentId); $aDTransactions = KTrss::getDocumentTransactions($iDocumentId); if($aDData){ $aDData['itemType'] = 'document'; - + // create mime info $aMimeInfo = KTrss::getMimeTypeInfo($iUserId, $iDocumentId); $aDData['mimeTypeFName'] = $aMimeInfo['typeFName']; $aDData['mimeTypeIcon'] = $aMimeInfo['typeIcon']; - + $aDocument[] = $aDData; $aDocument[] = $aDTransactions; } 
@@ -216,33 +216,33 @@ class KTrss{ return $aDocument; } } - + // get information for folder function getOneFolder($iFolderId){ $aFData = KTrss::getFolderData($iFolderId); $aFTransactions = array_merge(KTrss::getChildrenFolderTransactions($iFolderId), KTrss::getFolderTransactions($iFolderId)); $aFTransactions = array_merge($aFTransactions, KTrss::getChildrenDocumentTransactions($iFolderId)); - + $code = 'if (strtotime($a[datetime]) == strtotime($b[datetime])){ return 0; } return (strtotime($a[datetime]) > strtotime($b[datetime])) ? -1 : 1;'; - + $compare = create_function('$a,$b', $code); - + usort($aFTransactions, $compare); for($i=0; $i<4; $i++){ $aFTransactions_new[] = $aFTransactions[$i]; } $aFTransactions = $aFTransactions_new; - + if($aFData){ $aFData['itemType'] = 'folder'; - + // create mime info $aFData['mimeTypeFName'] = 'Folder'; $aFData['mimeTypeIcon'] = KTrss::getFolderIcon(); - + $aFolder[] = $aFData; $aFolder[] = $aFTransactions; $aFolderBox[] = $aFolder; @@ -254,7 +254,7 @@ class KTrss{ return $aFolder; } } - + // Takes in an array as a parameter and returns rss2.0 compatible xml function arrayToXML($aItems){ // Build path to host @@ -282,7 +282,7 @@ class KTrss{ $sTypeSelect = 'document.transactionhistory&fDocumentId'; } $feed .= "\n" . - "".$aItems[0][0][name]."\n" . + "".htmlentities($aItems[0][0][name],ENT_QUOTES, 'UTF-8')."\n" . "".$hostPath."action.php?kt_path_info=ktcore.actions.".$sTypeSelect."=".$aItems[0][0]['id']."\n" . "\n" . "<table border='0' width='90%'>\n". 
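Review bot: The title escaped on the changed line of the @@ -282 hunk uses `htmlentities(..., ENT_QUOTES, 'UTF-8')`, but per the function's own comment this output is RSS 2.0 XML, and `htmlentities` emits HTML named entities (for example `&eacute;`) that have no definition in XML, so a non-ASCII title can make the feed unparseable even though markup injection is now blocked. `htmlspecialchars($aItems[0][0]['name'], ENT_QUOTES, 'UTF-8')` escapes only the five XML-significant characters and neutralises script injection just as well. The key is written as the bare word `[name]` (an undefined constant that PHP resolves to a string with a notice, and a fatal error on PHP 8), so quote it as `['name']`; the same pattern recurs in the hunks that follow. The `id` interpolated into the link on the next line stays unescaped — presumably an integer from the database, but worth confirming at the caller since the surrounding tags are not visible here.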
@@ -291,14 +291,14 @@ class KTrss{ "<a href='".$hostPath."action.php?kt_path_info=ktcore.actions.".$sTypeSelect."=".$aItems[0][0][id]."' ><img src='".$aItems[0][mimeTypeIcon]."' align='left' height='16px' width='16px' alt='' border='0' /></a>" . "</td>\n". "<td align='left'> ".$aItems[0][mimeTypeFName]."</td>\n". - "</tr>\n". + "</tr>\n". "<tr>\n". "<td colspan='2'>\n". ucfirst($aItems[0]['itemType'])." Information (ID: ".$aItems[0][0][id].")</>\n". "<hr>\n". "<table width='95%'>\n". "<tr>\n". - "<td>Filename: ".$aItems[0][0][filename]."</td>\n". + "<td>Filename: ".str_replace('&','&',htmlentities($aItems[0][0][filename],ENT_QUOTES, 'UTF-8'))."</td>\n". "<td>\n". "</tr>\n". "<tr>\n". @@ -326,11 +326,11 @@ class KTrss{ foreach($aItems[1] as $item){ $feed .= "<tr>\n". "<td>".$item[type]." name:</td>\n". - "<td>".$item[name]."</td>\n". + "<td>".str_replace('&','&',htmlentities($item[name],ENT_QUOTES, 'UTF-8'))."</td>\n". "</tr>\n". "<tr>\n". "<td>Path:</td>\n". - "<td>".$item[fullpath]."</td>\n". + "<td>".str_replace('&','&',htmlentities($item[fullpath],ENT_QUOTES, 'UTF-8'))."</td>\n". "</tr>\n". "<tr>\n". "<td>Transaction:</td>\n". @@ -338,7 +338,7 @@ class KTrss{ "</tr>\n". "<tr>\n". "<td>Comment:</td>\n". - "<td>".$item[comment]."</td>\n". + "<td>".str_replace('&','&',htmlentities($item[comment],ENT_QUOTES, 'UTF-8'))."</td>\n". "</tr>\n". "<tr>\n";if($item[version]){ $feed .= "<td>Version:</td>\n". @@ -354,7 +354,7 @@ class KTrss{ "</tr>\n". "<tr>\n". "<td colspan='2'><hr width='100' align='left'></td>\n". - "</tr>\n";} + "</tr>\n";} $feed .= "</table>\n". "</td>\n". "</tr>\n". @@ -364,10 +364,10 @@ class KTrss{ } $feed .= "\n" . "\n"; - - return $feed; + + return $feed; } - + // Takes in an array as a parameter and returns rss2.0 compatible xml function errorToXML($sError){ // Build path to host 
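Review bot: In the @@ -291 hunk the Filename cell is escaped with `htmlentities` and then passed through `str_replace('&','&', …)`, which as shown replaces `&` with itself and does nothing; if the intended call was undoing the `&amp;` that `htmlentities` produces (the patch text may have been entity-decoded in transit), it reintroduces a raw `&` into the XML output and breaks the escaping of values such as `&lt;`. Either drop the wrapper or state its purpose, e.g. `// htmlentities output is emitted verbatim; the feed reader decodes it once`. The same construct appears in the @@ -326 hunk (name, fullpath) and the @@ -338 hunk (comment). Within the same hunk `$aItems[0][mimeTypeFName]` and `$aItems[0][mimeTypeIcon]` (inside a `src` attribute) and, in @@ -326, `$item[type]` are still concatenated unescaped; they appear to come from controlled sources (the mime lookup, and the literal `'Document' AS type` / `'Folder' AS type` selected in the @@ -598 and @@ -616 hunks), but escaping them uniformly costs nothing and removes the need to reason about each one.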
@@ -394,21 +394,21 @@ class KTrss{ "\n"; $feed .= "\n" . "\n"; - - return $feed; + + return $feed; } - + // Delete feed function function deleteFeed($iFeedId){ $res = DBUtil::autoDelete('plugin_rss', $iFeedId); } - + // Get title for external feed function getExternalFeedTitle($iFeedId){ $sQuery = "SELECT title FROM plugin_rss WHERE id = ?"; $aParams = array($iFeedId); $sFeedTitle = DBUtil::getOneResultKey(array($sQuery, $aParams), 'title'); - + if (PEAR::isError($sFeedTitle)) { // XXX: log error return false; @@ -417,13 +417,13 @@ class KTrss{ return $sFeedTitle; } } - + // Get url for external feed function getExternalFeedUrl($iFeedId){ $sQuery = "SELECT url FROM plugin_rss WHERE id = ?"; $aParams = array($iFeedId); $sFeedUrl = DBUtil::getOneResultKey(array($sQuery, $aParams), 'url'); - + if (PEAR::isError($sFeedUrl)) { // XXX: log error return false; @@ -432,16 +432,16 @@ class KTrss{ return $sFeedUrl; } } - + // Update external feed data function updateFeed($iFeedId, $sFeedTitle, $sFeedUrl){ $sQuery = "UPDATE plugin_rss SET title=?, url=? WHERE id=?"; $aParams = array($sFeedTitle, $sFeedUrl, $iFeedId); $res = DBUtil::runQuery(array($sQuery, $aParams)); - + return $res; } - + // Create new external feed function createFeed($sFeedTitle, $sFeedUrl, $iUserId){ $aParams = array( 
@@ -453,59 +453,59 @@ class KTrss{ return $res; } - + // Function to validate that a user has permissions for a specific document function validateDocumentPermissions($iUserId, $iDocumentId){ // check if user id is in session. If not, set it if(!isset($_SESSION["userID"])){ - $_SESSION['userID'] = $iUserId; + $_SESSION['userID'] = $iUserId; } // get document object $oDocument =& Document::get($iDocumentId); if (PEAR::isError($oDocument)) { return false; } - + // check permissions for document if(Permission::userHasDocumentReadPermission($oDocument)){ - return true; + return true; }else{ return false; } } - + // Function to validate that a user has permissions for a specific folder function validateFolderPermissions($iUserId, $iFolderId){ // check if user id is in session. If not, set it if(!isset($_SESSION["userID"])){ - $_SESSION['userID'] = $iUserId; + $_SESSION['userID'] = $iUserId; } // get folder object $oFolder = Folder::get($iFolderId); if (PEAR::isError($oFolder)) { return false; } - + // check permissions for folder if(Permission::userHasFolderReadPermission($oFolder)){ - return true; + return true; }else{ return false; } } - + // get icon link for rss function getRssLinkIcon(){ // built server path global $default; $sHostPath = "http" . ($default->sslEnabled ? "s" : "") . "://".$_SERVER['HTTP_HOST']."/".$GLOBALS['KTRootUrl']."/"; - + // create image $icon = "RSS"; - + return $icon; } - + // get rss link for a document/folder function getRssLink($iItemId, $sItemType){ $item = strToLower($sItemType); 
@@ -514,34 +514,34 @@ class KTrss{ }else if($item == 'document'){ $sItemParameter = '?docId'; } - + // built server path global $default; $sHostPath = "http" . ($default->sslEnabled ? "s" : "") . "://" . $_SERVER['HTTP_HOST']; - + // build link $sLink = $sHostPath.KTBrowseUtil::buildBaseUrl('rss').$sItemParameter.'='.$iItemId; - + return $sLink; } - + // get rss icon link function getImageLink($iItemId, $sItemType){ return "".KTrss::getRssLinkIcon().""; } - + // get the mime type id for a document function getDocumentMimeTypeId($iUserId, $iDocumentId){ if(!isset($_SESSION["userID"])){ - $_SESSION['userID'] = $iUserId; + $_SESSION['userID'] = $iUserId; } // get document object $oDocument =& Document::get($iDocumentId); - + $docMime = $oDocument->getMimeTypeID(); return $docMime; } - + // get mime information for a document function getMimeTypeInfo($iUserId, $iDocumentId){ global $default; 
@@ -549,27 +549,27 @@ class KTrss{ $mimeinfo['typeName'] = KTMime::getMimeTypeName($mimeinfo['typeId']); // mime type name $mimeinfo['typeFName'] = KTMime::getFriendlyNameForString($mimeinfo['typeName']); // mime type friendly name $mimeinfo['typeIcon'] = "http" . ($default->sslEnabled ? "s" : "") . "://".$_SERVER['HTTP_HOST']."/".$GLOBALS['KTRootUrl']."/resources/mimetypes/".KTMime::getIconPath($mimeinfo['typeId']).".png"; //icon path - + return $mimeinfo; } - + // get the default folder icon function getFolderIcon(){ global $default; return $mimeinfo['typeIcon'] = "http" . ($default->sslEnabled ? "s" : "") . "://".$_SERVER['HTTP_HOST']."/".$GLOBALS['KTRootUrl']."/thirdparty/icon-theme/16x16/mimetypes/x-directory-normal.png"; //icon path } - + // get a document information function getDocumentData($iUserId, $iDocumentId){ if(!isset($_SESSION["userID"])){ - $_SESSION['userID'] = $iUserId; + $_SESSION['userID'] = $iUserId; } // get document object $oDocument =& Document::get($iDocumentId); - + $cv = $oDocument->getContentVersionId(); $mv = $oDocument->getMetadataVersionId(); - + $sQuery = "SELECT dcv.document_id AS id, dmver.name AS name, dcv.filename AS filename, c.name AS author, o.name AS owner, dtl.name AS type, dwfs.name AS workflow_status " . "FROM documents AS d LEFT JOIN document_content_version AS dcv ON d.id = dcv.document_id " . "LEFT JOIN users AS o ON d.owner_id = o.id " . @@ -582,14 +582,14 @@ class KTrss{ "AND dmver.id = ? " . "AND dcv.id = ? " . "LIMIT 1"; - + $aParams = array($iDocumentId, $mv, $cv); $aDocumentData = DBUtil::getResultArray(array($sQuery, $aParams)); if($aDocumentData){ return $aDocumentData; } } - + // get a folder information function getFolderData($iFolderId){ $sQuery = "SELECT f.id AS id, f.name AS name, f.name AS filename, c.name AS author, o.name AS owner, f.description AS description " . 
@@ -598,14 +598,14 @@ class KTrss{ "LEFT JOIN users AS c ON f.creator_id = c.id " . "WHERE f.id = ? " . "LIMIT 1"; - + $aParams = array($iFolderId); $aFolderData = DBUtil::getResultArray(array($sQuery, $aParams)); if($aFolderData){ return $aFolderData; } } - + // get a listing of the latest 3 transactions for a document function getDocumentTransactions($iDocumentId){ $sQuery = "SELECT DT.datetime AS datetime, 'Document' AS type, DMV.name, D.full_path AS fullpath, DTT.name AS transaction_name, U.name AS user_name, DT.version AS version, DT.comment AS comment " . @@ -616,14 +616,14 @@ class KTrss{ "WHERE DT.document_id = ? " . "ORDER BY DT.datetime DESC " . "LIMIT 4"; - + $aParams = array($iDocumentId); $aDocumentTransactions = DBUtil::getResultArray(array($sQuery, $aParams)); if($aDocumentTransactions){ return $aDocumentTransactions; } } - + // Get a listing of the latest 3 transactions for a folder function getFolderTransactions($iFolderId){ $sQuery = "SELECT FT.datetime AS datetime, 'Folder' AS type, F.name, F.full_path AS fullpath, DTT.name AS transaction_name, U.name AS user_name, FT.comment AS comment " . @@ -633,7 +633,7 @@ class KTrss{ "WHERE FT.folder_id = ? " . "ORDER BY FT.datetime DESC " . "LIMIT 4"; - + $aParams = array($iFolderId); $aFolderTransactions = DBUtil::getResultArray(array($sQuery, $aParams)); if($iFolderId){ -- libgit2 0.21.4