N°7730 - code hardening

Eric Espie
2024-08-19 15:15:22 +02:00
parent 37cd12fb21
commit b7d14ca48e
3 changed files with 20 additions and 6 deletions


@@ -706,7 +706,7 @@ class DisplayBlock
if ($bDoSearch) if ($bDoSearch)
{ {
// Keep the table_id identifying this table if we're performing a search // Keep the table_id identifying this table if we're performing a search
$sTableId = utils::ReadParam('_table_id_', null, false, 'raw_data'); $sTableId = utils::ReadParam('_table_id_', null, false, utils::ENUM_SANITIZATION_FILTER_ELEMENT_IDENTIFIER);
if ($sTableId != null) if ($sTableId != null)
{ {
$aExtraParams['table_id'] = $sTableId; $aExtraParams['table_id'] = $sTableId;
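Review bot: The `if ($sTableId != null)` guard on the line after the changed `ReadParam` call now also has to cope with a rejected value, since the `element_identifier` filter in this same commit ends with a `filter_var(..., FILTER_VALIDATE_REGEXP)` that yields `false` (not `''`) when the stripped value does not match; it is only the loose `!=` that keeps `false` out of `$aExtraParams['table_id']`. If `ReadParam` hands that `false` through unchanged (its body is not in this diff), make the intent explicit rather than relying on loose comparison: `if (is_string($sTableId) && $sTableId !== '')`. The enclosing method of `DisplayBlock` starts and ends outside the hunk.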


@@ -113,6 +113,11 @@ class utils
* @since 2.7.10 3.0.0 * @since 2.7.10 3.0.0
*/ */
public const ENUM_SANITIZATION_FILTER_ELEMENT_IDENTIFIER = 'element_identifier'; public const ENUM_SANITIZATION_FILTER_ELEMENT_IDENTIFIER = 'element_identifier';
/**
* @var string For XML / HTML node id selector
* @since 3.1.2 3.2.1
*/
public const ENUM_SANITIZATION_FILTER_ELEMENT_ID_SELECTOR = 'element_id_selector';
/** /**
* @var string For variables names * @var string For variables names
* @since 3.0.0 * @since 3.0.0
@@ -497,8 +502,17 @@ class utils
} }
break; break;
// For XML / HTML node identifiers
case static::ENUM_SANITIZATION_FILTER_ELEMENT_IDENTIFIER: case static::ENUM_SANITIZATION_FILTER_ELEMENT_IDENTIFIER:
$retValue = preg_replace('/[^a-zA-Z0-9_-]/', '', $value); $retValue = preg_replace('/[^a-zA-Z0-9_-]/', '', $value);
$retValue = filter_var($retValue, FILTER_VALIDATE_REGEXP,
['options' => ['regexp' => '/^[A-Za-z0-9][A-Za-z0-9_-]*$/']]);
break;
// For XML / HTML node id selector
case static::ENUM_SANITIZATION_FILTER_ELEMENT_ID_SELECTOR:
$retValue = filter_var($value, FILTER_VALIDATE_REGEXP,
['options' => ['regexp' => '/^[#\.][A-Za-z0-9][A-Za-z0-9_-]*$/']]);
break; break;
case static::ENUM_SANITIZATION_FILTER_VARIABLE_NAME: case static::ENUM_SANITIZATION_FILTER_VARIABLE_NAME:
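Review bot: The new `ELEMENT_ID_SELECTOR` pattern uses `$` as its end anchor, and in PCRE a bare `$` also matches just before a trailing newline, so `"#foo\n"` passes this case untouched (unlike `ELEMENT_IDENTIFIER`, nothing is stripped first here). Anchor with `\z` or add the `D` modifier: `'/^[#\.][A-Za-z0-9][A-Za-z0-9_-]*\z/'`, and do the same in the identifier pattern for consistency. Both new branches also return `false` from `filter_var` on rejection, where the other filters in this switch hand back a (possibly empty) string; the docblock of `ENUM_SANITIZATION_FILTER_ELEMENT_ID_SELECTOR` should say so, e.g. `Rejected values are returned as false, not as an empty string`, and since the regex admits a leading `.` as well as `#`, "id selector" should read "id or class selector". The `switch` continues outside the hunk.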


@@ -782,12 +782,12 @@ try
$sClass = utils::ReadParam('className', '', false, 'class'); $sClass = utils::ReadParam('className', '', false, 'class');
$sRootClass = utils::ReadParam('baseClass', '', false, 'class'); $sRootClass = utils::ReadParam('baseClass', '', false, 'class');
$currentId = utils::ReadParam('currentId', ''); $currentId = utils::ReadParam('currentId', '');
$sTableId = utils::ReadParam('_table_id_', null, false, 'raw_data'); $sTableId = utils::ReadParam('_table_id_', null, false, utils::ENUM_SANITIZATION_FILTER_ELEMENT_IDENTIFIER);
$sAction = utils::ReadParam('action', ''); $sAction = utils::ReadParam('action', '');
$sSelectionMode = utils::ReadParam('selection_mode', null, false, 'raw_data'); $sSelectionMode = utils::ReadParam('selection_mode');
$sResultListOuterSelector = utils::ReadParam('result_list_outer_selector', null, false, 'raw_data'); $sResultListOuterSelector = utils::ReadParam('result_list_outer_selector', null,false, utils::ENUM_SANITIZATION_FILTER_ELEMENT_IDENTIFIER); // actually an Id not a selector
$scssCount = utils::ReadParam('css_count', null, false, 'raw_data'); $scssCount = utils::ReadParam('css_count', null,false,utils::ENUM_SANITIZATION_FILTER_ELEMENT_ID_SELECTOR);
$sTableInnerId = utils::ReadParam('table_inner_id', $sTableId, false, 'raw_data'); $sTableInnerId = utils::ReadParam('table_inner_id', null,false, utils::ENUM_SANITIZATION_FILTER_ELEMENT_IDENTIFIER);
$oFilter = new DBObjectSearch($sClass); $oFilter = new DBObjectSearch($sClass);
$oSet = new CMDBObjectSet($oFilter); $oSet = new CMDBObjectSet($oFilter);
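Review bot: The `table_inner_id` line changes more than the sanitization filter: its default moves from `$sTableId` to `null`, so a request without `table_inner_id` no longer falls back to the `_table_id_` value the way it did before. If that fallback was not meant to go, keep it while still applying the new filter: `$sTableInnerId = utils::ReadParam('table_inner_id', $sTableId, false, utils::ENUM_SANITIZATION_FILTER_ELEMENT_IDENTIFIER);`; if the drop is intentional, the commit message ("code hardening") should say so. Note also that with the new filters `$sTableId`, `$sResultListOuterSelector`, `$scssCount` and `$sTableInnerId` come back as `false` rather than `null` when the value is rejected, which matters wherever they are later compared with `=== null`. The enclosing `try` block continues outside the hunk.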