composer/iTop
6
0
Fork 0
mirror of https://github.com/Combodo/iTop.git synced 2026-05-01 22:48:45 +02:00
Code Issues Packages Projects Releases Wiki Activity

More fixes for Trac#446: XSS vulnerabilities with vectors containing double quotes

Browse Source 
SVN:trunk[1563]
This commit is contained in:
Denis Flaven
2011-09-08 13:21:32 +00:00
parent 205e80f8a5
commit c4db9cd84e
17 changed files with 54 additions and 37 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
application/displayblock.class.inc.php
View File

@@ -1034,7 +1034,7 @@ class HistoryBlock extends DisplayBlock
$aValues = array();
foreach($aChanges as $aChange)
{
$aValues[] = array('date' => $aChange['date'], 'userinfo' => $aChange['userinfo'], 'log' => "<ul><li>".implode('</li><li>', $aChange['log'])."</li></ul>");
$aValues[] = array('date' => $aChange['date'], 'userinfo' => htmlentities($aChange['userinfo']), 'log' => "<ul><li>".implode('</li><li>', $aChange['log'])."</li></ul>");
}
$sHtml .= $oPage->GetTable($aAttribs, $aValues);
return $sHtml;
@@ -1135,7 +1135,7 @@ class MenuBlock extends DisplayBlock
$this->AddMenuSeparator($aActions);
// Static menus: Email this page & CSV Export
$sUrl = ApplicationContext::MakeObjectUrl($sClass, $id);
$aActions['UI:Menu:EMail'] = array ('label' => Dict::S('UI:Menu:EMail'), 'url' => "mailto:?subject=".$oObj->GetName()."&body=".urlencode($sUrl));
$aActions['UI:Menu:EMail'] = array ('label' => Dict::S('UI:Menu:EMail'), 'url' => "mailto:?subject=".urlencode($oObj->GetRawName())."&body=".urlencode($sUrl));
$aActions['UI:Menu:CSVExport'] = array ('label' => Dict::S('UI:Menu:CSVExport'), 'url' => "{$sRootUrl}pages/$sUIPage?operation=search&filter=$sFilter&format=csv{$sContext}");
}
$this->AddMenuSeparator($aActions);