composer/iTop
6
0
Fork 0
mirror of https://github.com/Combodo/iTop.git synced 2026-04-21 01:28:47 +02:00
Code Issues Packages Projects Releases Wiki Activity

More fixes for Trac#446: XSS vulnerabilities with vectors containing double quotes

Browse Source 
SVN:trunk[1563]
This commit is contained in:
Denis Flaven
2011-09-08 13:21:32 +00:00
parent 205e80f8a5
commit c4db9cd84e
17 changed files with 54 additions and 37 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
application/ui.extkeywidget.class.inc.php
View File

@@ -133,7 +133,7 @@ class UIExtKeyWidget
$aAllowedValues = array();
while($oObj = $oAllowedValues->Fetch())
{
$aAllowedValues[$oObj->GetKey()] = $oObj->Get('friendlyname');
$aAllowedValues[$oObj->GetKey()] = $oObj->GetName();
}
$sHTMLValue = $oPage->GetRadioButtons($aAllowedValues, $value, $this->iId, "{$sAttrFieldPrefix}{$sFieldName}", $bMandatory, $bVertical, $sValidationField);
$aEventsList[] ='change';
@@ -159,7 +159,7 @@ class UIExtKeyWidget
while($oObj = $oAllowedValues->Fetch())
{
$key = $oObj->GetKey();
$display_value = $oObj->Get('friendlyname');
$display_value = $oObj->GetName();
if (($oAllowedValues->Count() == 1) && ($bMandatory == 'true') )
{
@@ -326,11 +326,11 @@ EOF
{
throw new Exception('Implementation: null value for allowed values definition');
}
$oValuesSet = new ValueSetObjects($sFilter);
$oValuesSet = new ValueSetObjects($sFilter, 'friendlyname'); // Bypass GetName() to avoid the encoding by htmlentities
$aValues = $oValuesSet->GetValues(array('this' => $oObj), $sContains);
foreach($aValues as $sKey => $sFriendlyName)
{
$oP->add(trim($sFriendlyName)."|".$sKey."\n");
$oP->add(trim($sFriendlyName)."\t".$sKey."\n");
}
}