From c8f3d23d30c018bc44189b38fa34a5fffb4edb22 Mon Sep 17 00:00:00 2001
From: acognet
Date: Tue, 19 Oct 2021 11:08:47 +0200
Subject: [PATCH] =?UTF-8?q?N=C2=B04361=20-=20XSS=20in=20csvimport=20on=20d?=
 =?UTF-8?q?evelop?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 pages/csvimport.php | 10 ++++------
 1 file changed, 4 insertions(+), 6 deletions(-)
diff --git a/pages/csvimport.php b/pages/csvimport.php
index d3a8c7e5d..2cb3e0fb5 100644
--- a/pages/csvimport.php
+++ b/pages/csvimport.php
@@ -233,8 +233,7 @@ try {
 {
 $sClassName = utils::ReadParam('class_name', '', false, 'class');
 // Class access right check for the import
- if (UserRights::IsActionAllowed($sClassName, UR_ACTION_MODIFY) == UR_ALLOWED_NO)
- {
+ if (UserRights::IsActionAllowed($sClassName, UR_ACTION_MODIFY) == UR_ALLOWED_NO) {
 throw new CoreException(Dict::S('UI:ActionNotAllowed'));
 }
@@ -245,8 +244,7 @@ try {
 $sTextQualifier = utils::ReadParam('text_qualifier', '"', false, 'raw_data');
 $bHeaderLine = (utils::ReadParam('header_line', '0') == 1);
 $iSkippedLines = 0;
- if (utils::ReadParam('box_skiplines', '0') == 1)
- {
+ if (utils::ReadParam('box_skiplines', '0') == 1) {
 $iSkippedLines = utils::ReadParam('nb_skipped_lines', '0');
 }
 $aFieldsMapping = utils::ReadParam('field', array(), false, 'raw_data');
@@ -1150,7 +1148,7 @@ EOF
 $sCSVData = $oDocument->GetData();
 }
 break;
-
+
 default:
 $sCSVData = utils::ReadPostedParam('csvdata', '', 'raw_data');
 }
@@ -1515,7 +1513,7 @@ EOF
 $oTabPaste->AddSubBlock($oFormPaste);
- $sCSVData = utils::ReadParam('csvdata', '', false, 'raw_data');
+ $sCSVData = utils::ReadParam('csvdata', '', false, utils::ENUM_SANITIZATION_FILTER_STRING);
 $oTextarea = new TextArea('csvdata', $sCSVData, '', 120, 30);
 $oFieldPaste = FieldUIBlockFactory::MakeFromObject(Dict::S('UI:CSVImport:PasteData'), $oTextarea);
 $oFormPaste->AddSubBlock($oFieldPaste);
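Review bot: Switching the `csvdata` read that feeds the paste textarea from `'raw_data'` to `utils::ENUM_SANITIZATION_FILTER_STRING` stops the reflection at the input rather than at the output sink, so what the user sees re-displayed is now a filtered copy of their CSV; if that filter HTML-encodes or strips characters, a legitimate paste containing `&`, `<`, `>` or quotes comes back altered in the textarea and would be imported in that altered form on resubmit, so this should be checked against what `TextArea` does with its value (its implementation is not visible here — if it already escapes its content, the sink is what prevents the XSS and the read could stay raw; if it does not, escaping in `TextArea` covers every caller rather than this one site). The same parameter is still read with `'raw_data'` through `ReadPostedParam` in the `default:` branch of the earlier hunk, which is right for the import itself but means the two reads of `csvdata` now return different strings for the same request; a one-line comment on the new line, e.g. `// Display only: filtered for the HTML textarea; the import path reads the raw value`, would keep a later maintainer from "aligning" them. Because this is `ReadParam` rather than `ReadPostedParam`, the value can also arrive in the query string, which is presumably how the reflected payload was delivered; reading it from POST only would close that channel independently of the filter. The enclosing block starts and ends outside the hunk.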