From ce77c65e6e1da1ae8b021e5bd8edccfde4be8ba8 Mon Sep 17 00:00:00 2001
From: Romain Quetiez
Date: Wed, 17 Oct 2012 15:38:09 +0000
Subject: [PATCH] #565 Fixed security issues (XSS) SVN:trunk[2282]

---
 application/cmdbabstract.class.inc.php | 2 +-
 datamodels/1.x/itop-attachments/ajax.attachment.php | 3 ++-
 pages/ajax.render.php | 3 ++-
 3 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/application/cmdbabstract.class.inc.php b/application/cmdbabstract.class.inc.php
index e50e37d35..959e497d2 100644
--- a/application/cmdbabstract.class.inc.php
+++ b/application/cmdbabstract.class.inc.php
@@ -1371,7 +1371,7 @@ abstract class cmdbAbstractObject extends CMDBObject implements iDisplay
 if (is_null($aAllowedValues))
 {
 // Any value is possible, display an input box
- $sHtml .= " \n";
+ $sHtml .= " \n";
 }
 else
 {
diff --git a/datamodels/1.x/itop-attachments/ajax.attachment.php b/datamodels/1.x/itop-attachments/ajax.attachment.php
index dd7285260..98a21504c 100644
--- a/datamodels/1.x/itop-attachments/ajax.attachment.php
+++ b/datamodels/1.x/itop-attachments/ajax.attachment.php
@@ -102,7 +102,8 @@ try
 }
 catch (Exception $e)
 {
- echo $e->GetMessage();
+ // note: transform to cope with XSS attacks
+ echo htmlentities($e->GetMessage(), ENT_QUOTES, 'utf-8');
 IssueLog::Error($e->getMessage());
 }
 ?>
diff --git a/pages/ajax.render.php b/pages/ajax.render.php
index fd168b6b7..72494880d 100644
--- a/pages/ajax.render.php
+++ b/pages/ajax.render.php
@@ -875,7 +875,8 @@ try
 }
 catch (Exception $e)
 {
- echo $e->GetMessage();
+ // note: transform to cope with XSS attacks
+ echo htmlentities($e->GetMessage(), ENT_QUOTES, 'utf-8');
 echo "
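Review bot: The added `htmlentities($e->GetMessage(), ENT_QUOTES, 'utf-8')` in the ajax.attachment.php catch block returns an empty string when the message contains a byte sequence that is not valid UTF-8, so such a message would be silently blanked for the client while `IssueLog::Error` still records it in full; on PHP 5.4 or later, `ENT_QUOTES | ENT_SUBSTITUTE` replaces the offending bytes instead of dropping the whole text, and on older runtimes the caller should at least expect an empty body. The same line is added in pages/ajax.render.php in the next hunk. Escaping for HTML is only right if the consumer of this ajax response renders it as HTML; if a caller treats the body as plain text, entities such as `&#039;` will appear literally, which is worth confirming against the JavaScript side. As a point of style, `$e->GetMessage()` and `$e->getMessage()` are used on adjacent lines; PHP resolves both, but one spelling (`getMessage()`) keeps the block consistent with the `Exception` API.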

Debug trace:

".print_r($e->getTrace(), true)."

\n"; IssueLog::Error($e->getMessage()); }
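Review bot: The XSS fix in this catch block stops at the message: the next statement still interpolates `print_r($e->getTrace(), true)` into the response unescaped, and a trace carries function arguments, which can include request-supplied strings, so the same injection the commit closes on the message line remains open one line below. Wrapping it the same way, `".htmlentities(print_r($e->getTrace(), true), ENT_QUOTES, 'utf-8')."`, closes that gap with no other change to the output. Independently of escaping, sending a full trace (file paths, argument values) to any client is an information disclosure; unless a debug gate exists outside this hunk, a reviewer would ask for the trace to be logged via `IssueLog::Error` and omitted from the response. The `echo` on the trace line spans several lines in this rendering but is one statement in the file.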