🔒 N°1795 prevent XSS on some fields

This commit is contained in:
Pierre Goiffon
2018-11-23 17:58:50 +01:00
parent 44d7abac6e
commit d5568afc68
4 changed files with 38 additions and 15 deletions


@@ -2228,7 +2228,12 @@ EOF
try
{
$token = utils::ReadParam('token', null);
$aResult = array('code' => 'error', 'percentage' => 100, 'message' => "Export not found for token: '$token'"); // Fallback error, just in case
$sTokenForDisplay = utils::HtmlEntities($token);
$aResult = array( // Fallback error, just in case
'code' => 'error',
'percentage' => 100,
'message' => "Export not found for token: '$sTokenForDisplay'",
);
$data = '';
if ($token === null)
{
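Review bot: The escaping added at L17 is HTML-entity encoding applied to a value that is emitted inside a JSON body (the `json_encode($aResult)` call visible in the second hunk), so it only neutralises XSS for a client that injects `message` into the DOM as markup; a consumer that uses `textContent`/`.text()` will now display `&#039;` literally, and any other consumer of this JSON is still unprotected. Escaping at the sink (the JavaScript that renders `message`) is the layer-correct fix; if server-side escaping is kept on purpose, that contract should be recorded next to L17, e.g. `// HTML-escaped here because the client inserts 'message' into the DOM as HTML; do not escape again client-side`. Keeping the raw `$token` for the `=== null` check at L24 is correct, since encoding it first would turn `null` into `''` and skip that branch. The enclosing `try` body continues past the end of this hunk.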
@@ -2303,11 +2308,11 @@ EOF
$oPage->add(json_encode($aResult));
} catch (BulkExportException $e)
{
$aResult = array('code' => 'error', 'percentage' => 100, 'message' => $e->GetLocalizedMessage());
$aResult = array('code' => 'error', 'percentage' => 100, 'message' => utils::HtmlEntities($e->GetLocalizedMessage()));
$oPage->add(json_encode($aResult));
} catch (Exception $e)
{
$aResult = array('code' => 'error', 'percentage' => 100, 'message' => $e->getMessage());
$aResult = array('code' => 'error', 'percentage' => 100, 'message' => utils::HtmlEntities($e->getMessage()));
$oPage->add(json_encode($aResult));
}
break;
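Review bot: The generic `catch (Exception $e)` at L33-L36 still returns `$e->getMessage()` to the client; `utils::HtmlEntities` stops the text from being interpreted as markup but does nothing about what the text reveals, and for an unexpected exception that can plausibly include internal paths or query fragments. A safer shape is to log the exception server-side and send a fixed string, e.g. `'message' => 'An unexpected error occurred during export'`, reserving `GetLocalizedMessage()` for the `BulkExportException` branch that is meant for users. Independently of the consumer, passing `JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_QUOT | JSON_HEX_APOS` to the `json_encode` calls at L27, L32 and L37 would keep the payload inert even if it is ever inlined into an HTML page. The `switch` case this `break;` belongs to, and the `try` it closes, start outside the hunk.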