From 1e634a8bba0ab88f1d2911d4d23ef374c25d52b1 Mon Sep 17 00:00:00 2001
From: Pierre Goiffon
Date: Wed, 23 Sep 2020 17:17:05 +0200
Subject: [PATCH 1/2] =?UTF-8?q?N=C2=B03332=20Security=20hardening?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 js/breadcrumb.js | 27 ++++++++++++++-------------
 js/utils.js | 20 ++++++++++++++++++--
 2 files changed, 32 insertions(+), 15 deletions(-)
diff --git a/js/breadcrumb.js b/js/breadcrumb.js
index e8fc88a6f..ab0941d86 100644
--- a/js/breadcrumb.js
+++ b/js/breadcrumb.js
@@ -59,24 +59,25 @@ $(function()
 var oEntry = aBreadCrumb[iEntry];
 if (oEntry['label'].length > 0)
 {
- var sIconSpec = '';
- if (oEntry['icon'].length > 0)
- {
- sIconSpec = '';
- }
- var sTitle = oEntry['description'];
+ var sIconSpec = '';
+ if (oEntry['icon'].length > 0) {
+ sIconSpec = '';
+ }
+
+ var sTitle = oEntry['description'],
+ sLabel = oEntry['label'];
 if (sTitle.length == 0)
 {
 sTitle = oEntry['label'];
 }
- if ((this.options.new_entry !== null) && (iEntry == aBreadCrumb.length - 1))
- {
+ sTitle = SanitizeHtml(sTitle);
+ sLabel = SanitizeHtml(sLabel);
+
+ if ((this.options.new_entry !== null) && (iEntry == aBreadCrumb.length-1)) {
 // Last entry is the current page
- sBreadCrumbHtml += '';
- }
- else
- {
+ sBreadCrumbHtml += '';
+ } else {
 var sSanitizedUrl = StripArchiveArgument(oEntry['url']);
- sBreadCrumbHtml += '';
+ sBreadCrumbHtml += '';
 }
 }
 }
diff --git a/js/utils.js b/js/utils.js
index be52a81d2..52f446a4c 100644
--- a/js/utils.js
+++ b/js/utils.js
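Review bot: `oEntry['icon']` and `oEntry['url']` still reach `sBreadCrumbHtml` unencoded: the new code passes only `sTitle` and `sLabel` through `SanitizeHtml`, while `sIconSpec` is built from `oEntry['icon']` and `sSanitizedUrl` comes from `StripArchiveArgument(oEntry['url'])`, which by its name strips a query argument rather than HTML-encoding (the markup inside the string literals is not visible on this page, so where each value lands has to be confirmed in the file). If both are interpolated into attribute values as the variable names suggest, encode them the same way, e.g. `var sSanitizedUrl = SanitizeHtml(StripArchiveArgument(oEntry['url']));` and `SanitizeHtml(oEntry['icon'])` inside `sIconSpec`. Entity-encoding does not neutralize a `javascript:` scheme in an href, so if breadcrumb URLs can be influenced by user data a scheme allow-list is still needed on top of this. The enclosing `$(function()` callback and the loop over `aBreadCrumb` start before this hunk.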
@@ -669,6 +669,23 @@ function DisplayHistory(sSelector, sFilter, iCount, iStart) {
 );
 }
+/**
+ * @param sValue value to escape
+ * @returns {string} sanitized value, ready to insert in the DOM without XSS risk
+ *
+ * @since 2.6.5, 2.7.2, 2.8.0 N°3332
+ * @see https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html#rule-1-html-encode-before-inserting-untrusted-data-into-html-element-content
+ */
+function SanitizeHtml(sValue) {
+ return (sValue+'')
+ .replace(/&/g, '&')
+ .replace(//g, '>')
+ .replace(/"/g, '"')
+ .replace(/'/g, ''')
+ .replace(/\//g, '/');
+}
+
 // Very simple equivalent to format: placeholders are %1$s %2$d ...
 function Format() {
 var args = [];
@@ -676,8 +693,7 @@ function Format() {
 if (arguments[0] instanceof Array) {
 str = arguments[0][0].toString();
 args = arguments[0];
- }
- else {
+ } else {
 str = arguments[0].toString();
 if (arguments.length > 1) {
 var t = typeof arguments[1];
From 45e366745d641c8e7e28f51028ff16a24f858e19 Mon Sep 17 00:00:00 2001
From: Pierre Goiffon
Date: Thu, 24 Sep 2020 17:34:57 +0200
Subject: [PATCH 2/2] =?UTF-8?q?N=C2=B03333=20Security=20hardening?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 core/userrights.class.inc.php | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/core/userrights.class.inc.php b/core/userrights.class.inc.php
index 5c746bbb1..12a936787 100644
--- a/core/userrights.class.inc.php
+++ b/core/userrights.class.inc.php
@@ -1343,9 +1343,8 @@ class UserRights
 // The bug has been fixed in PHP 7.2, but in case session_regenerate_id()
 // fails we just silently ignore the error and keep the same session id...
 $old_error_handler = set_error_handler(array(__CLASS__, 'VoidErrorHandler'));
- session_regenerate_id();
- if ($old_error_handler !== null)
- {
+ session_regenerate_id(true);
+ if ($old_error_handler !== null) {
 set_error_handler($old_error_handler);
 }
 }
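Review bot: The JSDoc `@returns` on `SanitizeHtml` overstates the guarantee: entity-encoding `& < > " ' /` makes a value safe as HTML element content or inside a quoted attribute value, but not inside a URL attribute (`href="javascript:..."`), an inline event handler, a script block or a CSS context, and callers may read "without XSS risk" as covering all of those. Suggested wording: `@returns {string} HTML-encoded copy of the value; safe for element content and quoted attribute values only, not for URLs, script or event-handler attributes (OWASP rules 2-5)`. It is also worth stating in the doc that `(sValue+'')` turns `null`/`undefined` into the literal strings `"null"`/`"undefined"` rather than an empty string. As printed on this page the `<`/`>` replacements have collapsed into `.replace(//g, '>')` and the replacement strings show the bare characters instead of entities, which looks like the page's HTML extraction rather than the committed code, but the file is worth a glance to confirm all six entity replacements are intact and that `&` is encoded first.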
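Review bot: Passing `true` to `session_regenerate_id()` is the right move against session fixation (the old session data is destroyed, so a pre-authentication id can no longer be replayed), but the comment two lines above still only explains the error-handler workaround for the PHP 7.0/7.1 bug and says nothing about why the old session is now deleted; add next to the call `// true: destroy the pre-login session data so a fixated session id cannot be reused (N°3333)`. One consequence to check: with `delete_old_session` any request still in flight with the old cookie (parallel AJAX calls during login) now lands on an empty session instead of the previously still-valid one, so the login flow should be exercised with concurrent requests. The call's return value is still ignored — the comment says that is deliberate, but on `false` the user silently keeps the old id, so a debug-level log on that branch would make the downgrade diagnosable. The enclosing method of `UserRights` starts before this hunk.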