bugfix: avoid XSS in ticket and event forms (LMS #1910)
chilek committed Jan 17, 2021
1 parent 9a32448 commit 01a8b77
Showing 5 changed files with 35 additions and 30 deletions.
4 changes: 2 additions & 2 deletions lib/LMSManagers/LMSEventManager.php
Expand Up @@ -34,7 +34,7 @@ public function EventAdd($event)
{
$args = array(
'title' => $event['title'],
'description' => $event['description'],
'description' => Utils::removeInsecureHtml($event['description']),
'date' => $event['date'],
'begintime' => $event['begintime'],
'enddate' => $event['enddate'],
Expand Down Expand Up @@ -89,7 +89,7 @@ public function EventUpdate($event)
{
$args = array(
'title' => $event['title'],
'description' => $event['description'],
'description' => Utils::removeInsecureHtml($event['description']),
'date' => $event['date'],
'begintime' => $event['begintime'],
'enddate' => $event['enddate'],
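Review bot: Sanitising description only at write time in EventAdd (and identically in EventUpdate in the second hunk) leaves rows stored before this commit untouched, and templates/default/event/eventlistboxrow.html still renders `{$event.description}` without `|escape`, so the stored value is the sole defence on that path. Unless a one-off cleanup of existing rows is planned, consider also applying Utils::removeInsecureHtml where the description is read back for display, so legacy rows cannot carry markup. A short comment next to the new line, `// description is rendered as HTML, so it is sanitised once on write`, would record why this field is treated differently from title, which is escaped in the templates instead. Both EventAdd and EventUpdate continue outside their hunks.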
9 changes: 7 additions & 2 deletions lib/LMSManagers/LMSHelpdeskManager.php
Expand Up @@ -1019,6 +1019,11 @@ public function TicketMessageAdd($message, $files = null)

$createtime = isset($message['createtime']) ? $message['createtime'] : time();

$body = preg_replace("/\r/", "", $message['body']);
if ($message['contenttype'] == 'text/html') {
$body = Utils::removeInsecureHtml($body);
}

$this->db->Execute(
'INSERT INTO rtmessages (ticketid, createtime, subject, body, userid, customerid, mailfrom,
inreplyto, messageid, replyto, headers, type, phonefrom, contenttype)
Expand All @@ -1027,7 +1032,7 @@ public function TicketMessageAdd($message, $files = null)
$message['ticketid'],
$createtime,
isset($message['subject']) ? $message['subject'] : '',
preg_replace("/\r/", "", $message['body']),
$body,
isset($message['userid']) ? $message['userid'] : Auth::GetCurrentUser(),
empty($message['customerid']) ? null : $message['customerid'],
isset($message['mailfrom']) ? $message['mailfrom'] : '',
Expand Down Expand Up @@ -1102,7 +1107,7 @@ public function TicketAdd($ticket, $files = null)
if ($ticket['contenttype'] == 'text/plain') {
$body = str_replace("\r", "", $ticket['body']);
} else {
$body = $ticket['body'];
$body = Utils::removeInsecureHtml($ticket['body']);
}

$this->db->Execute('INSERT INTO rtmessages (ticketid, customerid, createtime,
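Review bot: The new guard in TicketMessageAdd sanitises only when contenttype is exactly `'text/html'`, whereas TicketAdd in the third hunk sanitises everything that is not `'text/plain'`; a message whose contenttype is absent or carries a parameter (for example a charset suffix) is therefore stored unsanitised by one path and sanitised by the other. Mirroring TicketAdd, `if (!isset($message['contenttype']) || $message['contenttype'] !== 'text/plain') {`, makes both entry points agree, uses a strict comparison, and avoids an undefined-index notice when the key is missing (whether every caller sets it is not visible here). TicketMessageAdd's body starts before and continues after the hunk.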
20 changes: 10 additions & 10 deletions templates/default/event/eventinfo.html
Expand Up @@ -19,7 +19,7 @@ <H1>{$layout.pagetitle}</H1>
{trans("Title:")}
</TD>
<TD class="bold">
{$event.title}
{$event.title|escape}
</TD>
</TR>
</THEAD>
Expand Down Expand Up @@ -129,7 +129,7 @@ <H1>{$layout.pagetitle}</H1>
<B>{trans("Last modified by:")}</B>
</TD>
<TD class="nobr">
<A href="?m=userinfo&id={$event.moduserid}">{$event.modusername}</A>
<A href="?m=userinfo&id={$event.moduserid}">{$event.modusername|escape}</A>
</TD>
</TR>
{/if}
Expand All @@ -155,7 +155,7 @@ <H1>{$layout.pagetitle}</H1>
<B>{trans("Closed by")}:</B>
</TD>
<TD class="nobr">
<A href="?m=userinfo&id={$event.closeduserid}">{$event.closedusername}</A>
<A href="?m=userinfo&id={$event.closeduserid}">{$event.closedusername|escape}</A>
</TD>
</TR>
{/if}
Expand Down Expand Up @@ -192,18 +192,18 @@ <H1>{$layout.pagetitle}</H1>
</TD>
<TD class="nobr">
{if $event.netnode_name}
{icon name="netnode"} <a href="?m=netnodeinfo&id={$event.netnode_id}">{$event.netnode_name}</a>
{icon name="netnode"} <a href="?m=netnodeinfo&id={$event.netnode_id}">{$event.netnode_name|escape}</a>
{if !empty($event.netnode_location)}
<br>{icon name="location"} {$event.netnode_location}{/if}
<br>{icon name="location"} {$event.netnode_location|escape}{/if}
{else}
{if $event.customername}
{icon name="customer"} <A href="?m=customerinfo&amp;id={$event.customerid}">{$event.customername|truncate:"30":"...":true}</A><br>
{if !empty($event.address_id)}
{icon name="location"} {$event.location}
{icon name="location"} {$event.location|escape}
{elseif !empty($event.nodeid)}
<a href="?m=nodeinfo&id={$event.nodeid}"> {$event.nodelocation}</a>
<a href="?m=nodeinfo&id={$event.nodeid}"> {$event.nodelocation|escape}</a>
{else}
{icon name="location"} {$event.customerlocation}
{icon name="location"} {$event.customerlocation|escape}
{/if}
{/if}
{/if}
Expand All @@ -218,7 +218,7 @@ <H1>{$layout.pagetitle}</H1>
{trans("Node:")}
</TD>
<TD class="nobr">
<a href="?m=nodeinfo&id={$event.nodeid}">{$event.node_name}: {$event.node_location}</a>
<a href="?m=nodeinfo&id={$event.nodeid}">{$event.node_name}: {$event.node_location|escape}</a>
</TD>
</TR>
{/if}
Expand All @@ -234,7 +234,7 @@ <H1>{$layout.pagetitle}</H1>
<TABLE WIDTH="95%" CELLPADDING="5">
<TR>
<TD class="fall superlight">
{$event.note|replace:"\n":"<BR>"}
{$event.note|escape|replace:"\n":"<BR>"}
</TD>
</TR>
</TABLE>
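Review bot: The context line `{$event.customername|truncate:"30":"...":true}` in the fourth hunk is left without `|escape` while every neighbouring name and location field gains it; the same line recurs in templates/default/event/eventlistboxrow.html. Unless the template engine applies default output escaping (not visible here), this should become `{$event.customername|truncate:"30":"...":true|escape}`, with escape applied after truncate so the cut cannot land inside an entity. The `|escape|replace:"\n":"<BR>"` ordering on the note field is correct and is worth preserving as the pattern for any further multi-line fields.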
22 changes: 11 additions & 11 deletions templates/default/event/eventinfoshort.html
Expand Up @@ -24,7 +24,7 @@
{trans("Title:")}
</TD>
<TD class="bold">
{$event.title}
{$event.title|escape}
</TD>
</TR>
</THEAD>
Expand Down Expand Up @@ -130,7 +130,7 @@
{trans("Last modified by:")}
</TD>
<TD class="nobr">
<A href="?m=userinfo&id={$event.moduserid}">{$event.modusername}</A>
<A href="?m=userinfo&id={$event.moduserid}">{$event.modusername|escape}</A>
</TD>
</TR>
{/if}
Expand All @@ -156,7 +156,7 @@
{trans("Closed by")}:
</TD>
<TD class="nobr">
<A href="?m=userinfo&id={$event.closeduserid}">{$event.closedusername}</A>
<A href="?m=userinfo&id={$event.closeduserid}">{$event.closedusername|escape}</A>
</TD>
</TR>
{/if}
Expand All @@ -182,7 +182,7 @@
{trans("Customer:")}
</TD>
<TD class="nobr">
<A href="?m=customerinfo&id={$event.customerid}">{$event.customername}</A>
<A href="?m=customerinfo&id={$event.customerid}">{$event.customername|escape}</A>
</TD>
</TR>
{/if}
Expand All @@ -196,16 +196,16 @@
</TD>
<TD class="nobr">
{if $event.netnode_name}
{icon name="netnode" class="fa-fw"}<a href="?m=netnodeinfo&id={$event.netnode_id}">{$event.netnode_name}</a>
{if !empty($event.netnode_location)}<br>{$event.netnode_location}{/if}
{icon name="netnode" class="fa-fw"}<a href="?m=netnodeinfo&id={$event.netnode_id}">{$event.netnode_name|escape}</a>
{if !empty($event.netnode_location)}<br>{$event.netnode_location|escape}{/if}
{else}
{if $event.customername}
{if !empty($event.address_id)}
{$event.location}
{$event.location|escape}
{elseif !empty($event.nodeid)}
<a href="?m=nodeinfo&id={$event.nodeid}">{$event.nodelocation}</a>
<a href="?m=nodeinfo&id={$event.nodeid}">{$event.nodelocation|escape}</a>
{else}
{$event.customerlocation}
{$event.customerlocation|escape}
{/if}
{/if}
{/if}
Expand All @@ -221,7 +221,7 @@
{trans("Node:")}
</TD>
<TD class="nobr">
<a href="?m=nodeinfo&id={$event.nodeid}">{$event.node_name}: {$event.node_location}</a>
<a href="?m=nodeinfo&id={$event.nodeid}">{$event.node_name}: {$event.node_location|escape}</a>
</TD>
</TR>
{/if}
Expand All @@ -235,7 +235,7 @@
</TD>
<TD>
<div class="fall superlight eventinfoshort-textbox">
{$event.note|replace:"\n":"<BR>"}
{$event.note|escape|replace:"\n":"<BR>"}
</div>
</TD>
</TR>
10 changes: 5 additions & 5 deletions templates/default/event/eventlistboxrow.html
Expand Up @@ -38,9 +38,9 @@
{/if}
</TD>
<TD data-target-url="?m=eventinfo&id={$event.id}">
<a href="?m=eventinfo&id={$event.id}"><i class="lms-ui-icon-timetable lms-ui-tooltip-eventinfoshort" data-resourceid="{$event.id}"></i> <span class="bold" {if !$event.closed}style="color:black"{/if}>{$event.title}</span></a>
<a href="?m=eventinfo&id={$event.id}"><i class="lms-ui-icon-timetable lms-ui-tooltip-eventinfoshort" data-resourceid="{$event.id}"></i> <span class="bold" {if !$event.closed}style="color:black"{/if}>{$event.title|escape}</span></a>
{if !ConfigHelper::checkConfig('phpui.timetable_hide_description')}{if $event.description != ''}<br>{icon name="description"} {$event.description}{/if}{/if}
{if $event.note != ''}<span{if !$event.closed} style="color: red;"{/if}><br>{icon name="note"} {$event.note}</span>{/if}
{if $event.note != ''}<span{if !$event.closed} style="color: red;"{/if}><br>{icon name="note"} {$event.note|escape}</span>{/if}
</TD>
<TD class="nobr" colspan="2" data-target-url="?m=eventinfo&id={$event.id}">
{if $event.netnode_name}
Expand All @@ -50,11 +50,11 @@
{if $event.customername}
{icon name="customer"} <A href="?m=customerinfo&amp;id={$event.customerid}">{$event.customername|truncate:"30":"...":true}</A><br>
{if !empty($event.address_id)}
{icon name="location"} {$event.location}
{icon name="location"} {$event.location|escape}
{elseif !empty($event.nodeid)}
<a href="?m=nodeinfo&id={$event.nodeid}"> {$event.nodelocation}</a>
<a href="?m=nodeinfo&id={$event.nodeid}"> {$event.nodelocation|escape}</a>
{else}
{icon name="location"} {$event.customerlocation}
{icon name="location"} {$event.customerlocation|escape}
{/if}
{/if}
{/if}
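Review bot: `{$event.description}` on the unchanged context line in the first hunk is still emitted raw while title and note on the adjacent lines now get `|escape`, so this output depends entirely on Utils::removeInsecureHtml having run when the row was written, which is not the case for rows stored before this commit. If the description is meant to carry HTML, a template comment `{* description is stored pre-sanitised by Utils::removeInsecureHtml; do not escape *}` should say so, and a cleanup of legacy rows or sanitisation on read is still needed; if it is not, `{$event.description|escape}` is the simpler fix.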
