FSN#39950 PENTEST Reflected XSS in cal_id parameter

svn path=/Website/branches/v2016.3/; revision=33215
2017-03-22 14:31:33 +00:00
parent b15773882d
commit 13e3e13ea6
1 changed files with 9 additions and 6 deletions
--- a/APPL/Shared/loadCalendar.asp
+++ b/APPL/Shared/loadCalendar.asp
@@ -21,12 +21,15 @@ DOCTYPE_Disable = true;
 <%
 // Maak een kalender
-var cal_id = getFParam("cal_id");
+
-var label = getFParam("label", "");
+// De functie FCLTcalendar verwacht dat alle parameters htmlsafe zijn
 // Bij wijze van uitzondering forceren we dat hier
 var cal_id = safe.htmlattr(getFParam("cal_id"));
 var label = safe.htmlattr(getFParam("label", ""));
 var datum = getFParamDate("datum", new Date);
-var onChange = getFParam("onChange", "");
+var onChange = safe.htmlattr(getFParam("onChange", ""));
-var onChangeDate = getFParam("onChangeDate", "");
+var onChangeDate = safe.htmlattr(getFParam("onChangeDate", ""));
-var onChangeTime = getFParam("onChangeTime", "");
+var onChangeTime = safe.htmlattr(getFParam("onChangeTime", ""));
 var volgnr = getFParamInt("volgnr", -1);
 var calendars = getFParamInt("calendars", -1);
 var readonly = (getFParamInt("readonly", 0) == 1);
@@ -40,7 +43,7 @@ var maxPast = getFParamInt("maxPast", -1);
 var minFuture = getFParamInt("minFuture", -1);
 var minDate = getFParamDate("minDate", null);
 var maxDate = getFParamDate("maxDate", null);
-var addClass = getFParam("addClass", "");
+var addClass = safe.htmlattr(getFParam("addClass", ""));
 var hidden = (getFParamInt("hidden", 0) == 1);
 params = { datum: datum };