admin/Facilitor
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

FCLT#54935 Enkele XSS voorkomen

Browse Source 
svn path=/Website/trunk/; revision=39384
This commit is contained in:
Koen Reefman
2018-10-12 14:17:49 +00:00
parent b0532d510c
commit 49d12c05e4
9 changed files with 19 additions and 13 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
APPL/FAC/fac_usrrap_list.asp
View File

@@ -114,7 +114,7 @@ if (!nohtml) {
<% } %>
</head>
<body id="listbody" <%=bodyclass != "" ? "class='"+bodyclass+"'": ""%> <%= (outputmode == 1 && rapport_xmlxsl_mode (func_mode)? "onload='window.print()'" : "")%>>
<body id="listbody" <%=bodyclass != "" ? "class='"+safe.htmlattr(bodyclass)+"'": ""%> <%= (outputmode == 1 && rapport_xmlxsl_mode (func_mode)? "onload='window.print()'" : "")%>>
<%
}

2
APPL/FAC/header.inc
View File

@@ -94,7 +94,7 @@ function generateHeader()
{
var other_key = parseInt(Session("org_user_key"), 10);
var other = new Perslid(other_key);
Response.Write("<div id='userimperson'>" + L("lcl_impersonate_active").format(other.naam() + "</div>"));
Response.Write("<div id='userimperson'>" + L("lcl_impersonate_active").format(safe.html(other.naam()) + "</div>"));
}
else if (L("lcl_facilitor_header_prefix") || otap)
Response.Write("<div id='headerprefix'>" + otap+" "+L("lcl_facilitor_header_prefix") + "</div>");

4
APPL/FIN/load_kenmerk.asp
View File

@@ -27,12 +27,12 @@ var DOCTYPE_Disable = true;
<%
generateFlexKenmerkCode ({ fin_key: getQParamInt("fin_key", -1), // Factuurnummer
regel_key: getQParamInt("regel_key", -1), // Factuurregelnummer
kenmerk_niveau: getQParam("kenmerk_niveau", 'F'), // Kenmerk niveau (F=factuur, R=regel).
kenmerk_niveau: getQParamSafe("kenmerk_niveau", 'F'), // Kenmerk niveau (F=factuur, R=regel).
reado: getQParamInt("reado", 0) == 1, // Readonly
flexcolumns: getQParamInt("advanced", 0) == 1? 1 : S("fin_flexcolumns"),
advanced: getQParamInt("advanced", 0) == 1, // Geavanceerd
reqId: getQParamInt("reqId", -1), // Perslid key (!search && multiMode)
nameprefix: getQParam("nameprefix", "") != ""? getQParam("nameprefix", "") : null
nameprefix: getQParamSafe("nameprefix", "") != ""? getQParamSafe("nameprefix", "") : null
});
%>
</table>

4
APPL/MJB/mjb_search_list.asp
View File

@@ -148,14 +148,14 @@ var transitParam = buildTransitParam(["deel", "groep", "categorie_key", "distric
var disc_key = <%=disc_key%>;
var srtgroep_key = <%=srtgroep_key%>;
var srtdeel_key = <%=srtdeel_key%>;
var groep = "<%=groep%>";
var groep = "<%=safe.jsstring(groep)%>";
var categorie_key = <%=categorie_key%>;
var srtcontrole = "<%=srtcontrole.join(",")%>";
var frequentie = "<%=frequentie.join(",")%>";
var account = <%=kp_key%>;
var incbtw = <%=incbtw? 1 : 0%>;
var groupby = <%=groupby%>;
var deel = "<%=deel%>";
var deel = "<%=safe.jsstring(deel)%>";
var actsit = <%=actsit? 1 : 0%>;
var mjbMoved = <%=mjbMoved? 1 : 0%>;
var mjbFreezed = <%=mjbFreezed? 1 : 0%>;

2
APPL/RES/res_search.asp
View File

@@ -215,7 +215,7 @@ var authparams = user.checkAutorisation(autfunction);
<input type="hidden" name="urole" value="<%=urole%>">
<input type="hidden" name="srtact" value="<%=srtact%>">
<input type="hidden" name="park" value="<%=show_park%>">
<input type="hidden" name="fnStep" value="parent.fnStepPlanbord">
<input type="hidden" name="fnStep" value="1"> <!-- 1 = "parent.fnStepPlanbord" -->
<input type="hidden" name="autosearch" id="autosearch" value="0">
<%
if (frontend && planbordonly && autoexec==2)

6
APPL/RES/res_search_plan_obj.asp
View File

@@ -33,7 +33,11 @@ var dateoffset=0; // TODO deeplinking??
var date_from = getFParamDate("date_from", new Date((new Date).getTime() + dateoffset));
var date_to = getFParamDate("date_to", new Date(date_from.getTime()));
var show_park = getFParamInt("park", 0)==1;
var fnStep = getFParam("fnStep", null); // Clientside functie voor Next/Prev
var fnStep;
switch(getFParamInt("fnStep", -1)) {
case 1: fnStep = "parent.fnStepPlanbord"; break;
}
var fronto = (urole == "fo");
var backo = (urole == "bo");

6
APPL/RES/res_search_plan_room.asp
View File

@@ -66,8 +66,10 @@ if (act_key > 0)
oRs.Close();
}
var fnStep = getFParam("fnStep", null); // Clientside functie voor Next/Prev
var fnStep;
switch(getFParamInt("fnStep", -1)) {
case 1: fnStep = "parent.fnStepPlanbord"; break;
}
// Bereken dynamisch breedte blokjes
// PAS OP: identiek houden aan res_plan_room.inc!

2
APPL/SCF/scaffolding_list.inc
View File

@@ -53,7 +53,7 @@ function scaffolding_list(model, scf_params)
var filter = shared.qs2json(model);
if (scf_params.incsetting && scf_params.incsetting.joinfield in filter) // Zijn we eigenlijk een include?
{
transit += "&" + scf_params.incsetting.joinfield + "=" + filter[scf_params.incsetting.joinfield]; // parentkey doorgeven
transit += "&" + scf_params.incsetting.joinfield + "=" + safe.url(filter[scf_params.incsetting.joinfield]); // parentkey doorgeven
}
var default_url = model.list.default_url;

4
APPL/Shared/Shared.inc
View File

@@ -404,7 +404,7 @@ function getQParamInt(pName, defVal, relaxed)
function getQParamSafe(pName, defVal)
{
var txt = _get_Param(Request.Querystring, pName, defVal);
if (txt.match(/[^a-zA-Z0-9]/))
if (txt.match(/[^_a-zA-Z0-9-]/))
eval("INTERNAL_ERROR_PARAMETER_" + pName + "_IS_BAD");
return txt;
}
@@ -413,7 +413,7 @@ function getQParamSafe(pName, defVal)
function getFParamSafe(pName, defVal)
{
var txt = _get_Param(Request.Form, pName, defVal);
if (txt.match(/[^a-zA-Z0-9]/))
if (txt.match(/[^_a-zA-Z0-9-]/))
eval("INTERNAL_ERROR_PARAMETER_" + pName + "_IS_BAD");
return txt;
}