FSN#37512 PENTEST 4.6.3 Cross-site scripting

svn path=/Website/trunk/; revision=30390
2016-08-23 13:43:17 +00:00
parent c3fae75bb5
commit 90a1a8409d
9 changed files with 11 additions and 11 deletions
--- a/APPL/BES/opdr_delivery.asp
+++ b/APPL/BES/opdr_delivery.asp
@@ -171,7 +171,7 @@ user.auth_required_or_abort(this_bestelopdr.canDeliver);
      oRs = Oracle.Execute(sql);
      count = 0;
-      BLOCK_START("besdelivery", L("lcl_bes_delvery_h_pref") + S("bes_bestelopdr_prefix") + ordernr_id + L("lcl_bes_delvery_h_suf"));
+      BLOCK_START("besdelivery", L("lcl_bes_delvery_h_pref") + S("bes_bestelopdr_prefix") + safe.html(ordernr_id) + L("lcl_bes_delvery_h_suf"));
      ROFIELDTR("fld", L("lcl_bes_Supplier"), oRs("prs_bedrijf_naam").value);
      RWTEXTAREATR("notsat",
                   "fldremark",
--- a/APPL/CNT/cnt_split.asp
+++ b/APPL/CNT/cnt_split.asp
@@ -115,7 +115,7 @@ var kosten = oRs("kosten").value;
  <body class="modal" id="mod_cntsplit">
    <form name=u2 action=cnt_split.asp?submit=1&cnt_key=<%=cnt_key%> method="post">
 <%
-      BLOCK_START("cntSplit", L("lcl_cnt_newversion_make") + internr);
+      BLOCK_START("cntSplit", L("lcl_cnt_newversion_make") + safe.html(internr));
      var defaultdatum = new Date;  // vandaag
      FCLTcalendar( "splitdate",
--- a/APPL/FAC/fac_locale_data.asp
+++ b/APPL/FAC/fac_locale_data.asp
@@ -124,7 +124,7 @@ var maxlen = oRs(0).Value;
  <body class="modal" id="localebody">
      <form id="lclform" name="lclform" action="fac_locale_data.asp?submit=1&kolomnaam=<%=kolomnaam%>&kolomkeyval=<%=kolomkeyval%>" method="post">
 <%
-        BLOCK_START("mldReject", lbl);
+        BLOCK_START("mldReject", safe.html(lbl));
        //kolomkeydata
        var talen_arr = [];
--- a/APPL/FAC/fac_locale_dialect.asp
+++ b/APPL/FAC/fac_locale_dialect.asp
@@ -24,7 +24,7 @@ var autfunction = "WEB_PRSSYS";
 var authparams = user.checkAutorisation(autfunction);
 var submitting = getQParamInt("submit", 0) == 1;
-var lang = getQParam("lang", "NL"); // TODO: popup als niet meegegeven
+var lang = getQParamSafe("lang", "NL"); // TODO: popup als niet meegegeven
 var dialect_key = getQParamInt("dialect_key");
 var dialect_id = getQParam("dialect_id");
--- a/APPL/FAC/fac_user_info.asp
+++ b/APPL/FAC/fac_user_info.asp
@@ -177,13 +177,13 @@ oRs.Close();
      $(document).ready(function () {
                    FcltMgr.setTitle("<%=itsme ? L("lcl_prs_person_mijndata") : safe.jsstring(thisUser.naam())%>");
                });
-                
+
      function edit_photo(img)
      {
          var url = "<%=protectQS.create("../../appl/shared/BijlagenForm.asp?module=SML&key="+prs_key)%>";
          FcltMgr.openModalDetail(url, L("lcl_prs_upload_foto"),
                      { callback: FcltMgr.reload } );
-      }                
+      }
    </script>
    <div id="show">
 <%    if (prs_deleted == 1)
@@ -330,7 +330,7 @@ oRs.Close();
          var oRs = Oracle.Execute (sql);
          while (!oRs.eof)
          {
-              BLOCK_START("prsSubst", L("lcl_prs_substitutesblock") + ": " + oRs("fac_groep_omschrijving").Value);
+              BLOCK_START("prsSubst", L("lcl_prs_substitutesblock") + ": " + safe.html(oRs("fac_groep_omschrijving").Value));
              var sql = "SELECT p.prs_perslid_key"
                      + ", " + S("prs_pers_string") + " prs_perslid_naam"
                      + "  FROM fac_gebruikersgroep fgg"
--- a/APPL/INS/ins_deelkoppeling.asp
+++ b/APPL/INS/ins_deelkoppeling.asp
@@ -130,7 +130,7 @@ else
          <input type="hidden" id="nrRows" name="nrRows" value="0">
 <%
          if (ins_van_key_arr.length == 1)
-            BLOCK_START("ins_ruimteafdeling", safe.htmlattr(ins_srtname + " " + ins_name));
+            BLOCK_START("ins_ruimteafdeling", safe.html(ins_srtname + " " + ins_name));
          else
            BLOCK_START("ins_ruimteafdeling", L("lcl_alg_geselecteerde_ruimten") + ": " + ins_van_key_arr.length);
--- a/APPL/MLD/mld_show_melding.asp
+++ b/APPL/MLD/mld_show_melding.asp
@@ -388,7 +388,7 @@ function parentButton()
 %></div><% // div.leftcontainer, de rest staat rechts
-    BLOCK_START("mldInfo", L("lcl_complain") + " "+ (mld_melding.prefix != null? mld_melding.prefix : "") + mld_key + (mld_melding.mld_onderwerp ? ": <span class='mldsubject'>" + mld_melding.mld_onderwerp + "</span>" : ""));
+    BLOCK_START("mldInfo", L("lcl_complain") + " "+ (mld_melding.prefix != null? mld_melding.prefix : "") + mld_key + (mld_melding.mld_onderwerp ? ": <span class='mldsubject'>" + safe.html(mld_melding.mld_onderwerp) + "</span>" : ""));
      if (mld_melding.behandel_key) {
          FCLTpersoonselector("sBehandel",
                              "sgBehandelaar",
--- a/APPL/PDA/order.asp
+++ b/APPL/PDA/order.asp
@@ -284,7 +284,7 @@ else
      <input type="hidden" name="uitvkeystr"  value="<%=uitv_key%>"/>
      <input type="hidden" name="behandelaar" value="<%=mld_opdr.contactpers_key%>"/>
 <%
-      BLOCK_START({collapsed: true, title: mld_opdr.opdr_type_omschr});
+      BLOCK_START({collapsed: true, title: safe.html(mld_opdr.opdr_type_omschr)});
        FCLTuitvoerendeselector("uitvoerende",
                                "sgUitv",
                                { uitvoerendekey: mld_opdr.uitvoerende_key,
--- a/APPL/PDA/reservering.asp
+++ b/APPL/PDA/reservering.asp
@@ -411,7 +411,7 @@ else
        if (rsv_ruimte_key == -1)
        { // Nieuw. Datum en tijd heb je al in vorige schermen gekozen
-          BLOCK_START({collapsed: true, title: rsv.activity});
+          BLOCK_START({collapsed: true, title: safe.html(rsv.activity) });
          ROFIELD("fld", L("lcl_place") , rsv.ruimtenr.replace(/\n/,"<br>"));
          ROFIELD("fld", L("lcl_date"), toDateTimeString(rsv.ruimte_van) + "-" + toTimeString(rsv.ruimte_tot));
 %>