XSS op thisuser.photopath voorkomen
svn path=/Website/trunk/; revision=38290
@@ -206,7 +206,7 @@ prs.checkAutorisation(prs_key);
|
||||
{
|
||||
%><span class='fa fa-pencil fa-lg button' title='<%=L("lcl_change")%>' onclick='edit_photo(this)'></span><%
|
||||
}
|
||||
Response.write("</td><td class='profile'><img id='photo' class='profile' src='" + thisUser.photoinfo().photopaththumb + "'></td></tr>");
|
||||
Response.write("</td><td class='profile'><img id='photo' class='profile' src='" + safe.htmlattr(thisUser.photoinfo().photopaththumb) + "'></td></tr>");
|
||||
ROFIELDTR('fld', L("lcl_prs_person_name"), thisUser.naam());
|
||||
|
||||
// Is persoon een contactpersoon, en zo ja van welk bedrijf.
|
||||
|
||||
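Review bot: The escaping on `safe.htmlattr(thisUser.photoinfo().photopaththumb)` is applied call site by call site, and the same `<img id='photo' class='profile' src='…'>` literal is rebuilt by hand here and again in the hunks at lines 32, 97, 124, 182 and 262 (with a footer variant at line 153), so the next caller can forget the wrapper exactly as these sites did. Consider one helper that owns the markup, e.g. `function profileImg(path) { return "<img id='photo' class='profile' src='" + safe.htmlattr(path) + "'>"; }`, and have every site call it. `htmlattr` closes the attribute-delimiter breakout, but since the value lands in a URL attribute the stronger control is for `photoinfo()` (not shown here) to guarantee a path under the application's photo directory, so no caller depends on output escaping alone. The enclosing function of this hunk starts outside it.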
@@ -96,7 +96,7 @@ IFRAMER_HEADER("Facilitor Vinder", buttons);
|
||||
{
|
||||
%><span class='fa fa-pencil fa-lg button' title='<%=L("lcl_change")%>' onclick='edit_photo(this)'></span><%
|
||||
}
|
||||
Response.write("</td><td class='profile'><img id='photo' class='profile' src='" + thisUser.photopath + "'></td></tr>");
|
||||
Response.write("</td><td class='profile'><img id='photo' class='profile' src='" + safe.htmlattr(thisUser.photopath) + "'></td></tr>");
|
||||
|
||||
AFIELDTR('fldmailto details', L("lcl_prs_person_email"), "mailto:" + thisUser.prs_perslid_email, thisUser.prs_perslid_email, {suppressEmpty: true});
|
||||
ROFIELDTR('fld', L("lcl_prs_person_dept_name"), thisUser.prs_afdeling_naam);
|
||||
|
||||
@@ -252,9 +252,9 @@ function fncolAction(oRs)
|
||||
break;
|
||||
}
|
||||
if (icon.match(/^fa-/))
|
||||
return "<i class='fa fa-fw prodicon {0}' title='{1}'></i>".format(icon, safe.htmlattr(hint));
|
||||
return "<i class='fa fa-fw prodicon {0}' title='{1}'></i>".format(safe.htmlattr(icon), safe.htmlattr(hint));
|
||||
else
|
||||
return "<img class='details prodimg' src='" + icon + "' title='"+ safe.htmlattr(hint) + "'>";
|
||||
return "<img class='details prodimg' src='" + safe.htmlattr(icon) + "' title='"+ safe.htmlattr(hint) + "'>";
|
||||
}
|
||||
|
||||
function fncolProduct(oRs)
|
||||
|
||||
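Review bot: In the `fa-` branch `icon` becomes a class token, and `safe.htmlattr(icon)` only neutralises quotes and angle brackets — assuming it does not strip whitespace, a value such as `fa-user other-class` still injects extra class names into the element. Since the branch already gates on `icon.match(/^fa-/)`, tightening that gate to the token shape, `if (/^fa-[\w-]+$/.test(icon))`, rejects anything that is not a single icon class and turns the escape into a backstop rather than the only check. The `else` branch now escapes the `src` value, which handles attribute breakout but not the URL scheme; if `icon` can originate from user-controlled data, a prefix check against the image path the application serves from is the complementary control. `fncolAction` starts outside the hunk.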
@@ -679,7 +679,7 @@ function opdr_plan(params)
|
||||
{ // Toegewezen.
|
||||
var thisUser = new Perslid(prs_key); // geeft ook handige informatie
|
||||
%> <tr>
|
||||
<td rowspan="2" class='profile'><img id='photo' class='profile' src='<%=thisUser.photoinfo().photopaththumb %>'></td>
|
||||
<td rowspan="2" class='profile'><img id='photo' class='profile' src='<%=safe.htmlattr(thisUser.photoinfo().photopaththumb) %>'></td>
|
||||
<td><span class="readonly cardname"><%=safe.html(uitv_naam)%><br><%=safe.html(behandelaar)%></span></td>
|
||||
</tr>
|
||||
<tr>
|
||||
@@ -693,7 +693,7 @@ function opdr_plan(params)
|
||||
break;
|
||||
case "PI": var thisUser = new Perslid(uitv_key); // geeft ook handige informatie
|
||||
%> <tr>
|
||||
<td rowspan="2" class='profile'><img id='photo' class='profile' src='<%=thisUser.photoinfo().photopaththumb %>'></td>
|
||||
<td rowspan="2" class='profile'><img id='photo' class='profile' src='<%=safe.htmlattr(thisUser.photoinfo().photopaththumb) %>'></td>
|
||||
<td><span class="readonly cardname"><%=safe.html(thisUser.naam())%></span></td>
|
||||
</tr>
|
||||
<tr>
|
||||
|
||||
@@ -119,7 +119,7 @@ function FOOTER(params)
|
||||
if (params.thisuser)
|
||||
{
|
||||
%> <a href="<%=rooturl%>/appl/pda/user_info.asp" data-ajax="false">
|
||||
<img id="photo" src="<%=params.thisuser.photopath%>" class="footerphoto">
|
||||
<img id="photo" src="<%=safe.htmlattr(params.thisuser.photopath)%>" class="footerphoto">
|
||||
</a>
|
||||
<% }
|
||||
%> </div> <%
|
||||
|
||||
@@ -207,7 +207,7 @@ if (prs_key > 0) // Fotoblokje alleen bij bestaande records
|
||||
{
|
||||
%><span class='fa fa-edit fa-lg button' title='<%=L("lcl_change")%>' onclick='edit_photo(this)'></span><%
|
||||
}
|
||||
Response.write("</td><td class='profile'><img id='photo' class='profile' src='" + thisUser.photoinfo().photopaththumb + "'></td></tr>");
|
||||
Response.write("</td><td class='profile'><img id='photo' class='profile' src='" + safe.htmlattr(thisUser.photoinfo().photopaththumb) + "'></td></tr>");
|
||||
}
|
||||
manRWFIELD("prs_naam", "fld", L("lcl_prs_person_name"), prs_naam, {required: true, maxlength: 60});
|
||||
var sql = "SELECT 0, "+safe.quoted_sql(L("lcl_prs_person_geslachtV"))+" FROM DUAL UNION ALL"
|
||||
|
||||
@@ -25,7 +25,6 @@ var prsauthparams = prs.checkAutorisation(prs_key);
|
||||
user.auth_required_or_abort(prsauthparams.writeman || prsauthparams.writeuse || prsauthparams.writeself);
|
||||
|
||||
var thisUser = new Perslid(prs_key); // geeft ook alle informatie
|
||||
thisUser.photoinfo().photopath;
|
||||
|
||||
sql = "SELECT prs_perslid_key"
|
||||
+ " , prs_perslidwerkplek_bezetting"
|
||||
|
||||
@@ -419,7 +419,7 @@ var met_foto = getQParam("pb_photo","off")=="on";
|
||||
if (outputmode == 3) // XML
|
||||
return thisPrsFoto.photopaththumb;
|
||||
|
||||
var html = "<img id='photo' src='"+thisPrsFoto.photopaththumb +"'>";
|
||||
var html = "<img id='photo' src='"+safe.htmlattr(thisPrsFoto.photopaththumb) +"'>";
|
||||
return html;
|
||||
}
|
||||
|
||||
|
||||
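Review bot: The XML branch `return thisPrsFoto.photopaththumb;` two lines above the change still returns the value unescaped, while only the HTML branch gained `safe.htmlattr`; whether the caller escapes it when serialising the XML is not visible in this hunk. If it does not, the same characters that motivated this commit break the XML output there too, so either escape at that return with whatever XML-safe helper `safe` provides, or document the contract on that line: `// raw value: the caller is responsible for XML-escaping this`. The enclosing function starts outside the hunk.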
@@ -250,7 +250,7 @@ var prs_user = new Perslid(prs_key);
|
||||
<div id="show">
|
||||
<form name=u2>
|
||||
<% BLOCK_START("prsPerslid", L("lcl_prs_basisblok"));
|
||||
Response.write("<tr><td></td><td class='profile'><img id='photo' class='profile' src='" + thisPrs.photopaththumb + "'></td></tr>");
|
||||
Response.write("<tr><td></td><td class='profile'><img id='photo' class='profile' src='" + safe.htmlattr(thisPrs.photopaththumb) + "'></td></tr>");
|
||||
|
||||
var params = { infoPointer: { Url: "appl/shared/status_info.asp?urole=fo&prs_key=" + prs_key,
|
||||
Title: L("lcl_status_details") + " " + thisPrs.naam }};
|
||||
|
||||