FCLT#72831 XSS preventie; her-commit van r 56078 en 56084 maar dan in 2022.3

svn path=/Website/trunk/; revision=56090
2022-06-02 09:48:05 +00:00
parent 24f784c1ff
commit ee8af257f9
20 changed files with 67 additions and 66 deletions


@@ -189,7 +189,7 @@ else
<% FCLTHeader.Generate() %>
<script type="text/javascript">
var titel = "<%=titel%>";
var titel = "<%=safe.jsstring(titel)%>";
$(function()
{
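Review bot: The value on the new `var titel = "<%=safe.jsstring(titel)%>";` line is emitted inside an inline `<script>` block, so `safe.jsstring` must also neutralise a `</script>` sequence (encoding `<` and `/` as hex or backslash escapes), otherwise a string-literal escape alone does not stop the HTML parser from ending the script early. The helper's implementation is not in this commit, so this is a check rather than a defect. The same pattern recurs in the two `FcltMgr.alert` calls on the environment page and in the `var prefix` script block later in this commit, so one confirmation covers all of them. The enclosing page code starts and ends outside the hunk.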


@@ -200,7 +200,7 @@ function bez_edit_bezoekers(afspraak_key, afspraak_begin, afspraak_eind, loc_key
<% if (!params.contactonly && (S("bez_sel_contactpersoon") > 0 || S("bez_sel_internpersoon") == 1))
{ %>
<td align="center">
<span onclick="selectPerson(<%=next_vis%>)" title="<%=titel%>"><%=I("fa-user", { fastyle: "fas" })%></span>
<span onclick="selectPerson(<%=next_vis%>)" title="<%=safe.htmlattr(titel)%>"><%=I("fa-user", { fastyle: "fas" })%></span>
</td>
<% } else if (params.contactonly && S("bez_sel_contactpersoon") > 0) { %>
<td>
@@ -418,7 +418,7 @@ function bez_edit_bezoekers(afspraak_key, afspraak_begin, afspraak_eind, loc_key
<% if (!params.contactonly && (S("bez_sel_contactpersoon") > 0 || S("bez_sel_internpersoon") == 1))
{ %>
cell = ih.insertCell(-1);
cell.innerHTML = "<span OnClick='selectPerson(" + next_vis + ")' title='<%=titel%>'>" + I("fa-user", { fastyle: "fas" }) + "</span>";
cell.innerHTML = "<span OnClick='selectPerson(" + next_vis + ")' title='<%=safe.htmlattr(titel)%>'>" + I("fa-user", { fastyle: "fas" }) + "</span>";
cell.align = 'center';
<% } else if (params.contactonly && S("bez_sel_contactpersoon") > 0) { %>
cell = ih.insertCell(-1);
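Review bot: On the `cell.innerHTML = ...` line the encoded title sits inside a JavaScript string literal that is only afterwards parsed as HTML, so the two encodings need to be layered from the inside out: `title='<%=safe.jsstring(safe.htmlattr(titel))%>'`. With `safe.htmlattr` alone, backslash escape sequences in `titel` are decoded by the JS parser after the HTML encoding has run, so characters the helper removed can reappear in the markup. The attribute is also single-quoted, so the helper must encode `'` as well as `"`; the `value='...'` hidden input in the fac_preview_xsl form and the `menupinned` span in CreateItems use the same single-quote style, so one confirmation of the helper's character set covers all three. bez_edit_bezoekers continues outside the hunk.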


@@ -150,7 +150,7 @@ FCLTHeader.Requires({ js: ["jquery.js"] });
MMap.Refresh(true); // Try to zoom extents
}
</script>
<title><%=titel%></title>
<title><%=safe.html(titel)%></title>
</head>
<body class='modal' id='docBody' onLoad='javascript:init();'>


@@ -55,7 +55,7 @@ var titel = L("lcl_graphics") + " " + oRs("alg_locatie_code").Value + "-"
MMap.Refresh(true); // Try to zoom extents
}
</script>
<title><%=titel%></title>
<title><%=safe.html(titel)%></title>
</head>
<body id='docBody' onLoad='javascript:init();'>


@@ -144,7 +144,7 @@ if (xmlnode) // safety check
var f = fso.GetFile(xslsheet);
teaser = teaser.format(toDateTimeString(new Date(f.DateLastModified)));
%> <tr>
<td colspan="2"><%=teaser%></td>
<td colspan="2"><%=safe.html(teaser)%></td>
</tr>
<tr>
<td colspan="2">
@@ -169,7 +169,7 @@ if (xmlnode) // safety check
<form name="xslview" action="fac_preview_xsl.asp" target='RapPreview' id="xslview">
<tr>
<td class="label">
<input type='hidden' name='xmlnode' value='<%=xmlnode%>'>
<input type='hidden' name='xmlnode' value='<%=safe.htmlattr(xmlnode)%>'>
<label class="label" for="key"><%=L("lcl_xsledit_key")%></label>
</td>
<td>


@@ -126,7 +126,7 @@ oRs.Close();
</head>
<body class="modal" id="localebody">
<% MODAL_START(); %>
<form id="lclform" name="lclform" action="fac_locale_data.asp?submit=1&kolomnaam=<%=kolomnaam%>&kolomkeyval=<%=kolomkeyval%>" method="post">
<form id="lclform" name="lclform" action="fac_locale_data.asp?submit=1&kolomnaam=<%=safe.url(kolomnaam)%>&kolomkeyval=<%=kolomkeyval%>" method="post">
<%
MODAL_BLOCK_START("mldReject", lbl);
@@ -177,9 +177,9 @@ function langlabel(code)
else
{ %>
<tr>
<td class="label"><label for="<%=fldname%>"><nobr><%=langlabel(oRs("fac_locale_lang").Value)%></nobr></label></td>
<td class="label"><label for="<%=safe.htmlattr(fldname)%>"><nobr><%=langlabel(oRs("fac_locale_lang").Value)%></nobr></label></td>
<td>
<textarea class="fldtxt" name="<%=fldname%>" rows="3"><%=safe.textarea(oRs("fac_locale_tekst").Value)%></textarea>
<textarea class="fldtxt" name="<%=safe.htmlattr(fldname)%>" rows="3"><%=safe.textarea(oRs("fac_locale_tekst").Value)%></textarea>
</td>
</tr>
<% }
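Review bot: In the new `action="fac_locale_data.asp?submit=1&kolomnaam=<%=safe.url(kolomnaam)%>&kolomkeyval=<%=kolomkeyval%>"` only the first query parameter is encoded; unless `kolomkeyval` is guaranteed numeric upstream (not visible here) it should get the same treatment, `&kolomkeyval=<%=safe.url(kolomkeyval)%>`. The fac_locale_dialect.asp form action in the next file has the same shape, with `dialect_key` and `lang` left raw beside the now-encoded `dialect_id`. Strictly the `&` separators inside an HTML attribute should be `&amp;`; browsers tolerate the bare form, so that part is cosmetic.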


@@ -130,7 +130,7 @@ var term_omschrijving = oRs("descr").Value;
{title: L("lcl_cancel"), icon: "fa-fclt-cancel", action: "FcltMgr.closeDetail(window, { cancel: true } )" }];
IFRAMER_HEADER(L("lcl_lcl_terminologie") + " " + term_label + " " + term_omschrijving, buttons);
%>
<form id="lclform" name="lclform" action="fac_locale_dialect.asp?submit=1&dialect_key=<%=dialect_key%>&dialect_id=<%=dialect_id%>&lang=<%=lang%>" method="post">
<form id="lclform" name="lclform" action="fac_locale_dialect.asp?submit=1&dialect_key=<%=dialect_key%>&dialect_id=<%=safe.url(dialect_id)%>&lang=<%=lang%>" method="post">
<%
BLOCK_START("lcldialect", lang, { icon: "fa-language", wide: true, tablestyle: true });


@@ -104,7 +104,7 @@ function CreateItems(menuItems, pmode, start_collapsed, max_lines)
showtxt += " <span class='guicnt'>({0})</span>".format(guiarr[itm.href]);
}
var unpin = (itm.orggroep == MENU.FAV && pmode != 3 // niet op portal
? "<span class='menupinned' title='" + L("lcl_current_fav_unsave") + "'"
? "<span class='menupinned' title='" + safe.htmlattr(L("lcl_current_fav_unsave")) + "'"
+ " onclick='FcltMgr.stopPropagation(event);FcltMgr.saveFavMenu(this);'"
+ " data-menu-key='" + (itm.menu_key || -1) + "'"
+ " fav_ttl='" + safe.htmlattr(itm.name) + "'>"


@@ -100,7 +100,7 @@ var dumpfile_timestamp = fso.getFile(dumpfile).DateLastModified;
%>
<form id="refreshform" name="refreshform" action="fac_refresh_accept_save.asp">
<% MODAL_BLOCK_START("dbrefresh", L("lcl_fac_refresh_accept"), {icon: "fa-siren-on"}); %>
<input type="hidden" id="batfile" name="batfile" value="<%=refresh_bat%>">
<input type="hidden" id="batfile" name="batfile" value="<%=safe.htmlattr(refresh_bat)%>">
<% ROFIELDTR("fld", L("lcl_fac_refresh_dumpfile"), dumpfile);
RWFIELDTR("emailadr", "fld mailto", L("lcl_fac_refresh_notify"), getUserEmail(), {readonly: (isscheduled?true:false)});
ROFIELDTR("fldfacrefresh", "", isscheduled?L("lcl_fac_refresh_oldschedule").format(customerId, toDateTimeString(scheduled_timestamp)):"", {id: "accept_msg"});
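Review bot: Encoding `refresh_bat` with `safe.htmlattr` on the hidden `batfile` input fixes the markup context, but a hidden field is still client-controlled on the way back, so whatever fac_refresh_accept_save.asp does with the posted `batfile` value it should not assume it equals the path rendered here. The save handler is not part of this commit, so this is a check rather than a defect; if not already the case, the handler should derive or validate the path server-side rather than take it from the form. A server-side comment on this line noting where the posted value is re-validated would make that trust boundary explicit once confirmed.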


@@ -24,7 +24,7 @@ var authparams = user.checkAutorisation(autfunction);
<% FCLTHeader.Generate() %>
</head>
<body>
<% newenv = getQParam('env','X');
<% newenv = getQParamSafe('env', 'X');
if (newenv != 'O' && newenv != 'T' && newenv != 'A' && newenv != 'P')
newenv = 'X';
@@ -35,13 +35,13 @@ var authparams = user.checkAutorisation(autfunction);
{
oRs = Oracle.Execute("UPDATE fac_version SET fac_version_otap = " + safe.quoted_sql(newenv));
%> <script type="text/javascript">
FcltMgr.alert("Facilitor environment set to <%=newenv%> (was <%=oldenv%>)");
FcltMgr.alert("Facilitor environment set to <%=newenv%> (was <%=safe.jsstring(oldenv)%>)");
</script>
<% }
else
{ %>
<script type="text/javascript">
FcltMgr.alert("Facilitor environment is <%=oldenv%>");
FcltMgr.alert("Facilitor environment is <%=safe.jsstring(oldenv)%>");
</script>
<% } %>
</body>


@@ -40,25 +40,26 @@ function createWidget(p_divid, p_title, p_height, p_width, p_url, p_refreshtime)
// more=1 adds an extra container with handles to limit or expand the view
// var more = p_url.indexOf("more=1") > -1;
var more = true;
var safe_divid = p_divid.replace(/[^_a-zA-Z0-9\-]/g, ""); // Anders moeten we wel heel vaak safe.functies aanroepen
if (more)
{
%>
<div class="widgetcontainer" style="width:<%=p_width%>%">
<div class="widgetx" id="<%=p_divid%>" style="width:100%;<%=(p_height ? 'height:' + p_height + 'px;' : '')%>">
<div class="widgetx" id="<%=safe_divid%>" style="width:100%;<%=(p_height ? 'height:' + p_height + 'px;' : '')%>">
<%
}
else
{
%>
<div class="widgetx" id="<%=p_divid%>" style="width:<%=p_width%>%;height:<%=p_height%>px;float:left">
<div class="widgetx" id="<%=safe_divid%>" style="width:<%=p_width%>%;height:<%=p_height%>px;float:left">
<%
}
%>
<div class="widgettitlex"><%=p_title%></div>
<iframe src="<%=p_url%>&title_locked=1" id="<%=p_divid%>frame" name="<%=p_divid%>frame" refresher="<%=p_refreshtime%>"
<iframe src="<%=safe.htmlattr(p_url)%>&title_locked=1" id="<%=safe_divid%>frame" name="<%=safe_divid%>frame" refresher="<%=p_refreshtime%>"
height="<%=(p_height - (p_title ? 20 : 0))%>px" width="100%" marginwidth="0" marginheight="0" frameborder="0" scrolling="no"
onload="<%=(!p_height?'FcltMgr.iframeLoaded(this);':'') + 'iframeIsLoaded(\'iframe#' + p_divid + 'frame\');' %>"
onchange="<%=(more?p_divid+'ChangeEvent();':'')%>"
onload="<%=(!p_height?'FcltMgr.iframeLoaded(this);':'') + 'iframeIsLoaded(\'iframe#' + safe_divid + 'frame\');' %>"
onchange="<%=(more?safe_divid+'ChangeEvent();':'')%>"
>
</iframe>
</div>
@@ -66,7 +67,7 @@ function createWidget(p_divid, p_title, p_height, p_width, p_url, p_refreshtime)
if (more)
{
%>
<div id="<%=p_divid%>carddesc" class="fcltcard carddesc disable-sort-item" style="display:block;width:100%;">
<div id="<%=safe_divid%>carddesc" class="fcltcard carddesc disable-sort-item" style="display:block;width:100%;">
<table class="fcltcardtab" width="100%">
<tbody>
<tr>
@@ -77,7 +78,7 @@ function createWidget(p_divid, p_title, p_height, p_width, p_url, p_refreshtime)
</tbody>
</table>
</div>
<div id="<%=p_divid%>cardasc" class="fcltcard cardasc disable-sort-item" style="display:none;width:100%;">
<div id="<%=safe_divid%>cardasc" class="fcltcard cardasc disable-sort-item" style="display:none;width:100%;">
<table class="fcltcardtab" width="100%">
<tbody>
<tr>
@@ -91,36 +92,36 @@ function createWidget(p_divid, p_title, p_height, p_width, p_url, p_refreshtime)
<script>
function clickDesc(event) {
// set container height to auto, hide carat down and show carat up
$("#<%=p_divid%>").css("height", "auto");
$("#<%=p_divid%>carddesc").css("display", "none");
$("#<%=p_divid%>cardasc").css("display", "block");
$("#<%=safe_divid%>").css("height", "auto");
$("#<%=safe_divid%>carddesc").css("display", "none");
$("#<%=safe_divid%>cardasc").css("display", "block");
}
function clickAsc(event) {
// set container height to initial height, hide carat down and show carat up
$("#<%=p_divid%>").css("height", "<%=p_height%>px");
$("#<%=p_divid%>cardasc").css("display", "none");
$("#<%=p_divid%>carddesc").css("display", "block");
$("#<%=safe_divid%>").css("height", "<%=p_height%>px");
$("#<%=safe_divid%>cardasc").css("display", "none");
$("#<%=safe_divid%>carddesc").css("display", "block");
}
function <%=p_divid%>ChangeEvent(event) {
function <%=safe_divid%>ChangeEvent(event) {
// set div to initial height
$("#<%=p_divid%>").css("height", "<%=p_height%>px");
$("#<%=safe_divid%>").css("height", "<%=p_height%>px");
// set explicit height of frame according to content
$("#<%=p_divid%>frame").css("height", $("body", $("#<%=p_divid%>frame").contents()).height());
$("#<%=safe_divid%>frame").css("height", $("body", $("#<%=safe_divid%>frame").contents()).height());
// hide carats when the content fits within the div's initial height
if ($("#<%=p_divid%>").height() > $("#<%=p_divid%>frame").height())
if ($("#<%=safe_divid%>").height() > $("#<%=safe_divid%>frame").height())
{
$("#<%=p_divid%>carddesc, #<%=p_divid%>cardasc").css("display", "none");
$("#<%=safe_divid%>carddesc, #<%=safe_divid%>cardasc").css("display", "none");
}
else
{
$("#<%=p_divid%>carddesc").css("display", "block");
$("#<%=p_divid%>cardasc").css("display", "none");
$("#<%=safe_divid%>carddesc").css("display", "block");
$("#<%=safe_divid%>cardasc").css("display", "none");
}
}
$("#<%=p_divid%>carddesc td").on("click", clickDesc);
$("#<%=p_divid%>cardasc td").on("click", clickAsc);
$("#<%=safe_divid%>carddesc td").on("click", clickDesc);
$("#<%=safe_divid%>cardasc td").on("click", clickAsc);
// carats default hidden
$("#<%=p_divid%>carddesc, #<%=p_divid%>cardasc").css("display", "none");
$("#<%=safe_divid%>carddesc, #<%=safe_divid%>cardasc").css("display", "none");
</script>
</div>
<%
@@ -128,7 +129,7 @@ function createWidget(p_divid, p_title, p_height, p_width, p_url, p_refreshtime)
%>
<%if (p_refreshtime != -1 && p_refreshtime >= 60){
%><script type='text/javascript'>
setReloadTimer("<%=p_divid%>frame", "<%=safe.jsstring(p_url)%>", <%=p_refreshtime%>);
setReloadTimer("<%=safe_divid%>frame", "<%=safe.jsstring(p_url)%>", <%=p_refreshtime%>);
</script><%
}
}
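Review bot: `<%=p_title%>` on the `widgettitlex` line is still emitted raw while every `p_divid` occurrence around it was rewritten to `safe_divid`; it should become `<div class="widgettitlex"><%=safe.html(p_title)%></div>`. `p_width` and `p_height` likewise go unencoded into the `style` attributes and the `height="..."` calculation; if the caller does not coerce them to numbers (not visible here), a `Number(...)` next to the `safe_divid` line would close that off the same way. Two smaller points on the `safe_divid` line itself: stripping characters rather than rejecting them means two distinct `p_divid` values can collapse onto the same element id (and an all-unsafe id collapses to the empty string), and the explanatory comment is in Dutch, where an English version such as `// keep only [_a-zA-Z0-9-] so the id can be used raw in ids, selectors and a function name` would help the next reader. createWidget starts before the first hunk.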


@@ -80,14 +80,14 @@ FCLTHeader.Requires({plugins:["jQuery"], js: ["jquery-ui.js"]})
while (!oRs.eof)
{
var tekst = oRs("groep").Value + "-" + "<span style='display: inline-block;width:100px'>" + oRs("fac_menu_volgnr").Value + "</span>";
var label = fac.localstring(oRs("label").value);
var safe_label = safe.html(fac.localstring(oRs("label").value));
if (oRs("url").Value == null)
{
label = "<span class='menukop'>" + label + "</span>";
safe_label = "<span class='menukop'>" + safe_label + "</span>";
}
tekst += label;
tekst += safe_label;
%><li volgnr="<%=oRs("fac_menu_volgnr").Value%>" menukey=<%=oRs("fac_menu_key").Value%>><%=tekst%></li><%
%><li volgnr="<%=oRs("fac_menu_volgnr").Value%>" menukey="<%=oRs("fac_menu_key").Value%>"><%=tekst%></li><%
oRs.MoveNext();
}
%>
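Review bot: `oRs("groep").Value` on the `var tekst = ...` line is still concatenated raw into the same `tekst` that is now built from `safe_label`, so the fix covers only the label half of the list item; if `groep` is free text rather than a code (not visible here) it needs `safe.html(oRs("groep").Value)` as well, and the `volgnr=` and `menukey=` attribute values on the `<li>` line are in the same position. Quoting `menukey` was the right call, and the `safe_label` naming is a good convention for marking already-encoded data that is worth extending to `tekst` once everything in it is encoded. The enclosing page code continues outside the hunk.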


@@ -340,7 +340,7 @@ function suggest_box_histogram (titel, histograms, kolom, params)
%>
<table class="filter" width="100%">
<tr><th colspan="2"><%=titel%></th></tr>
<tr><th colspan="2"><%=safe.html(titel)%></th></tr>
<%
var i;
for (i = 0; i < myhist.length && i<=20; i ++)
@@ -369,7 +369,7 @@ function suggest_box_resruimte (titel, histograms, kolom, params)
{
%>
<table class="filter" width="100%">
<tr><th><%=titel%></th></tr>
<tr><th><%=safe.html(titel)%></th></tr>
<tr><td>
<%
FCLTcalendar("date_from",


@@ -92,7 +92,7 @@ while (!oRs_h.eof)
<td colspan="2" class="kpisec_heading"><%=safe.html(h_head_naam)%></td>
</tr>
<tr>
<td class="kpiavg" style="background-color: <%=h_head_kleur%>"><%=h_head_score%></td>
<td class="kpiavg" style="background-color: <%=safe.htmlattr(h_head_kleur)%>"><%=h_head_score%></td>
<td>
<table>
<%
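Review bot: `safe.htmlattr(h_head_kleur)` on the `kpiavg` cell keeps the value inside the `style` attribute but does not constrain it as CSS, so a value containing `;` can still add further declarations to the style; for a colour the stronger fix is to validate rather than encode, for example emitting it only when it matches `/^#[0-9a-fA-F]{3,6}$/` (or a known colour-name list) and falling back to a default otherwise. `h_head_score` on the same line is also raw; if it is a number from the recordset that is fine, otherwise wrap it in `safe.html` as `h_head_naam` above already is. The surrounding loop body continues outside the hunk.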


@@ -213,7 +213,7 @@ reqStatusEmptyOpdr = mld.getActieKenmerkenOpdr(reqStatusEmptyOpdr, opdr_key, {ha
// Text strings used by mld_show_opdr.js
var urole = "<%=urole%>";
var opdr_key = "<%=opdr_key%>";
var prefix = "<%=prefix%>";
var prefix = "<%=safe.jsstring(prefix)%>";
var mld_key = "<%=mld_opdr.mld_key%>";
var volgnr = "<%=mld_opdr.volgnr%>";
var defemail_key = "<%=defemail_key%>";
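Review bot: Only `prefix` on the changed line gets `safe.jsstring`, while `urole`, `opdr_key`, `mld_key`, `volgnr` and `defemail_key` in the same script block are still written raw into JS string literals. Several of these are probably numeric keys, but `urole` at least looks like a role code, and applying the helper uniformly (`var urole = "<%=safe.jsstring(urole)%>";` and so on) removes the need to reason about each one separately. The script block starts and ends outside the hunk.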


@@ -696,7 +696,7 @@ if (urole != "fe" && canWrite)
cls += " mldimpropdruren";
}
%><tr id="<%=idcode%>" class="<%=cls%>">
<td title="<%=ttl1%>"><%= txt %></td>
<td title="<%=safe.htmlattr(ttl1)%>"><%= txt %></td>
<td class="colhandler"><%= safe.html(oRs("naam").Value) %></td>
<td title="<%=safe.htmlattr(ttl)%>"><%= safe.html(oms) %></td>
<%
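Review bot: `<%= txt %>` on the changed `<td title=...>` line is still raw while the two neighbouring cells already wrap their values in `safe.html`; unless `txt` is assembled from already-encoded pieces above the hunk (not visible here), it should be `<%= safe.html(txt) %>`. The `id="<%=idcode%>"` and `class="<%=cls%>"` attributes on the previous line are in the same position, though `cls` is at least partly built from fixed class names. The enclosing loop continues outside the hunk.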


@@ -210,7 +210,7 @@ var buttons = [{ icon: "fa-fclt-save", title: L("lcl_mes_send"), action: 'checkI
%>
<tr>
<td class="label"><label><%=L("lcl_mes_link")%></label></td>
<td colspan="3"><a class="fldmsgurl" href="<%=safe.htmlattr(ilink)%>" target="_blank" rel="noopener noreferrer"><%=ilink%></a></td>
<td colspan="3"><a class="fldmsgurl" href="<%=safe.htmlattr(ilink)%>" target="_blank" rel="noopener noreferrer"><%=safe.html(ilink)%></a></td>
</tr>
<% }
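Review bot: Encoding `ilink` for the anchor text is correct, but on the `href` side `safe.htmlattr` only prevents breaking out of the attribute and does not restrict the URL scheme; if `ilink` can originate from user input (not visible here), the row should only render a link when the value is an http/https URL, e.g. `if (/^https?:\/\//i.test(ilink))`, and show plain text otherwise. `rel="noopener noreferrer"` with `target="_blank"` is already in place, which is good.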


@@ -219,7 +219,7 @@ function looplijst_sql(gebouw_key, datum, met_mld, met_obj, met_cat)
method="post">
<%
var gebouw_key = user.alg_gebouw_key({withcurrent:true});
var sql = looplijst_sql(gebouw_key, datum, met_mld, met_obj, met_cat); // objecten of verbruiksartikele
var sql = looplijst_sql(gebouw_key, datum, met_mld, met_obj, met_cat); // objecten of verbruiksartikelen
CATLIST_START("cat_list", false)
var oRs = Oracle.Execute(sql);
@@ -246,7 +246,7 @@ function looplijst_sql(gebouw_key, datum, met_mld, met_obj, met_cat)
var catobj = (met_obj ? L("lcl_res_daglijst_middelen") : L("lcl_res_daglijst_artikelen"));
%>
<li class="ui-field-contain">
<a href='#' onclick="start_cat('<%=lastLink%>')">
<a href='#' onclick="start_cat('<%=safe.jsstring(lastLink)%>')">
<div>
<p class="ui-li-count ui-li-aside"><%=L("lcl_res_daglijst_geleverd")%>:&nbsp;<%=(oRs("geleverd").Value==1?L("lcl_Yes"):L("lcl_No"))%></p>
<div>
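Review bot: On the `onclick="start_cat('<%=safe.jsstring(lastLink)%>')"` line the value is a JS string literal nested inside an HTML attribute, and the browser decodes the attribute before the JS runs, so the encoding should be layered as `safe.htmlattr(safe.jsstring(lastLink))`. With `safe.jsstring` alone a `"` in `lastLink` still ends the attribute at the HTML level unless the helper already emits hex escapes for quotes, which I cannot confirm from this hunk. The reverse nesting (an HTML attribute inside a JS string) appears on the `cell.innerHTML` line in bez_edit_bezoekers and the `menupinned` span in CreateItems, where the order is `safe.jsstring(safe.htmlattr(...))`. looplijst_sql's page code continues outside the hunk.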


@@ -620,11 +620,11 @@ function CATLIST_ARTIKEL(p_cat_id, params)
var vlabel = "<label class='ed' for='inpb_g_"+p_cat_id + "'> " + L("lcl_res_daglijst_geleverd") + "</label>";
%>
<li class="ui-field-contain">
<img alt="<%=safe.htmlattr(L("lcl_res_article"))%>" src="<%=params.image%>"/>
<img alt="<%=safe.htmlattr(L("lcl_res_article"))%>" src="<%=safe.htmlattr(params.image)%>"/>
<h3 class="c1"><%=safe.html(params.omschrijving)%></h3>
<div style="display: inline-block">
<div class="subheader">
<div class="listbodytext"><%=L("lcl_count")%>:&nbsp<%=params.aantal%></div>
<div class="listbodytext"><%=L("lcl_count")%>:&nbsp;<%=params.aantal%></div>
</div>
<label class='ed' for="inpb_g_<%=p_cat_id%>"><%=L("lcl_res_daglijst_geleverd")%></label>
<input type="checkbox" id="inpb_g_<%=p_cat_id%>" name="inpb_g_<%=p_cat_id%>"
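Review bot: `p_cat_id` is interpolated raw into the `for=`, `id=` and `name=` attributes on the last three lines and into the `vlabel` JS/HTML string on the first line, while `params.image` and the alt text on the same list item are now encoded; if the caller does not guarantee `p_cat_id` is numeric (not visible here) it needs `safe.htmlattr` in each of those places. The `&nbsp` to `&nbsp;` correction is right. CATLIST_ARTIKEL continues outside the hunk.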


@@ -502,7 +502,7 @@ var canAdd = addparams && addparams.ALGwritelevel;
+ (srtdisc_key > -1? "&srtdisc=" + srtdisc_key : "")
+ "&fase=" + fase
+ "&actiecodeFE=" + actiecodeFE
+ (actiecodeATT == "on" ? "&actiecodeATT=" + actiecodeATT : "")
+ (actiecodeATT == "on" ? "&actiecodeATT=on" : "")
+ "&searchtekst=" + safe.urlUTF8(searchtekst)
for (flagkey=0; flagkey < S("mld_melding_flags"); flagkey++)