Commit
Fixed issue: [security] Minor XSS issue in plugin overview - reported by Podalirius (podalirius.net/en/)
Showing 1 changed file with 12 additions and 14 deletions.
@@ -2,8 +2,7 @@ | |
<div class='pagetitle h3'><?php eT('Confirm uploaded plugin'); ?></div> | ||
|
||
<?php // Only show config summary if config could be found. ?> | ||
<?php if (isset($config)): ?> | ||
|
||
<?php if (isset($config)) : ?> | ||
<?php echo CHtml::form( | ||
Yii::app()->getController()->createUrl( | ||
'/admin/pluginmanager', | ||
|
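Review bot: the only change in this hunk is whitespace, `<?php if (isset($config)): ?>` becoming `<?php if (isset($config)) : ?>` plus one dropped blank line, so it carries no part of the XSS fix. Bundling coding-standard reformatting into a commit labelled [security] enlarges the diff that a reviewer, or whoever backports this to a release branch, has to read to find the actual escaping change; consider moving the style-only hunks into a separate commit.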
@@ -16,14 +15,14 @@ | |
|
||
<input type="hidden" name="isUpdate" value="<?php echo json_encode($isUpdate); ?>" /> | ||
|
||
<?php if ($isUpdate): ?> | ||
<?php if ($isUpdate) : ?> | ||
<div class='alert alert-info'> | ||
<p> | ||
<i class='fa fa-info'></i> | ||
<?php eT('The following plugin will be updated. Please click "Update" to update the plugin, or "Abort" to abort.'); ?> | ||
</p> | ||
</div> | ||
<?php else: ?> | ||
<?php else : ?> | ||
<div class='alert alert-info'> | ||
<p> | ||
<i class='fa fa-info'></i> | ||
|
@@ -35,33 +34,33 @@ | |
<!-- Name --> | ||
<div class="form-group col-sm-12"> | ||
<label class="col-sm-4 control-label"><?php eT("Name:"); ?></label> | ||
<div class="col-sm-4"><?php echo $config->getName(); ?></div> | ||
<div class="col-sm-4"><?=htmlentities($config->getName()); ?></div> | ||
</div> | ||
|
||
<!-- Description --> | ||
<div class="form-group col-sm-12"> | ||
<label class="col-sm-4 control-label"><?php eT("Description:"); ?></label> | ||
<div class="col-sm-8"><?php echo $config->getDescription(); ?></div> | ||
<div class="col-sm-8"><?=htmlentities($config->getDescription()); ?></div> | ||
|
||
</div> | ||
|
||
<!-- Version --> | ||
<div class="form-group col-sm-12"> | ||
<label class="col-sm-4 control-label"><?php eT("Version:"); ?></label> | ||
<div class="col-sm-4"><?php echo $config->getVersion(); ?></div> | ||
<div class="col-sm-4"><?=htmlentities($config->getVersion()); ?></div> | ||
</div> | ||
|
||
<!-- Author --> | ||
<div class="form-group col-sm-12"> | ||
<label class="col-sm-4 control-label"><?php eT("Author:"); ?></label> | ||
<div class="col-sm-4"><?php echo $config->getAuthor(); ?></div> | ||
<div class="col-sm-4"><?=htmlentities($config->getAuthor()); ?></div> | ||
</div> | ||
|
||
<!-- Compatible --> | ||
<div class="form-group col-sm-12"> | ||
<label class="col-sm-4 control-label"><?php eT("Compatible"); ?></label> | ||
<?php if ($config->isCompatible()): ?> | ||
<?php if ($config->isCompatible()) : ?> | ||
<div class="col-sm-4"><span class="fa fa-check text-success"></span></div> | ||
<?php else: ?> | ||
<?php else : ?> | ||
<div class="col-sm-4"><span class="fa fa-times text-warning"></span></div> | ||
<?php endif; ?> | ||
</div> | ||
|
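Review bot: `htmlentities()` is called with no flags and no charset on the four new lines (`<?=htmlentities($config->getName()); ?>` and the description, version and author equivalents). Before PHP 8.1 the default flag set is ENT_COMPAT, which leaves single quotes unencoded; that is enough here because every value lands in element content between `<div>` tags rather than in an attribute, but the view already uses Yii's `CHtml` (`CHtml::form` in the first hunk), and `CHtml::encode($config->getName())` would apply ENT_QUOTES and the application charset consistently with the rest of the views. The hunk also mixes the `<?=` short echo tag with the `<?php echo` / `<?php eT(...)` style on the surrounding lines; pick one. Finally, escaping the description treats it as plain text, so any markup a plugin author put in `config.xml` will now render as literal tags; if markup in descriptions is meant to be supported, the alternative is an allowlist sanitizer such as Yii's `CHtmlPurifier` rather than dropping the escaping.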
@@ -70,9 +69,9 @@ | |
<div class="form-group col-sm-12"> | ||
<label class="col-sm-4 control-label"></label> | ||
<div class="col-sm-4"> | ||
<?php if ($isUpdate): ?> | ||
<?php if ($isUpdate) : ?> | ||
<input type="submit" class="btn btn-success" value="<?php eT("Update");?>" /> | ||
<?php else: ?> | ||
<?php else : ?> | ||
<input type="submit" class="btn btn-success" value="<?php eT("Install");?>" /> | ||
<?php endif; ?> | ||
<a href="<?php echo $abortUrl; ?>" class="btn btn-warning" data-dismiss="modal"><?php eT("Abort");?></a> | ||
|
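Review bot: the unchanged context line `<a href="<?php echo $abortUrl; ?>" class="btn btn-warning" ...>` echoes `$abortUrl` into an attribute with no encoding, while the commit's purpose is to escape this view's output. How `$abortUrl` is built is not visible in the diff; if it comes from `createUrl()` the value is server-generated and an unescaped `&` is at worst malformed HTML, but wrapping it as `CHtml::encode($abortUrl)` in the same commit would make the attribute context safe regardless of how the controller assembles it. The `if ($isUpdate):` / `else:` lines in this hunk are spacing-only.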
@@ -81,8 +80,7 @@ | |
|
||
</form> | ||
|
||
<?php else: ?> | ||
|
||
<?php else : ?> | ||
<div class='alert alert-warning'> | ||
<p> | ||
<i class='fa fa-warning'></i> | ||
|
2 comments on commit f7b3561
Can we have the Mantis issue here?
Need discussion …
<description><![CDATA[New function for expression manager to count some statictics data : <ul> |
<description><![CDATA[Adds SEED and other database variable in ExpressionScript Engine. <a href="https://manual.limesurvey.org/ExpressionFixedDbVar">More information in LimeSurvey manual.</a>]]></description> |
Hu … some plugins have HTML or markdown in their description.
Since this plugin part is PHP system code and cannot be updated by a simple user, I really think it's a bad idea …