EZP-22539: XSS in admin interface

ezsystems · Jun 30, 2014 · 093f66f · 093f66f
1 parent 3e3e098
commit 093f66f
Show file tree

Hide file tree

Showing 4 changed files with 5 additions and 5 deletions.
diff --git a/design/standard/templates/ezoe/upload_files.tpl b/design/standard/templates/ezoe/upload_files.tpl
@@ -84,7 +84,7 @@ tinyMCEPopup.onInit.add( function(){
                         </tr>
                         {foreach $grouped_related_contentobjects.files as $file sequence array( bglight, bgdark ) as $sequence}
                             <tr class="{$sequence}">
-                                <td class="name">{$file.object.class_name|class_icon( small, $file.object.class_name )}&nbsp;<a href="JavaScript:eZOEPopupUtils.selectByEmbedId( {$file.object.id} )">{$file.object.name|wash|shorten( 35 )}</a></td>
+                                <td class="name">{$file.object.class_name|class_icon( small, $file.object.class_name )}&nbsp;<a href="JavaScript:eZOEPopupUtils.selectByEmbedId( {$file.object.id|wash('javascript')} )">{$file.object.name|wash|shorten( 35 )}</a></td>
                                 <td class="filetype">{$file.object.data_map.file.content.mime_type|wash}</td>
                                 <td class="filesize">{$file.object.data_map.file.content.filesize|si( byte )}</td>
                             </tr>

diff --git a/design/standard/templates/ezoe/upload_images.tpl b/design/standard/templates/ezoe/upload_images.tpl
@@ -96,7 +96,7 @@ eZOEPopupUtils.settings.browseClassGenerator = function( n, hasImage ){
                     {foreach $grouped_related_contentobjects.images as $img}
 
                     <div class="image-thumbnail-item">
-                        <a title="{$img.object.name|wash}" href="JavaScript:eZOEPopupUtils.selectByEmbedId( {$img.object.id} )" class="contenttype_image">
+                        <a title="{$img.object.name|wash}" href="JavaScript:eZOEPopupUtils.selectByEmbedId( {$img.object.id|wash('javascript')} )" class="contenttype_image">
                         {attribute_view_gui attribute=$img.object.data_map[ $img.image_attribute ] image_class=small}
                         </a>
                     </div>

diff --git a/modules/ezoe/relations.php b/modules/ezoe/relations.php
@@ -97,7 +97,7 @@
 
 if ( !$embedObject instanceof eZContentObject || !$embedObject->canRead()  )
 {
-   echo ezpI18n::tr( 'design/standard/ezoe', 'Invalid parameter: %parameter = %value', null, array( '%parameter' => 'EmbedID', '%value' => $Params['EmbedID'] ) );
+   echo ezpI18n::tr( 'design/standard/ezoe', 'Invalid parameter: %parameter = %value', null, array( '%parameter' => 'EmbedID', '%value' => (int)$Params['EmbedID'] ) );
    eZExecution::cleanExit();
 }
 

diff --git a/modules/ezoe/upload.php b/modules/ezoe/upload.php
@@ -117,7 +117,7 @@
     if ( $uploadedOk )
     {
         $newObject = $result['contentobject'];
-        $newObjectID = $newObject->attribute( 'id' );
+        $newObjectID = (int)$newObject->attribute( 'id' );
         $newObjectName = $newObject->attribute( 'name' );
         $newObjectNodeID = (int) $newObject->attribute( 'main_node_id' ); // this will be empty if object is stopped by approve workflow
 
@@ -173,7 +173,7 @@
 
         $object->addContentObjectRelation( $newObjectID, $objectVersion, 0, eZContentObject::RELATION_EMBED );
         echo '<html><head><title>HiddenUploadFrame</title><script type="text/javascript">';
-        echo 'window.parent.eZOEPopupUtils.selectByEmbedId( ' . $newObjectID . ', ' . $newObjectNodeID . ', "' . $newObjectName . '" );';
+        echo 'window.parent.eZOEPopupUtils.selectByEmbedId( ' . $newObjectID . ', ' . $newObjectNodeID . ', "' . json_encode( $newObjectName ) . '" );';
         echo '</script></head><body></body></html>';
     }
     else