N°4361 - XSS in csvimport on develop
accognet committed Oct 19, 2021
1 parent 88fda14 commit c8f3d23
Showing 1 changed file with 4 additions and 6 deletions.
10 changes: 4 additions & 6 deletions pages/csvimport.php
Expand Up @@ -233,8 +233,7 @@ function ProcessCSVData(WebPage $oPage, $bSimulate = true)
{
$sClassName = utils::ReadParam('class_name', '', false, 'class');
// Class access right check for the import
if (UserRights::IsActionAllowed($sClassName, UR_ACTION_MODIFY) == UR_ALLOWED_NO)
{
if (UserRights::IsActionAllowed($sClassName, UR_ACTION_MODIFY) == UR_ALLOWED_NO) {
throw new CoreException(Dict::S('UI:ActionNotAllowed'));
}

Expand All @@ -245,8 +244,7 @@ function ProcessCSVData(WebPage $oPage, $bSimulate = true)
$sTextQualifier = utils::ReadParam('text_qualifier', '"', false, 'raw_data');
$bHeaderLine = (utils::ReadParam('header_line', '0') == 1);
$iSkippedLines = 0;
if (utils::ReadParam('box_skiplines', '0') == 1)
{
if (utils::ReadParam('box_skiplines', '0') == 1) {
$iSkippedLines = utils::ReadParam('nb_skipped_lines', '0');
}
$aFieldsMapping = utils::ReadParam('field', array(), false, 'raw_data');
Expand Down Expand Up @@ -1150,7 +1148,7 @@ function SelectOptions(WebPage $oPage)
$sCSVData = $oDocument->GetData();
}
break;

default:
$sCSVData = utils::ReadPostedParam('csvdata', '', 'raw_data');
}
Expand Down Expand Up @@ -1515,7 +1513,7 @@ function Welcome(iTopWebPage $oPage)
$oTabPaste->AddSubBlock($oFormPaste);


$sCSVData = utils::ReadParam('csvdata', '', false, 'raw_data');
$sCSVData = utils::ReadParam('csvdata', '', false, utils::ENUM_SANITIZATION_FILTER_STRING);
$oTextarea = new TextArea('csvdata', $sCSVData, '', 120, 30);
$oFieldPaste = FieldUIBlockFactory::MakeFromObject(Dict::S('UI:CSVImport:PasteData'), $oTextarea);
$oFormPaste->AddSubBlock($oFieldPaste);
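Review bot: The XSS fix on the `$sCSVData = utils::ReadParam('csvdata', '', false, utils::ENUM_SANITIZATION_FILTER_STRING);` line sanitizes the value at read time, but the underlying defect is that a user-controlled value reaches the textarea without HTML encoding, so the more robust fix is to escape at the rendering boundary, e.g. `$oTextarea = new TextArea('csvdata', htmlspecialchars($sCSVData, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'), '', 120, 30);`, unless TextArea already encodes its value (worth confirming before adding it, to avoid double encoding). If ENUM_SANITIZATION_FILTER_STRING strips tags or rewrites quote characters, legitimate CSV content containing `<`, `>` or quotes that is posted back to this page will be silently altered before the user sees it, which a regression test posting such a payload through Welcome and asserting both "not rendered as markup" and "textarea content round-trips" would pin down. The same parameter is still read with `'raw_data'` in SelectOptions (the `utils::ReadPostedParam('csvdata', '', 'raw_data')` line), as are `text_qualifier` and `field` in ProcessCSVData; that is appropriate for parsing, but any place those raw values are echoed into the page needs the same output encoding rather than relying on this one call site. A short why-comment on the changed line, such as `// Sanitized: this value is echoed back into the textarea (N°4361)`, would stop a later refactor from reverting it to raw_data. Welcome's body begins and ends outside the hunk.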
