request #27173: XSS via the title of a document
Change-Id: Ibdae4792b76c297bf8d553ab9b37f5ae3d76cb2a
nterray committed Jun 14, 2022
1 parent 8bef8a0 commit c947975
Showing 2 changed files with 10 additions and 3 deletions.
Expand Up @@ -83,7 +83,10 @@ public function getContent()
$itemPerm = $dPm->userCanAccess($user, $docman_id);

if ($itemPerm) {
$html .= '<p><a data-test="document-search-link" href="/plugins/docman/?group_id=' . $res['group_id'] . '&action=details&id=' . $docman_id . '&section=properties">Show &quot;' . $res['title'] . '&quot; Properties</a></p>';
$purifier = Codendi_HTMLPurifier::instance();
$html .= '<p><a data-test="document-search-link" href="/plugins/docman/?group_id=' . urlencode((string) $res['group_id']) . '&action=details&id=' . urlencode((string) $docman_id) . '&section=properties">Show &quot;';
$html .= $purifier->purify($res['title']);
$html .= '&quot; Properties</a></p>';
return $html;
}
}
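Review bot: The `$purifier->purify($res['title'])` call that closes the XSS relies on Codendi_HTMLPurifier's default purification level, which is not visible in this hunk; since this line is the actual fix, the intended treatment should be pinned at the call site, either by passing the escape level explicitly as the second argument or at least with a comment such as `// title is user-controlled: purify() at the default level HTML-escapes it for the link text`, so a later change to the default cannot silently reopen the hole. The `urlencode()` wrappers on `group_id` and `$docman_id` are the right escaping for the query-string context they sit in; note only that the bare `&` separators inside the `href` attribute should strictly be `&amp;`, which browsers tolerate today but which a purifier-driven review would flag. getContent() starts before this hunk and continues after it.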
Expand Up @@ -114,12 +114,16 @@ private function getTable($params)
}
$parent = $dIF->getItemFromDb($item->getParentId());
$content .= '<tr>';
$content .= '<td>' . '<a href="/plugins/docman/?group_id=' . $params['group_id'] . '&action=details&id=' . $item->getId() . '">' . $item->getTitle() . '</a></td>';
$content .= '<td>' . '<a href="/plugins/docman/?group_id=' . urlencode((string) $params['group_id']) . '&action=details&id=' . urlencode((string) $item->getId()) . '">';
$content .= $hp->purify($item->getTitle());
$content .= '</a></td>';
$content .= '<td>';
if ($parent === null || $dIF->isRoot($parent)) {
$content .= '</td>';
} else {
$content .= '<a href="' . $this->defaultUrl . '&action=show&id=' . $parent->getId() . '">' . $parent->getTitle() . '</a></td>';
$content .= '<a href="' . $this->defaultUrl . '&action=show&id=' . urlencode((string) $parent->getId()) . '">';
$content .= $hp->purify($parent->getTitle());
$content .= '</a></td>';
}
$content .= '<td>' . $hp->purify($uH->getDisplayNameFromUserId($row['user_id'])) . '</td>';
$content .= '<td>' . format_date($GLOBALS['Language']->getText('system', 'datefmt'), $row['lock_date']) . '</td>';
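Review bot: On the `else` branch `$this->defaultUrl` is still spliced raw into the `href`, while the id beside it is now urlencoded and both titles are purified, leaving it the one unescaped piece of that link; its construction is outside this hunk, so if it can carry anything taken from the request it needs attribute-context escaping, e.g. `$content .= '<a href="' . $hp->purify($this->defaultUrl) . '&action=show&id=' . urlencode((string) $parent->getId()) . '">';`, and if it is a fixed plugin-built base URL a comment saying so would settle the question for the next reader. The new `$hp->purify(...)` calls on `$item->getTitle()` and `$parent->getTitle()` likewise depend on the purifier's default level, which is not shown here; a one-line comment such as `// document titles are user-controlled; purify() HTML-escapes them for the link text` would record why these are not plain concatenations. As in the other hunk, the `&` separators inside the `href` attributes should strictly be `&amp;`. getTable() begins before this hunk and continues after it, and `$hp` is defined outside it.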
