Fix to XSS in the template creation process
iglocska committed Jul 1, 2015
1 parent 415d851 commit 812ac87
Showing 3 changed files with 8 additions and 2 deletions.
2 changes: 1 addition & 1 deletion app/View/Templates/add.ctp
Expand Up @@ -56,7 +56,7 @@ var selectedTags = [];
var allTags = [
<?php
foreach ($tagInfo as $tag) {
echo "{'id' : '" . $tag['Tags']['id'] . "', 'name' : '" . $tag['Tags']['name'] . "', 'colour' : '" . $tag['Tags']['colour'] . "'},";
echo "{'id' : '" . h($tag['Tags']['id']) . "', 'name' : '" . h($tag['Tags']['name']) . "', 'colour' : '" . h($tag['Tags']['colour']) . "'},";
}
?>
];
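Review bot: The new line applies h() (HTML-entity encoding) to values that are emitted into single-quoted JavaScript string literals inside a script block, which is the wrong encoder for that context: entities are not decoded inside a script element, so a tag name containing an apostrophe presumably reaches the page as a literal `&#039;` (assuming h() encodes single quotes, as CakePHP's does), and a backslash is left untouched, so a trailing backslash in a name still swallows the closing quote and breaks the array syntax. The context-correct fix is to build the array in PHP and emit it as JSON, e.g. `var allTags = <?php echo json_encode(array_map(function ($tag) { return array('id' => $tag['Tags']['id'], 'name' => $tag['Tags']['name'], 'colour' => $tag['Tags']['colour']); }, $tagInfo), JSON_HEX_TAG); ?>;`, which escapes quotes and backslashes for JavaScript and, with JSON_HEX_TAG, keeps a closing script tag from terminating the block. The same line appears in the edit.ctp hunk below and should get the same treatment. The enclosing script block begins outside the hunk, so check that no other caller depends on the single-quoted object form.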
2 changes: 1 addition & 1 deletion app/View/Templates/edit.ctp
Expand Up @@ -63,7 +63,7 @@ var selectedTags = [
var allTags = [
<?php
foreach ($tagInfo as $tag) {
echo "{'id' : '" . $tag['Tags']['id'] . "', 'name' : '" . $tag['Tags']['name'] . "', 'colour' : '" . $tag['Tags']['colour'] . "'},";
echo "{'id' : '" . h($tag['Tags']['id']) . "', 'name' : '" . h($tag['Tags']['name']) . "', 'colour' : '" . h($tag['Tags']['colour']) . "'},";
}
?>
];
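--- a/app/webroot/js/ajaxification.js
+++ b/app/webroot/js/ajaxification.js
@@ -904,7 +904,13 @@ function templateFileHiddenAdd(files, element_id, batch) {
 }
 }
 
+function htmlEncode(value){
+return $('<div/>').text(value).html();
+}
+
 function templateAddFileBubble(element_id, iframe, filename, tmp_name, batch) {
+filename = htmlEncode(filename);
+tmp_name = htmlEncode(tmp_name);
 if (batch == 'no') {
 if (iframe == true) {
 $('#filenames_' + element_id, window.parent.document).html('<div id ="' + tmp_name + '_container" class ="template_file_box_container"><span class="tagFirstHalf template_file_box">' + filename + '</span><span onClick="templateDeleteFileBubble(\'' + filename + '\', \'' + tmp_name + '\', \'' + element_id + '\', \'normal\', \'no\');" class="tagSecondHalf useCursorPointer">x</span></div>');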
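Review bot: htmlEncode() as added encodes only `&`, `<` and `>` (jQuery's .html() reads innerHTML, which does not encode quotes in text nodes), yet the encoded filename and tmp_name are still spliced on the last hunk line into a single-quoted JavaScript literal inside an `onClick` attribute, where a `"` ends the attribute and a `'` ends the literal; encoding quotes as entities would not close the gap either, because the browser decodes attribute entities before parsing the handler as JavaScript. element_id is interpolated unencoded as well, though it may be trusted — worth confirming. The robust fix is to stop building markup from strings here: construct the bubble with jQuery element creation, set the filename via .text(), and bind the delete handler as a closure, which also makes the htmlEncode() pre-pass unnecessary (keeping it would double-encode the displayed name). Note that a bound handler runs in the iframe's script scope rather than the parent document's, so verify templateDeleteFileBubble resolves there or bind it via window.parent. templateAddFileBubble continues past the hunk, and the remaining branches presumably build the same markup and need the same change.
```javascript
function templateAddFileBubble(element_id, iframe, filename, tmp_name, batch) {
	// … unchanged: batch / iframe branching …
			var bubble = $('<div/>', { id: tmp_name + '_container', 'class': 'template_file_box_container' })
				.append($('<span/>', { 'class': 'tagFirstHalf template_file_box' }).text(filename))
				.append($('<span/>', { 'class': 'tagSecondHalf useCursorPointer' }).text('x').on('click', function () {
					templateDeleteFileBubble(filename, tmp_name, element_id, 'normal', 'no');
				}));
			$('#filenames_' + element_id, window.parent.document).empty().append(bubble);
	// … unchanged: remaining branches …
```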
