Merge pull request #12 from gpsietzema/development

Fixed XSS vulnerability #11
Sterc · Mar 9, 2017 · 855d956 · 855d956
2 parents 7970f26 + 27d948d
commit 855d956
Show file tree

Hide file tree

Showing 3 changed files with 16 additions and 16 deletions.
diff --git a/config.core.php b/config.core.php
@@ -1,4 +1,3 @@
 <?php
-define('MODX_CORE_PATH', dirname(dirname(__FILE__)).'/core/');
-define('MODX_CONFIG_KEY', 'config');
-?>
+define('MODX_CORE_PATH', '/var/www/vhosts/modx2/corDvn78h87wvse/');
+define('MODX_CONFIG_KEY', 'config');
diff --git a/core/components/analyticsdashboardwidget/elements/tpl/widget.analytics.tpl b/core/components/analyticsdashboardwidget/elements/tpl/widget.analytics.tpl
@@ -54,7 +54,7 @@
 
 	            <thead>
 	            <tr>
-	                <th>{$_langs.sources}</th>
+	                <th>{$_langs.sources|escape:"html"}</th>
 	                <th>{$_langs.visits}</th>
 	                <th>% {$_langs.new_visits}</th>
 	            </tr>
@@ -64,7 +64,7 @@
 	            {foreach from=$toptrafficsource.rows item=toptraffic}
 		            {if $i == 5}{break}{/if}
 			            <tr class="{cycle values=',odd'}">
-			                    <td>{$toptraffic.0}</td>
+			                    <td>{$toptraffic.0|escape:"html"}</td>
 			                    <td>{$toptraffic.1}</td>
 			                    <td>{$toptraffic.5|number_format:2:",":"."} %</td>
 			            </tr>
@@ -79,7 +79,7 @@
             <table class="classy" style="width: 48%; float:left; margin-right:2%;">
 	            <thead>
 	            <tr>
-	                <th>{$_langs.keywords}</th>
+	                <th>{$_langs.keywords|escape:"html"}</th>
 	                <th>{$_langs.visits}</th>
 	                <th>% {$_langs.new_visits}</th>
 	            </tr>
@@ -91,7 +91,7 @@
 		            {if $keyword.keyword != '(not set)'}
 			            {if $i == 5}{break}{/if}
 			            <tr class="{cycle values=',odd'}">
-				                    <td>{$keyword.0}</td>
+				                    <td>{$keyword.0|escape:"html"}</td>
 				                    <td>{$keyword.1}</td>
 				                    <td>{$keyword.3|number_format:2:",":"."} %</td>
 				            </tr>
@@ -110,7 +110,7 @@
 
             <thead>
             <tr>
-                <th>{$_langs.sources}</th>
+                <th>{$_langs.sources|escape:"html"}</th>
                 <th>{$_langs.visits}</th>
                 <th>{$_langs.pages_visits}</th>
                 <th>{$_langs.average_site_time}</th>
@@ -125,7 +125,7 @@
                  {if $i == 10}{break}{/if}
 
             <tr class="{cycle values=',odd'}">
-                    <td>{$trafficreffered.0}</td>
+                    <td>{$trafficreffered.0|escape:"html"}</td>
                     <td>{$trafficreffered.1}</td>
                     <td>{$trafficreffered.3|number_format:2:",":"."} %</td>
                     <td>{$trafficreffered.4|number_format:2}</td>
@@ -150,7 +150,7 @@
             <table class="classy" style="width: 100%;">
         <thead>
         <tr>
-            <th style="width: 40%;">{$_langs.page}</th>
+            <th style="width: 40%;">{$_langs.page|escape:"html"}</th>
             <th style="width: 20%;">{$_langs.entrances}</th>
             <th style="width: 20%;">{$_langs.bounces}</th>
             <th style="width: 20%;">{$_langs.bounce_rate}</th>
@@ -161,7 +161,7 @@
         {foreach from=$toplandingspages.rows item=toppage}
         {if $i == 10}{break}{/if}
         <tr class="{cycle values=',odd'}">
-                <td>{$toppage.0}</td>
+                <td>{$toppage.0|escape:"html"}</td>
                 <td>{$toppage.1}</td>
                 <td>{$toppage.2}</td>
                 <td>{$toppage.3|number_format:2:",":"."} %</td>
@@ -232,7 +232,7 @@
             <table class="classy" style="width: 100%;">
         <thead>
         <tr>
-            <th>{$_langs.keywords}</th>
+            <th>{$_langs.keywords|escape:"html"}</th>
             <th>{$_langs.visits}</th>
             <th>{$_langs.pages_visits}</th>
             <th>{$_langs.average_site_time}</th>
@@ -246,7 +246,7 @@
          {if $keyword.keyword != '(not set)'}
          {if $i == 20}{break}{/if}
         <tr class="{cycle values=',odd'}">
-                <td>{$keyword.0}</td>
+                <td>{$keyword.0|escape:"html"}</td>
                 <td>{$keyword.1}</td>
                 <td>{$keyword.2|number_format:2:",":"."} %</td>
                 <td>{$keyword.3|number_format:2}</td>
@@ -268,7 +268,7 @@
             <table class="classy" style="width: 100%;">
         <thead>
         <tr>
-            <th>{$_langs.search_keyword}</th>
+            <th>{$_langs.search_keyword|escape:"html"}</th>
             <th>{$_langs.search_uniques}</th>
             <th>{$_langs.search_result_views}</th>
             <th>% {$_langs.search_exits}</th>
@@ -281,7 +281,7 @@
          {foreach from=$sitesearches.rows item=sitesearch}
          {if $i == 20}{break}{/if}
         <tr class="{cycle values=',odd'}">
-                <td>{$sitesearch.0}</td>
+                <td>{$sitesearch.0|escape:"html"}</td>
                 <td>{$sitesearch.1}</td>
                 <td>{$sitesearch.2}</td>
                 <td>{$sitesearch.3|number_format:2:",":"."}  %</td>

diff --git a/core/components/analyticsdashboardwidget/processors/data.php b/core/components/analyticsdashboardwidget/processors/data.php
@@ -14,7 +14,8 @@
 if(isset($analytics)){
 	if($format == 'json'){
 		if(in_array($data, array('trafficsourceschararr', 'mobile', 'goalstable', 'profiles'))){
-			print(json_encode($analytics[$data]));
+		    $data = $analytics[$data];
+			print(json_encode($data));
 		}else{
 			print(json_encode($analytics[$data]['rows']));
 		}