Merge remote-tracking branch 'basercms-GHSA-395x-wv32-44v5/advisory-f…

…ix-1' into dev-4
baserproject · Nov 24, 2022 · b6f8a54 · b6f8a54
2 parents ed3dae0 + 19d075b
commit b6f8a54
Show file tree

Hide file tree

Showing 10 changed files with 10 additions and 10 deletions.
diff --git a/app/webroot/theme/admin-third/Elements/admin/dblogs/index_row.php b/app/webroot/theme/admin-third/Elements/admin/dblogs/index_row.php
@@ -22,7 +22,7 @@ class="bca-table-listup__tbody-td"
 		<?= Hash::get($row, 'Dblog.id') ?>
 	</td>
 	<td class="bca-table-listup__tbody-td">
-		<?= Hash::get($row, 'Dblog.name') ?>
+		<?= h(Hash::get($row, 'Dblog.name')) ?>
 	</td>
 	<td class="bca-table-listup__tbody-td">
 		<?php if ($row['Dblog']['user_id']): ?>

diff --git a/app/webroot/theme/admin-third/Elements/admin/favorite_menu_row.php b/app/webroot/theme/admin-third/Elements/admin/favorite_menu_row.php
@@ -21,7 +21,7 @@
 	<?php $this->BcBaser->link(
 		'<span class="bca-nav-favorite-list-item-label">' . h($favorite['Favorite']['name']) . '</span>',
 		$favorite['Favorite']['url'],
-		['title' => Router::url($favorite['Favorite']['url'], true)]
+		['title' => h(Router::url($favorite['Favorite']['url'], true))]
 	) ?>
 	<?php echo $this->BcForm->input('Favorite.id.' . $favorite['Favorite']['id'], ['type' => 'hidden', 'value' => $favorite['Favorite']['id'], 'class' => 'favorite-id']) ?>
 	<?php echo $this->BcForm->input('Favorite.name.' . $favorite['Favorite']['id'], ['type' => 'hidden', 'value' => $favorite['Favorite']['name'], 'class' => 'favorite-name']) ?>

diff --git a/app/webroot/theme/admin-third/Elements/admin/permissions/index_row.php b/app/webroot/theme/admin-third/Elements/admin/permissions/index_row.php
@@ -39,7 +39,7 @@
 	<td class="bca-table-listup__tbody-td">
 		<?php $this->BcBaser->link($data['Permission']['name'], ['action' => 'edit', $this->request->params['pass'][0], $data['Permission']['id']], ['escape' => true]) ?>
 		<br>
-		<?php echo $data['Permission']['url']; ?>
+		<?php echo h($data['Permission']['url']); ?>
 	</td>
 	<td class="bca-table-listup__tbody-td"><?php echo $this->BcText->arrayValue($data['Permission']['auth'], [0 => '×', 1 => '〇']) ?></td>
 	<?php echo $this->BcListTable->dispatchShowRow($data) ?>

diff --git a/app/webroot/theme/admin-third/Permissions/admin/form.php b/app/webroot/theme/admin-third/Permissions/admin/form.php
@@ -30,7 +30,7 @@
 			<th class="col-head bca-form-table__label"><?php echo $this->BcForm->label('Permission.user_group_id', __d('baser', 'ユーザーグループ')) ?></th>
 			<td class="col-input bca-form-table__input">
 				<?php $userGroups = $this->BcForm->getControlSource('user_group_id') ?>
-				<?php echo $userGroups[$this->BcForm->value('Permission.user_group_id')] ?>
+				<?php echo h($userGroups[$this->BcForm->value('Permission.user_group_id')]) ?>
 				<?php echo $this->BcForm->input('Permission.user_group_id', ['type' => 'hidden']) ?>
 			</td>
 		</tr>

diff --git a/app/webroot/theme/admin-third/Users/admin/form.php b/app/webroot/theme/admin-third/Users/admin/form.php
@@ -100,7 +100,7 @@ class="helptext"><?php echo __d('baser', 'ニックネームを設定してい
 					<div id="helptextUserGroupId"
 						 class="helptext"><?php echo sprintf(__d('baser', 'ユーザーグループごとにコンテンツへのアクセス制限をかける場合などには%sより新しいグループを追加しアクセス制限の設定をおこないます。'), $this->BcBaser->getLink(__d('baser', 'ユーザーグループ管理'), ['controller' => 'user_groups', 'action' => 'index'])) ?></div>
 				<?php else: ?>
-					<?php echo $this->BcText->arrayValue($this->request->data['User']['user_group_id'], $userGroups) ?>
+					<?php echo h($this->BcText->arrayValue($this->request->data['User']['user_group_id'], $userGroups)) ?>
 					<?php echo $this->BcForm->input('User.user_group_id', ['type' => 'hidden']) ?>
 				<?php endif ?>
 			</td>

diff --git a/lib/Baser/View/Elements/admin/dblogs/index_row.php b/lib/Baser/View/Elements/admin/dblogs/index_row.php
@@ -22,7 +22,7 @@ class="bca-table-listup__tbody-td"
 		<?= Hash::get($row, 'Dblog.id') ?>
 	</td>
 	<td class="bca-table-listup__tbody-td">
-		<?= Hash::get($row, 'Dblog.name') ?>
+		<?= h(Hash::get($row, 'Dblog.name')) ?>
 	</td>
 	<td class="bca-table-listup__tbody-td">
 		<?php if ($row['Dblog']['user_id']): ?>

diff --git a/lib/Baser/View/Elements/admin/favorite_menu_row.php b/lib/Baser/View/Elements/admin/favorite_menu_row.php
@@ -18,7 +18,7 @@
 
 <li id="FavoriteRow<?php echo h($favorite['Favorite']['name']) ?>">
 	<?php $favorite['Favorite']['url'] = preg_replace('/^\/admin\//', '/' . BcUtil::getAdminPrefix() . '/', $favorite['Favorite']['url']) ?>
-	<?php $this->BcBaser->link(h($favorite['Favorite']['name']), $favorite['Favorite']['url'], ['title' => Router::url($favorite['Favorite']['url'], true)]) ?>
+	<?php $this->BcBaser->link(h($favorite['Favorite']['name']), $favorite['Favorite']['url'], ['title' => h(Router::url($favorite['Favorite']['url']), true)]) ?>
 	<?php echo $this->BcForm->input('Favorite.id.' . $favorite['Favorite']['id'], ['type' => 'hidden', 'value' => $favorite['Favorite']['id'], 'class' => 'favorite-id']) ?>
 	<?php echo $this->BcForm->input('Favorite.name.' . $favorite['Favorite']['id'], ['type' => 'hidden', 'value' => $favorite['Favorite']['name'], 'class' => 'favorite-name']) ?>
 	<?php echo $this->BcForm->input('Favorite.url.' . $favorite['Favorite']['id'], ['type' => 'hidden', 'value' => $favorite['Favorite']['url'], 'class' => 'favorite-url']) ?>

diff --git a/lib/Baser/View/Elements/admin/permissions/index_row.php b/lib/Baser/View/Elements/admin/permissions/index_row.php
@@ -43,7 +43,7 @@ class="sort-handle"><?php $this->BcBaser->img('admin/sort.png', ['alt' => __d('b
 	<td style="width:55%">
 		<?php $this->BcBaser->link($data['Permission']['name'], ['action' => 'edit', $this->request->params['pass'][0], $data['Permission']['id']], ['escape' => true]); ?>
 		<br/>
-		<?php echo $data['Permission']['url']; ?>
+		<?php echo h($data['Permission']['url']); ?>
 	</td>
 	<td style="width:10%"
 		class="align-center"><?php echo $this->BcText->arrayValue($data['Permission']['auth'], [0 => '×', 1 => '○']) ?></td>

diff --git a/lib/Baser/View/Permissions/admin/form.php b/lib/Baser/View/Permissions/admin/form.php
@@ -30,7 +30,7 @@
 			<th class="col-head"><?php echo $this->BcForm->label('Permission.user_group_id', __d('baser', 'ユーザーグループ')) ?></th>
 			<td class="col-input">
 				<?php $userGroups = $this->BcForm->getControlSource('user_group_id') ?>
-				<?php echo $userGroups[$this->BcForm->value('Permission.user_group_id')] ?>
+				<?php echo h($userGroups[$this->BcForm->value('Permission.user_group_id')]) ?>
 				<?php echo $this->BcForm->input('Permission.user_group_id', ['type' => 'hidden']) ?>
 			</td>
 		</tr>

diff --git a/lib/Baser/View/Users/admin/form.php b/lib/Baser/View/Users/admin/form.php
@@ -99,7 +99,7 @@ class="helptext"><?php echo __d('baser', 'ニックネームを設定してい
 					<div id="helptextUserGroupId"
 						 class="helptext"> <?php echo sprintf(__d('baser', 'ユーザーグループごとにコンテンツへのアクセス制限をかける場合などには%sより新しいグループを追加しアクセス制限の設定をおこないます。'), $this->BcBaser->getLink(__d('baser', 'ユーザーグループ管理'), ['controller' => 'user_groups', 'action' => 'index'])) ?></div>
 				<?php else: ?>
-					<?php echo $this->BcText->arrayValue($this->request->data['User']['user_group_id'], $userGroups) ?>
+					<?php echo h($this->BcText->arrayValue($this->request->data['User']['user_group_id'], $userGroups)) ?>
 					<?php echo $this->BcForm->input('User.user_group_id', ['type' => 'hidden']) ?>
 				<?php endif ?>
 			</td>