[BF] Fix a number of XSS issues
Thanks to the GRNET IT Security Team for responsibly disclosing these issues.
barryo committed Jun 20, 2023
1 parent 348a5f4 commit fddbc38
Showing 7 changed files with 13 additions and 13 deletions.
@@ -1,7 +1,7 @@
<?php if( isset($t->data[ 'params'][ "cs" ]) ): ?>
<div>
<h2>
Ports for Console Server: <?= $t->data[ 'params'][ "css" ][$t->data[ 'params'][ "cs" ] ][ 'name' ] ?><br><br>
Ports for Console Server: <?= $t->ee( $t->data[ 'params'][ "css" ][$t->data[ 'params'][ "cs" ] ][ 'name' ] ) ?><br><br>
</h2>
</div>
<?php endif;?>
Expand Up @@ -2,7 +2,7 @@
<div class="btn-group btn-group-sm" role="group">
<div class="btn-group btn-group-sm">
<button type="button" class="btn btn-white dropdown-toggle" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false">
<?= isset( $t->data[ 'params'][ "cs" ] ) ? $t->data[ 'params'][ "css" ][$t->data[ 'params'][ "cs" ] ][ 'name' ] : "All Console Server Ports" ?> <span class="caret"></span>
<?= isset( $t->data[ 'params'][ "cs" ] ) ? $t->ee( $t->data[ 'params'][ "css" ][$t->data[ 'params'][ "cs" ] ][ 'name' ] ) : "All Console Server Ports" ?> <span class="caret"></span>
</button>

<div class="dropdown-menu dropdown-menu-right scrollable-dropdown">
Expand All @@ -11,7 +11,7 @@
</a>
<div class="dropdown-divider"></div>
<?php foreach( $t->data[ 'params'][ "css" ] as $css ): ?>
<a class="dropdown-item <?= isset( $t->data[ 'params'][ "cs" ] ) && $t->data[ 'params'][ "cs" ] === $css[ 'id' ] ? 'active' : '' ?>" href="<?= route( "console-server-connection@listPort", [ "cs" => $css[ 'id' ] ] ) ?>"><?= $css[ 'name' ] ?></a>
<a class="dropdown-item <?= isset( $t->data[ 'params'][ "cs" ] ) && $t->data[ 'params'][ "cs" ] === $css[ 'id' ] ? 'active' : '' ?>" href="<?= route( "console-server-connection@listPort", [ "cs" => $css[ 'id' ] ] ) ?>"><?= $t->ee( $css[ 'name' ] ) ?></a>
<?php endforeach; ?>
</div>
</div>
2 changes: 1 addition & 1 deletion resources/views/contact/edit-form.foil.php
Expand Up @@ -81,7 +81,7 @@
<div class="form-check form-check-inline">
<input id='role_<?= $role[ 'id' ] ?>' type='checkbox' name='roles[]' <?= in_array( $role[ 'id' ], $checkedRoles, false ) ? 'checked' : '' ?> value='<?= $role[ 'id' ] ?>'>
<label for="role_<?= $role[ 'id' ] ?>" class="form-check-label">
<?= $role[ 'name' ] ?>
<?= $t->ee( $role[ 'name' ] ) ?>
</label>
</div>
</div>
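Review bot: `$role[ 'id' ]` is still emitted raw into the `id=` and `value=` attributes of the `<input>` and `<label>` lines at the top of this hunk, while only `$role[ 'name' ]` gained `$t->ee()`. If the id is an integer column this is harmless, but the template does not enforce that; an explicit cast makes the attribute contexts safe by construction, e.g. `value='<?= (int) $role[ 'id' ] ?>'`, and the same applies to `?role=<?= $role[ 'id' ] ?>` in contact/page-header-preamble.foil.php and to `$tag->id` in customer/tag/cust.foil.php. While here, `in_array( $role[ 'id' ], $checkedRoles, false )` relies on loose comparison; once both sides are normalised to int it can become `in_array( (int) $role[ 'id' ], $checkedRoles, true )`. The enclosing form markup starts and ends outside the hunk.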
4 changes: 2 additions & 2 deletions resources/views/contact/page-header-preamble.foil.php
Expand Up @@ -8,7 +8,7 @@

<?php if( config('contact_group.types.ROLE') ): ?>
<button type="button" class="btn btn-white dropdown-toggle" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false">
<?= isset( $t->data[ 'params'][ "role" ] ) ? $t->data[ 'params'][ "roles" ][ $t->data[ 'params'][ "role" ] ][ 'name'] : "All Roles" ?>
<?= isset( $t->data[ 'params'][ "role" ] ) ? $t->ee( $t->data[ 'params'][ "roles" ][ $t->data[ 'params'][ "role" ] ][ 'name'] ) : "All Roles" ?>
</button>
<ul class="dropdown-menu dropdown-menu-right">
<a class="dropdown-item <?= isset( $t->data[ 'params'][ "role" ]) ?: "active" ?>" href="<?= route( $t->feParams->route_prefix . "@list" ) ?>">
Expand All @@ -19,7 +19,7 @@

<?php foreach( $t->data[ 'params'][ "roles" ] as $index => $role ): ?>
<a class="dropdown-item <?= isset($t->data[ 'params'][ "role" ]) && (int)$t->data[ 'params'][ "role" ] === $role[ 'id'] ? 'active' : '' ?>" href="<?= route( $t->feParams->route_prefix . "@list" ) ?>?role=<?= $role[ 'id' ] ?>">
<?= $role[ 'name' ] ?>
<?= $t->ee( $role[ 'name' ] ) ?>
</a>
<?php endforeach; ?>
</ul>
2 changes: 1 addition & 1 deletion resources/views/customer/overview.foil.php
Expand Up @@ -156,7 +156,7 @@
<?php if( $c->tags ): ?>
<?php foreach( $c->tags as $tag ): ?>
<span class="badge badge-secondary">
<?= $tag->display_as ?>
<?= $t->ee( $tag->display_as ) ?>
</span>
<?php endforeach; ?>

4 changes: 2 additions & 2 deletions resources/views/customer/tag/cust.foil.php
Expand Up @@ -31,11 +31,11 @@
<div class="form-check form-check-inline">
<input id='tag_<?= $tag->id ?>' type='checkbox' name='tags[]' <?= $t->c->tags->contains( 'id', $tag->id ) ? 'checked' : '' ?> value='<?= $tag->id ?>'>
<label for="tag_<?= $tag->id ?>" class="form-check-label">
<?= $tag->display_as . " (" . $tag->tag . ")" ?>
<?= $t->ee( $tag->display_as ) . " (" . $t->ee( $tag->tag ) . ")" ?>
</label>
</div>
<small class="form-text text-muted former-help-text">
<?= $tag->description ?>
<?= $t->ee( $tag->description ) ?>
</small>
</div>
</div>
8 changes: 4 additions & 4 deletions resources/views/log/view.foil.php
Expand Up @@ -113,20 +113,20 @@
<tr>
<td>
<b>
<?= $key ?>
<?= $t->ee( $key ) ?>
</b>
</td>
<?php if( $new ): ?>
<td class="<?= isset( $changed[ $key ] ) ? 'tw-bg-gray-500': '' ?> ">
<?= $new[ $key ] ?>
<?= $t->ee( $new[ $key ] ) ?>
</td>
<?php endif; ?>
<?php if( $old ): ?>
<td>
<?php if( !is_array( $old[ $key ] ) ): ?>
<?= $old[ $key ] ?>
<?= $t->ee( $old[ $key ] ) ?>
<?php else: ?>
<?= json_encode($old[ $key ], JSON_THROW_ON_ERROR) ?>
<?= json_encode($old[ $key ], JSON_HEX_QUOT|JSON_HEX_TAG|JSON_HEX_AMP|JSON_HEX_APOS|JSON_THROW_ON_ERROR) ?>
<?php endif; ?>
</td>
<?php endif; ?>
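Review bot: The `$new[ $key ]` cell is passed straight to `$t->ee()` without the `is_array()` guard that protects the `$old[ $key ]` cell a few lines below, so a nested-array value on the new side would reach the escaper as an array instead of being rendered through json_encode as the old side is. Mirroring the old-side branch keeps both columns consistent and avoids a type failure on array-valued changes, assuming `ee()` expects a string. Separately, the JSON_HEX_* flags turn `<`, `>`, `&` and quotes into `\uXXXX` escapes inside the JSON text, which is safe in a text node but displays the escape sequence rather than the character; wrapping the json_encode output in `$t->ee()` instead would show the original characters, so either form is acceptable as long as one is applied. The enclosing loop and table start and end outside the hunk.
```php
<?php if( $new ): ?>
    <td class="<?= isset( $changed[ $key ] ) ? 'tw-bg-gray-500': '' ?> ">
        <?php if( !is_array( $new[ $key ] ) ): ?>
            <?= $t->ee( $new[ $key ] ) ?>
        <?php else: ?>
            <?= json_encode( $new[ $key ], JSON_HEX_QUOT|JSON_HEX_TAG|JSON_HEX_AMP|JSON_HEX_APOS|JSON_THROW_ON_ERROR ) ?>
        <?php endif; ?>
    </td>
<?php endif; ?>
<?php /* … unchanged: old-value cell below … */ ?>
```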
