Vulnerabilities fixed, thanks to huntr.dev

system/controllers/admin/actions/menu_tree_ajax.php

@@ -25,7 +25,7 @@ public function run() {
         if ($items) {
             foreach ($items as $item) {
                 $tree_nodes[] = [
-                    'title'  => $item['title'],
+                    'title'  => html($item['title'], false),
                     'key'    => "{$menu_id}.{$item['id']}",
                     'isLazy' => ($item['childs_count'] > 0)
                 ];

system/controllers/tags/actions/autocomplete.php

@@ -12,13 +12,13 @@ public function run() {
 
         $result = [];
 
-        $term = $this->request->get('term', '');
+        $term = strip_tags($this->request->get('term', ''));
         if (!$term) {
             return $this->cms_template->renderJSON($result);
         }
 
         $tags = $this->model->filterLike('tag', "%{$term}%")->
-                select("(LEFT(`tag`, " . mb_strlen($term) . ") = '{$term}')", 'tag_order')->
+                select("(LEFT(`tag`, " . mb_strlen($term) . ") = '".$this->model->db->escape($term)."')", 'tag_order')->
                 orderByList([
                     ['by' => 'tag_order', 'to' => 'desc', 'strict' => true],
                     ['by' => 'tag', 'to' => 'asc']

system/core/user.php

@@ -277,13 +277,15 @@ public static function autoLogin($auth_token) {
      * @param boolean $complete_login
      * @return integer|array
      */
-    public static function login($email, $password, $remember = false, $complete_login = true) {
+    public static function login($email, $password, $remember = false, $complete_login = true, $model = null) {
 
         if (!$email || !$password) {
             return 0;
         }
 
-        $model = cmsCore::getModel('users');
+        if($model === null) {
+            $model = cmsCore::getModel('users');
+        }
 
         $user = $model->getUserByAuth($email, $password);
 

system/fields/string.php

@@ -140,6 +140,15 @@ public function store($value, $is_submitted, $old_value = null) {
         }
 
         if ($this->getProperty('is_clean_disable') === true) {
+
+            // Разрешены HTML теги, - прогоняем через типограф
+            $value = cmsEventsManager::hook('html_filter', [
+                'text'                => $value,
+                'is_auto_br'          => false,
+                'build_smiles'        => false,
+                'build_redirect_link' => false
+            ]);
+
             return trim($value, " \0");
         }
 

system/libs/template.helper.php

@@ -63,7 +63,7 @@ function html_pagebar($page, $perpage, $total, $base_uri = false, $query = [], $
  */
 function html_input($type = 'text', $name = '', $value = '', $attributes = []) {
 
-    if ($type === 'password') {
+    if ($type === 'password' && empty($attributes['autocomplete'])) {
         $attributes['autocomplete'] = 'off';
     }
     $attributes['type']  = $type;

templates/admincoreui/assets/ui/form.tpl.php

@@ -4,7 +4,7 @@
     <?php $this->toolbar('menu-toolbar'); ?>
 <?php } ?>
 
-<form id="<?php html($attributes['form_id']); ?>" action="<?php echo $attributes['action']; ?>"
+<form id="<?php html($attributes['form_id']); ?>" action="<?php html($attributes['action']); ?>"
       method="<?php echo $attributes['method']; ?>"
       class="<?php html($attributes['form_class']); ?><?php if ($this->controller->request->isAjax()){ ?> ajax-form<?php } ?>"
       enctype="multipart/form-data"

templates/admincoreui/assets/ui/grid-perms.tpl.php

@@ -2,7 +2,7 @@
     <?php $this->toolbar('menu-toolbar'); ?>
 <?php } ?>
 
-<form action="<?php echo $submit_url; ?>" method="post">
+<form action="<?php html($submit_url); ?>" method="post">
 
     <div class="datagrid_wrapper perms_grid table-responsive dataTables_wrapper dt-bootstrap4">
         <table id="datagrid" class="datagrid table table-striped table-bordered dataTable bg-white">

templates/admincoreui/controllers/admin/menu.tpl.php

@@ -28,7 +28,7 @@
             <ul id="treeData" class="skeleton-tree">
                 <?php foreach ($menus as $id => $menu) { ?>
                     <li id="<?php echo $menu['id'];?>.0" class="lazy folder">
-                        <?php echo $menu['title']; ?>
+                        <?php html($menu['title']); ?>
                     </li>
                 <?php } ?>
             </ul>

templates/default/assets/ui/confirm.tpl.php

@@ -1,6 +1,6 @@
 <div class="modal_padding">
     <h3><?php echo $confirm_title; ?></h3>
-    <form action="<?php echo $confirm_action; ?>" method="post" onsubmit="$(this).find('.button-submit').addClass('disabled is-busy');">
+    <form action="<?php html($confirm_action); ?>" method="post" onsubmit="$(this).find('.button-submit').addClass('disabled is-busy');">
         <?php echo html_csrf_token(); ?>
         <?php echo html_input('hidden', 'back', $this->controller->request->get('back', '')); ?>
         <?php echo html_submit(LANG_CONFIRM); ?>

templates/default/assets/ui/filter-panel.tpl.php

@@ -10,7 +10,7 @@
 		<div class="filter-close">
             <a href="javascript:toggleFilter();"><span><?php echo LANG_CLOSE; ?></span></a>
         </div>
-        <form action="<?php echo $form_url; ?>" method="get" id="<?php echo $form_id; ?>" accept-charset="utf-8">
+        <form action="<?php html($form_url); ?>" method="get" id="<?php echo $form_id; ?>" accept-charset="utf-8">
             <?php echo html_input('hidden', 'page', 1); ?>
             <?php if(!empty($ext_hidden_params)){ ?>
                 <?php foreach($ext_hidden_params as $fname => $fvalue){ ?>

templates/default/assets/ui/form.tpl.php

@@ -5,7 +5,7 @@
     </div>
 <?php } ?>
 
-<form id="<?php html($attributes['form_id']); ?>" action="<?php echo $attributes['action']; ?>"
+<form id="<?php html($attributes['form_id']); ?>" action="<?php html($attributes['action']); ?>"
       method="<?php echo $attributes['method']; ?>"
       <?php if ($this->controller->request->isAjax()){ ?>
         class="modal"

templates/default/assets/ui/grid-perms.tpl.php

@@ -5,7 +5,7 @@
 <?php } ?>
 
 
-<form action="<?php echo $submit_url; ?>" method="post">
+<form action="<?php html($submit_url); ?>" method="post">
 
     <div class="datagrid_wrapper perms_grid">
         <table id="datagrid" class="datagrid" cellpadding="0" cellspacing="0" border="0">

templates/modern/assets/ui/filter-panel.tpl.php

@@ -16,7 +16,7 @@
         <button type="button" class="close position-absolute icms-filter-link__close" title="<?php echo LANG_CLOSE; ?>">
             <span>&times;</span>
         </button>
-        <form action="<?php echo $form_url; ?>" method="get" id="<?php echo $form_id; ?>" accept-charset="utf-8">
+        <form action="<?php html($form_url); ?>" method="get" id="<?php html($form_id); ?>" accept-charset="utf-8">
             <?php echo html_input('hidden', 'page', 1); ?>
             <?php if(!empty($ext_hidden_params)){ ?>
                 <?php foreach($ext_hidden_params as $fname => $fvalue){ ?>

templates/modern/assets/ui/form.tpl.php

@@ -3,7 +3,7 @@
     <?php $this->toolbar('menu-toolbar'); ?>
 <?php } ?>
 
-<form id="<?php html($attributes['form_id']); ?>" action="<?php echo $attributes['action']; ?>"
+<form id="<?php html($attributes['form_id']); ?>" action="<?php html($attributes['action']); ?>"
       method="<?php echo $attributes['method']; ?>"
       class="<?php html($attributes['form_class']); ?><?php if ($this->controller->request->isAjax()){ ?> ajax-form<?php } ?>"
       enctype="multipart/form-data"