Fix XSS (exploitable only by chairs) reported by Xiangyu Gao.
kohler committed Dec 24, 2022
1 parent 4a96165 commit d4ffdb0
Showing 7 changed files with 13 additions and 7 deletions.
2 changes: 1 addition & 1 deletion src/api/api_decision.php
Expand Up @@ -18,7 +18,7 @@ static function run(Contact $user, Qrequest $qreq, PaperInfo $prow) {
$prow->load_decision();
}
$dec = $prow->viewable_decision($user);
$jr = new JsonResult(["ok" => true, "value" => $dec->id, "result" => htmlspecialchars($dec->name)]);
$jr = new JsonResult(["ok" => true, "value" => $dec->id, "result" => $dec->name_as(5)]);
if ($user->can_set_decision($prow)) {
$jr->content["editable"] = true;
}
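Review bot: The JSON field `"result"` carries an HTML-escaped string (via `name_as(5)`) while `"value"` is a plain id, and nothing in the response or at the construction site says so; a client that inserts `result` as text will show `&amp;` for a decision name containing `&`, and one that treats it as plain text and escapes again will double-escape. This was already the case with the old `htmlspecialchars` call, so the commit changes nothing here, but the contract is still undocumented. A one-line comment above the `new JsonResult(...)` line would make it explicit: `// "result" is an HTML fragment (escaped by name_as(5)); clients must insert it as HTML, not as text`. run()'s body begins before this hunk.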
2 changes: 1 addition & 1 deletion src/assigners/a_decision.php
Expand Up @@ -109,7 +109,7 @@ static function make(AssignmentItem $item, AssignmentState $state) {
static function decision_html(Conf $conf, $decid) {
$dec = $conf->decision_set()->get($decid);
$class = $dec->status_class();
$name_h = htmlspecialchars($dec->id === 0 ? "No decision" : $dec->name);
$name_h = $dec->id === 0 ? "No decision" : $dec->name_as(5);
return "<span class=\"pstat {$class}\">{$name_h}</span>";
}
function unparse_display(AssignmentSet $aset) {
6 changes: 6 additions & 0 deletions src/decisioninfo.php
Expand Up @@ -52,6 +52,12 @@ static function make_placeholder($id) {
return $dec;
}

/** @param 0|5 $format
* @return string */
function name_as($format) {
return $format === 5 ? htmlspecialchars($this->name) : $this->name;
}

/** @return string */
function status_class() {
return self::$class_name[$this->category] ?? "dec-maybe";
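Review bot: `name_as` fails open — any `$format` other than 5 (a typo such as `name_as(4)`, or a format value added later) silently returns the unescaped name, which is the wrong default for a method introduced to close an XSS. Inverting the test makes the unescaped form the explicit exception: `return $format === 0 ? $this->name : htmlspecialchars($this->name);`, so an unrecognised format is rendered escaped rather than raw. The docblock should also say what the two values mean, e.g. `/** @param 0|5 $format 0 = plain text, 5 = HTML-escaped */`; 5 is presumably a project-wide format code, which is worth confirming and naming in the comment. On PHP before 8.1 `htmlspecialchars` defaults to `ENT_COMPAT` and leaves `'` unescaped, so passing `ENT_QUOTES | ENT_SUBSTITUTE` explicitly keeps the result safe in single-quoted attribute contexts regardless of runtime version.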
2 changes: 1 addition & 1 deletion src/help/h_keywords.php
Expand Up @@ -198,7 +198,7 @@ static function print(HelpRenderer $hth) {
if (strpos($qdname, " ") !== false) {
$qdname = "\"{$qdname}\"";
}
echo $hth->search_trow("dec:{$qdname}", "decision is “" . htmlspecialchars($dec->name) . "” (partial matches OK)");
echo $hth->search_trow("dec:{$qdname}", "decision is “" . $dec->name_as(5) . "” (partial matches OK)");
break;
}
}
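Review bot: The second argument to `search_trow` is now escaped, but the first, `"dec:{$qdname}"`, still interpolates `$qdname` without escaping (the lines above only add quotes around names containing a space), and whether `search_trow` escapes its query argument itself is not visible in this hunk. The same pattern is in src/mailrecipients.php, where `defsel("dec:{$dec->name}", ...)` passes the raw name as the selector key beside the escaped label. If those helpers do escape their first argument, a short comment at each call site, `// search_trow escapes the query itself; only the description is pre-escaped`, would record why the two arguments are handled differently and keep a later edit from "fixing" it the wrong way. print()'s body continues outside the hunk.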
2 changes: 1 addition & 1 deletion src/listactions/la_decide.php
Expand Up @@ -9,7 +9,7 @@ function allow(Contact $user, Qrequest $qreq) {
static function render(PaperList $pl, Qrequest $qreq) {
$opts = [];
foreach ($pl->conf->decision_set() as $dec) {
$opts[$dec->id] = $dec->name;
$opts[$dec->id] = $dec->name_as(5);
}
return ["Set to &nbsp;"
. Ht::select("decision", $opts, "", ["class" => "want-focus js-submit-action-info-decide"])
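Review bot: `$opts[$dec->id] = $dec->name_as(5)` pre-escapes the option labels before they reach `Ht::select`, so the fix relies on `Ht::select` emitting labels verbatim — which the old `$dec->name` line suggests it does, and which was the exploitable path — but that contract is invisible at the call site. The same hunk shape is in src/papertable.php (`papstripOutcomeSelector`). A comment on the `$opts` line in both places, `// Ht::select does not escape option labels; names must be passed HTML-escaped`, would stop a later cleanup from reverting to `$dec->name` or from adding escaping inside Ht::select and double-escaping these callers. render() continues past the hunk, and papstripOutcomeSelector starts before its hunk.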
2 changes: 1 addition & 1 deletion src/mailrecipients.php
Expand Up @@ -147,7 +147,7 @@ function set_recipients($type) {
foreach ($this->conf->decision_set() as $dec) {
if ($dec->id !== 0) {
$hide = ($this->_dcounts[$dec->id] ?? 0) === 0;
$this->defsel("dec:{$dec->name}", "Contact authors of " . htmlspecialchars($dec->name) . " papers", $hide ? self::F_HIDE : 0);
$this->defsel("dec:{$dec->name}", "Contact authors of " . $dec->name_as(5) . " papers", $hide ? self::F_HIDE : 0);
}
}
$this->defsel("dec:yes", "Contact authors of accept-class papers", $this->_has_dt[2] ? 0 : self::F_HIDE);
4 changes: 2 additions & 2 deletions src/papertable.php
Expand Up @@ -1547,13 +1547,13 @@ function papstripOutcomeSelector() {
}
$opts = [];
foreach ($this->conf->decision_set() as $dec) {
$opts[$dec->id] = $dec->name;
$opts[$dec->id] = $dec->name_as(5);
}
echo Ht::select("decision", $opts,
(string) $this->prow->outcome,
["class" => "w-99 want-focus", "id" => $id]),
'</form><p class="fn odname js-psedit-result">',
htmlspecialchars($this->prow->decision()->name),
$this->prow->decision()->name_as(5),
"</p></div>\n";
}

