

Fixed issue #18934: [security] Stored XSS in label set administration (
…#3271)

Co-authored-by: lapiudevgit <devgit@lapiu.biz>
gabrieljenik and lapiudevgit committed Jul 5, 2023
1 parent 40eecfa commit 184d50e
Showing 3 changed files with 11 additions and 3 deletions.
1 change: 1 addition & 0 deletions application/helpers/admin/label_helper.php
Expand Up @@ -176,6 +176,7 @@ function modlabelsetanswers($lid)
}
}
if (count($aErrors)) {
// TODO: Show an actual error message
Yii::app()->session['flashmessage'] = gT("Not all labels were updated successfully.");
} else {
Yii::app()->session['flashmessage'] = gT("Labels successfully updated");
7 changes: 7 additions & 0 deletions application/models/Label.php
Expand Up @@ -65,6 +65,13 @@ public function rules()
'params' => array(':lid' => $this->lid)
),
'message' => '{attribute} "{value}" is already in use.'),
// Only alphanumeric
array(
'code',
'match',
'pattern' => '/^[[:alnum:]]*$/',
'message' => gT('Label codes may only contain alphanumeric characters.'),
),
array('sortorder', 'numerical', 'integerOnly' => true, 'allowEmpty' => true),
array('assessment_value', 'numerical', 'integerOnly' => true, 'allowEmpty' => true),
);
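Review bot: The new `match` rule on `code` anchors with `$` but no `D` modifier, so PCRE still accepts a value with one trailing newline (`"ABC\n"` satisfies `/^[[:alnum:]]*$/`); anchor with `\z` instead, `'pattern' => '/^[[:alnum:]]*\z/',`. Without the `u` modifier `[[:alnum:]]` is ASCII-only, which is a sound conservative allow-list for a value that ends up in HTML, but it presumably means any existing non-ASCII label code will fail validation on its next save, and the `// Only alphanumeric` comment should say so (`// ASCII alphanumerics only; non-ASCII codes are rejected on save`). The enclosing `rules()` starts and ends outside the hunk.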
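--- a/application/views/admin/labels/labelRow.twig
+++ b/application/views/admin/labels/labelRow.twig
@@ -13,16 +13,16 @@
 #}
 <tr class="labelDatas" style='white-space: nowrap;' id='row_{{ language }}_{{ rowId }}'>
 {% if not first %}
-<td>{{ code }}</td>
+<td>{{ code|escape }}</td>
 <td>{{ assessmentValue }}</td>
 {% else %}
 <td>
 <span class="ri-menu-fill bigIcons text-success"></span>
 </td>
 
 <td>
-<input type='hidden' class='hiddencode' value='{{ code }}'/>
-<input type='text' class='codeval form-control ' id='code_{{ rowId }}' name='code_{{ rowId }}' maxlength='20' size='20' value='{{ code }}'/>
+<input type='hidden' class='hiddencode' value='{{ code|escape }}'/>
+<input type='text' class='codeval form-control ' id='code_{{ rowId }}' name='code_{{ rowId }}' maxlength='20' size='20' value='{{ code|escape }}'/>
 </td>
 
 <td>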
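Review bot: Needing an explicit `|escape` on `code` implies autoescaping is off for this template, yet the other interpolations in the same `<tr>` stay raw: `language` and `rowId` in the `id` attribute and `assessmentValue` in the cell. `assessmentValue` is bounded by the integer-only rule in Label.php, but nothing visible here constrains `language` or `rowId`, so they deserve the same treatment, e.g. `id='row_{{ language|escape }}_{{ rowId|escape }}'` and `id='code_{{ rowId|escape }}' name='code_{{ rowId|escape }}'`. Twig's default `html` escape strategy encodes single quotes, so the single-quoted `value='…'` attributes are covered by the change as written.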
