Fixed issue #18883: [security] Stored XSS vulnerability in user profile (#3247)
ptelu committed Jun 23, 2023
1 parent 46e2bb6 commit 6e5a576
Showing 3 changed files with 17 additions and 16 deletions.
Expand Up @@ -20,7 +20,7 @@ class="dropdown-item <?= $enabledCondition ? "" : "disabled" ?> <?= $dropdownIte
role="button"
<?php if (isset($dropdownItem['linkAttributes']) && is_array($dropdownItem['linkAttributes'])) : ?>
<?php foreach ($dropdownItem['linkAttributes'] as $attribute => $value) : ?>
<?= "$attribute='$value'" ?>
<?= $attribute . '=' . $value ?>
<?php endforeach; ?>
<?php endif; ?>>
<?php if (isset($dropdownItem['iconClass'])) : ?>
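Review bot: The new line `<?= $attribute . '=' . $value ?>` prints the attribute with no quotes at all, so any value containing whitespace — the `title` and `data-text` strings built in application/models/TemplateConfiguration.php and the `data-message` strings in application/models/User.php in this same commit — is truncated at the first space and the rest is parsed as stray boolean attributes, while a value containing `"` or `>` still reaches the markup unescaped. Removing the quotes avoids the breakage of the old single-quoted form, but it moves escaping entirely onto each caller (the `CHtml::encode` calls added in the two model files), which the next caller can easily forget. The robust form is to quote and escape at the single output point, `<?= $attribute . '="' . CHtml::encode($value) . '"' ?>`, and let the models pass raw values; if the caller-side encoding were kept as well, the DOM attribute would end up holding `&lt;` instead of `<`. Because browsers entity-decode attribute values on read, JS consumers would still receive the original string, including the `<br>` that `data-text` carries. The enclosing `<a>` element begins and ends outside the hunk.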
25 changes: 13 additions & 12 deletions application/models/TemplateConfiguration.php
Expand Up @@ -718,9 +718,10 @@ public function getButtons()
return '';
}
}
$templateName = CHtml::encode($this->template_name);
$sEditorUrl = App()->getController()->createUrl(
'admin/themes/sa/view',
array("templatename" => $this->template_name)
array("templatename" => $templateName)
);
$sExtendUrl = App()->getController()->createUrl('admin/themes/sa/templatecopy');
$sOptionUrl = (App()->getController()->action->id == "surveysgroups") ?
Expand All @@ -740,7 +741,7 @@ public function getButtons()
$dropdownItems[] = [
'title' => gT('Theme editor'),
'url' => $sEditorUrl,
'linkId' => 'template_editor_link_' . $this->template_name,
'linkId' => 'template_editor_link_' . $templateName,
'linkClass' => '',
'iconClass' => 'ri-brush-fill',
'enabledCondition' => App()->getController()->action->id !== "surveysgroups",
Expand All @@ -750,7 +751,7 @@ public function getButtons()
$dropdownItems[] = [
'title' => gT('Theme options'),
'url' => $sOptionUrl,
'linkId' => 'template_options_link_' . $this->template_name ,
'linkId' => 'template_options_link_' . $templateName ,
'linkClass' => '',
'iconClass' => 'ri-dashboard-3-fill',
'enabledCondition' => $this->getHasOptionPage(),
Expand All @@ -760,19 +761,19 @@ public function getButtons()
$dropdownItems[] = [
'title' => gT('Extend'),
'url' => $sExtendUrl,
'linkId' => 'extendthis_' . $this->template_name,
'linkId' => 'extendthis_' . $templateName,
'linkClass' => 'selector--ConfirmModal ',
'iconClass' => 'ri-file-copy-line text-success',
'enabledCondition' => App()->getController()->action->id !== "surveysgroups",
'linkAttributes' => [
'title' => sprintf(gT('Type in the new name to extend %s'), $this->template_name),
'title' => sprintf(gT('Type in the new name to extend %s'), $templateName),
'data-button-no' => gt('Cancel'),
'data-button-yes' => gt('Extend'),
'data-text' => gT('Please type in the new theme name above.'),
'data-post' => json_encode([
"copydir" => $this->template_name,
"copydir" => $templateName,
"action" => "templatecopy",
"newname" => [ "value" => "extends_" . $this->template_name,
"newname" => [ "value" => "extends_" . $templateName,
"type" => "text",
"class" => "form-control col-md-12" ]
]),
Expand All @@ -783,26 +784,26 @@ public function getButtons()
$dropdownItems[] = [
'title' => gT('Uninstall'),
'url' => $sUninstallUrl,
'linkId' => 'remove_fromdb_link_' . $this->template_name,
'linkId' => 'remove_fromdb_link_' . $templateName,
'linkClass' => 'selector--ConfirmModal ',
'iconClass' => 'ri-delete-bin-fill text-danger',
'enabledCondition' => App()->getController()->action->id !== "surveysgroups" &&
$this->template_name != App()->getConfig('defaulttheme'),
$templateName != App()->getConfig('defaulttheme'),
'linkAttributes' => [
'title' => gT('Uninstall this theme'),
'data-button-no' => gt('Cancel'),
'data-button-yes' => gt('Uninstall'),
'data-text' => gT('This will reset all the specific configurations of this theme.')
. '<br>' . gT('Do you want to continue?'),
'data-post' => json_encode([ "templatename" => $this->template_name ]),
'data-post' => json_encode([ "templatename" => $templateName ]),
'data-button-type' => "btn-danger"
]
];

$dropdownItems[] = [
'title' => gT('Reset'),
'url' => $sResetUrl,
'linkId' => 'remove_fromdb_link_' . $this->template_name,
'linkId' => 'remove_fromdb_link_' . $templateName,
'linkClass' => 'selector--ConfirmModal ',
'iconClass' => 'ri-refresh-line text-warning',
'enabledCondition' => App()->getController()->action->id !== "surveysgroups",
Expand All @@ -811,7 +812,7 @@ public function getButtons()
'data-button-no' => gt('Cancel'),
'data-button-yes' => gt('Reset'),
'data-text' => gT('This will reload the configuration file of this theme.') . '<br>' . gT('Do you want to continue?'),
'data-post' => json_encode([ "templatename" => $this->template_name ]),
'data-post' => json_encode([ "templatename" => $templateName ]),
'data-button-type' => "btn-warning"
]
];
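Review bot: `$templateName = CHtml::encode($this->template_name);` is computed once at the top of `getButtons()` and then reused in contexts that are not HTML: the `templatename` parameter handed to `createUrl()` in the first hunk, the `copydir`, `newname` and `templatename` values inside the `json_encode()` payloads, and the `!= App()->getConfig('defaulttheme')` comparison. For a name containing `&`, `<`, `>`, `"` or `'` the server would receive `&amp;` and friends in the request (presumably the JSON is posted back by the confirm-modal JS) and the default-theme check would compare an encoded string against the raw config value; if theme names are restricted to a safe character set elsewhere this is latent rather than live, but the hunks cannot show that. Keeping `$this->template_name` for the URL, the JSON and the comparison, and using `$templateName` only for the `linkId`, `title` and other HTML-bound values, would make the intent explicit; the comparison would also read better as `!==`. `getButtons()` starts and ends outside the hunks shown.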
6 changes: 3 additions & 3 deletions application/models/User.php
Expand Up @@ -568,7 +568,7 @@ public function getManagementButtons()
'data-bs-target' => '#confirmation-modal',
'data-url' => $changeOwnershipUrl,
'data-userid' => $this->uid,
'data-user' => $this->full_name,
'data-user' => CHtml::encode($this->full_name),
'data-action' => 'deluser',
'data-onclick' => "LS.UserManagement.triggerRunAction(\"#UserManagement--takeown-$this->uid\")",
'data-message' => gT('Do you want to take ownerschip of this user?'),
Expand Down Expand Up @@ -933,8 +933,8 @@ public function getGroupMemberListButtons()
'data-post-datas' => json_encode(['ugid' => $userGroupId, 'uid' => $currentUserId]),
'data-message' => sprintf(
gT("Are you sure you want to delete user '%s' from usergroup '%s'?"),
$this->users_name,
$userGroup->name
CHtml::encode($this->users_name),
CHtml::encode($userGroup->name)
),
'data-bs-target' => "#confirmation-modal"
]
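Review bot: `'data-user' => CHtml::encode($this->full_name),` in `getManagementButtons()`, and the two `CHtml::encode(...)` arguments to `sprintf()` in `getGroupMemberListButtons()`, encode attribute values inside the model, so the contract that these methods return pre-encoded strings for the dropdown view is left implicit. A comment such as `// HTML-encoded here because the dropdown view prints linkAttributes values verbatim` above the `data-user` line would stop a later caller from passing a raw name or from encoding twice. The neighbouring `$this->uid` on the `data-userid` and `data-onclick` lines stays unencoded; that is harmless if `uid` is an integer column, which the name suggests but the hunk cannot confirm. Both methods start and end outside the hunks shown.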
