Skip to content

Commit

Permalink
Browse files Browse the repository at this point in the history
Fixed issue #18967: [security] User can add malicious content in User…
… Roles (#3292)
  • Loading branch information
Shnoulle committed Jul 26, 2023
1 parent 61c3d5a commit e4ce838
Show file tree
Hide file tree
Showing 7 changed files with 8 additions and 8 deletions.
2 changes: 1 addition & 1 deletion application/models/Permissiontemplates.php
Expand Up @@ -214,7 +214,7 @@ public function getButtons(): string
'data-bs-toggle' => "modal",
'data-post-url' => $deleteUrl,
'data-post-datas' => $deletePostData,
'data-message' => sprintf(gt("Are you sure you want to delete user role '%s'?"), $this->name),
'data-message' => sprintf(gt("Are you sure you want to delete user role '%s'?"), CHtml::encode($this->name)),
'data-bs-target' => "#confirmation-modal",
'data-btnclass' => 'btn-danger',
'data-btntext' => gt('Delete'),
Expand Down
2 changes: 1 addition & 1 deletion application/views/userRole/edit.php
Expand Up @@ -8,7 +8,7 @@
<?php if($model->isNewRecord) {
echo gT('Create permission roles');
} else {
echo sprintf(gT('Update permission roles %s'), $model->name);
echo sprintf(gT('Update permission roles %s'), CHtml::encode($model->name));
}?>
</div>
<div class="col-12 ls-space margin top-15">
Expand Down
2 changes: 1 addition & 1 deletion application/views/userRole/partials/_form.php
Expand Up @@ -8,7 +8,7 @@
$modalTitle = gT('Create permission role');
$buttonTitle = gT('Create');
} else {
$modalTitle = sprintf(gT("Edit permission role '%s'"), $model->name);
$modalTitle = sprintf(gT("Edit permission role '%s'"), CHtml::encode($model->name));
$buttonTitle = gT('Save');
}
Yii::app()->getController()->renderPartial(
Expand Down
4 changes: 2 additions & 2 deletions application/views/userRole/partials/_view.php
Expand Up @@ -4,15 +4,15 @@
?>

<div class="modal-header">
<h5 class="modal-title" id="modalTitle-addedit"><?= sprintf(gT('Permission role %s'), $oModel->name); ?></h5>
<h5 class="modal-title" id="modalTitle-addedit"><?= sprintf(gT('Permission role %s'), CHtml::encode($oModel->name)); ?></h5>
<button type="button" class="btn-close" data-bs-dismiss="modal" aria-label="Close"></button>
</div>
<div class="modal-body">
<div class="row">
<div class="col-12">
<div class="card">
<div class="col-12 card-body">
<?= $oModel->description ?>
<?= CHtml::encode($oModel->description) ?>
</div>
</div>
</div>
Expand Down
2 changes: 1 addition & 1 deletion assets/packages/adminbasics/build/adminbasics.js
Expand Up @@ -17886,7 +17886,7 @@
//Current options object
const options = _parseOptions(e);
//Set the message if available
$(this).find('.modal-body-text').html(options.message);
$(this).find('.modal-body-text').text(options.message);
//first remove both classes
$(this).find('.btn-ok').removeClass("btn-primary btn-danger");
if (options.btnclass !== null) {
Expand Down
2 changes: 1 addition & 1 deletion assets/packages/adminbasics/build/adminbasics.min.js

Large diffs are not rendered by default.

2 changes: 1 addition & 1 deletion assets/packages/adminbasics/src/parts/confirmationModal.js
Expand Up @@ -112,7 +112,7 @@ const ConfirmationModal = function(e){
//Current options object
const options = _parseOptions(e);
//Set the message if available
$(this).find('.modal-body-text').html(options.message);
$(this).find('.modal-body-text').text(options.message);
//first remove both classes
$(this).find('.btn-ok').removeClass("btn-primary btn-danger");
if (options.btnclass !== null) {
Expand Down

0 comments on commit e4ce838

Please sign in to comment.