
Commit 77463eb

committed
Prevent XSS on actionVar in header.tpl
The Smarty template was reflecting the $_GET['a'] parameter without applying htmlspecialchars (it was only using strip_tags)
1 parent 6b75a4d commit 77463eb


3 files changed

+6
-3
lines changed


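--- a/core/docs/changelog.txt
+++ b/core/docs/changelog.txt
@@ -2,6 +2,7 @@
 This file shows the changes in recent releases of MODX. The most current release is usually the
 development release, and is only shown to give an idea of what's currently in the pipeline.
 
+- Prevent XSS on actionVar in header.tpl
 - Fix caching of manager menus
 
 MODX Revolution 2.2.10-pl (October 7, 2013)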

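--- a/core/model/modx/modmanagerrequest.class.php
+++ b/core/model/modx/modmanagerrequest.class.php
@@ -53,6 +53,8 @@ function __construct(modX & $modx) {
 * @return boolean True if successful.
 */
 public function initialize() {
+$this->sanitizeRequest();
+
 if (!defined('MODX_INCLUDES_PATH')) {
 define('MODX_INCLUDES_PATH',$this->modx->getOption('manager_path').'includes/');
 }
@@ -117,7 +119,7 @@ public function handleRequest() {
 $this->modx->invokeEvent('OnHandleRequest');
 
 /* save page to manager object. allow custom actionVar choice for extending classes. */
-$this->action = isset($_REQUEST[$this->actionVar]) ? $_REQUEST[$this->actionVar] : $this->defaultAction;
+$this->action = isset($_REQUEST[$this->actionVar]) ? (integer)$_REQUEST[$this->actionVar] : $this->defaultAction;
 
 /* invoke OnManagerPageInit event */
 $this->modx->invokeEvent('OnManagerPageInit',array('action' => $this->action));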
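Review bot: The `(integer)` cast in handleRequest() turns any non-numeric value of the action parameter into action 0 instead of falling back to `$this->defaultAction`, so a malformed or tampered value is silently accepted rather than rejected; guard the cast with a numeric check, e.g. `$this->action = (isset($_REQUEST[$this->actionVar]) && is_numeric($_REQUEST[$this->actionVar])) ? (int) $_REQUEST[$this->actionVar] : $this->defaultAction;`. The short `(int)` spelling is the conventional form. The `sanitizeRequest()` call added at the top of initialize() in the first hunk is defined outside this diff, so whether it already filters such values cannot be confirmed here; a one-line comment stating what it strips from the request would help the next reader. Both initialize() and handleRequest() continue outside the hunks.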

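--- a/manager/templates/default/header.tpl
+++ b/manager/templates/default/header.tpl
@@ -24,8 +24,8 @@
 <script src="{$_config.manager_url}assets/ext3/ext-all.js" type="text/javascript"></script>
 {/if}
 <script src="{$_config.manager_url}assets/modext/core/modx.js" type="text/javascript"></script>
-<script src="{$_config.connectors_url}lang.js.php?ctx=mgr&topic=topmenu,file,resource,{$_lang_topics}&action={$smarty.get.a|strip_tags}" type="text/javascript"></script>
-<script src="{$_config.connectors_url}layout/modx.config.js.php?action={$smarty.get.a|strip_tags}{if $_ctx}&wctx={$_ctx}{/if}" type="text/javascript"></script>
+<script src="{$_config.connectors_url}lang.js.php?ctx=mgr&topic=topmenu,file,resource,{$_lang_topics}&action={$smarty.get.a|htmlspecialchars}" type="text/javascript"></script>
+<script src="{$_config.connectors_url}layout/modx.config.js.php?action={$smarty.get.a|htmlspecialchars}{if $_ctx}&wctx={$_ctx}{/if}" type="text/javascript"></script>
 
 {if $_config.compress_js && $_config.compress_js_groups}
 <script src="{$_config.manager_url}min/index.php?g=coreJs1" type="text/javascript"></script>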
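Review bot: `htmlspecialchars` escapes for the HTML attribute context, but on both changed lines `$smarty.get.a` is placed inside a URL query string, so the context-correct modifier is `|escape:'url'`, whose percent-encoded output is also safe inside the double-quoted attribute, e.g. `&action={$smarty.get.a|escape:'url'}`. The bare PHP `htmlspecialchars` modifier runs with PHP's default flags, which on PHP versions of that era leave single quotes unencoded; Smarty's `|escape` (default `html`, ENT_QUOTES) does not depend on the attribute's quoting style. `{$_ctx}` on the second line is still emitted unescaped; if it can originate from the request it needs the same treatment. Since modmanagerrequest.class.php now casts the action to an integer, the template could presumably emit that validated value instead of re-reading the raw GET parameter, though whether it is exposed to Smarty cannot be confirmed from this diff.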
