
Commit b3e7527

committed
Solucionado bug XSS al colocar javascript como título en un page_option.
1 parent c547622 commit b3e7527


2 files changed

+19
-26
lines changed


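--- a/Core/Controller/EditPageOption.php
+++ b/Core/Controller/EditPageOption.php
@@ -1,7 +1,7 @@
 <?php
 /**
 * This file is part of FacturaScripts
-* Copyright (C) 2017-2020 Carlos Garcia Gomez <carlos@facturascripts.com>
+* Copyright (C) 2017-2022 Carlos Garcia Gomez <carlos@facturascripts.com>
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU Lesser General Public License as
@@ -16,6 +16,7 @@
 * You should have received a copy of the GNU Lesser General Public License
 * along with this program. If not, see <http://www.gnu.org/licenses/>.
 */
+
 namespace FacturaScripts\Core\Controller;
 
 use FacturaScripts\Core\Base\Controller;
@@ -45,13 +46,11 @@ class EditPageOption extends Controller
 public $backPage;
 
 /**
-*
 * @var array
 */
 public $columns = [];
 
 /**
-*
 * @var array
 */
 public $modals = [];
@@ -64,7 +63,6 @@ class EditPageOption extends Controller
 public $model;
 
 /**
-*
 * @var array
 */
 public $rows = [];
@@ -83,12 +81,7 @@ class EditPageOption extends Controller
 */
 public $selectedViewName;
 
-/**
-* Returns basic page attributes
-*
-* @return array
-*/
-public function getPageData()
+public function getPageData(): array
 {
 $data = parent::getPageData();
 $data['menu'] = 'admin';
@@ -103,7 +96,7 @@ public function getPageData()
 *
 * @return array
 */
-public function getUserList()
+public function getUserList(): array
 {
 $result = [];
 $users = CodeModel::all(User::tableName(), 'nick', 'nick', false);
@@ -119,8 +112,8 @@ public function getUserList()
 /**
 * Runs the controller's private logic.
 *
-* @param Response $response
-* @param User $user
+* @param Response $response
+* @param User $user
 * @param ControllerPermissions $permissions
 */
 public function privateCore(&$response, $user, $permissions)
@@ -184,12 +177,12 @@ protected function loadPageOptions()
 protected function loadSelectedViewName()
 {
 $code = $this->request->get('code', '');
-if (false === \strpos($code, '-')) {
+if (false === strpos($code, '-')) {
 $this->selectedViewName = $code;
 return;
 }
 
-$parts = \explode('-', $code);
+$parts = explode('-', $code);
 $this->selectedViewName = empty($parts) ? $code : $parts[0];
 }
 
@@ -266,11 +259,12 @@ private function loadPageOptionsForUser(): bool
 new DataBaseWhere('nick', $this->selectedUser),
 ];
 if ($this->model->loadFromCode('', $where)) {
-return true; // Existen opciones para el usuario.
+// Existen opciones para el usuario.
+return true;
 }
 
-if (false == $this->loadPageOptionsForAll()) {
-// No existe opciones general. Asignamos las opciones por defecto de la vista xml al usuario.
+if (false === $this->loadPageOptionsForAll()) {
+// No existe opciones generales. Asignamos las opciones por defecto de la vista xml al usuario.
 $this->model->nick = $this->selectedUser;
 return false;
 }
@@ -282,16 +276,15 @@ private function loadPageOptionsForUser(): bool
 }
 
 /**
-*
-* @param array $column
+* @param array $column
 * @param string $name
 * @param string $key
-* @param bool $isWidget
-* @param bool $allowEmpty
+* @param bool $isWidget
+* @param bool $allowEmpty
 */
 private function setColumnOption(&$column, string $name, string $key, bool $isWidget, bool $allowEmpty)
 {
-$newValue = $this->request->request->get($name . '-' . $key);
+$newValue = self::toolBox()::utils()::noHtml($this->request->request->get($name . '-' . $key));
 if ($isWidget) {
 if (!empty($newValue) || $allowEmpty) {
 $column['children'][0][$key] = $newValue;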
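Review bot: The `noHtml()` call added in setColumnOption strips markup at write time, but the stored value is still emitted by whatever template renders the page option, so the rendering layer must keep escaping on output, and values persisted before this commit are not re-sanitised by this change. `$this->request->request->get()` is called without a default here, so it presumably yields null when the field is absent, and whether `noHtml()` accepts null is not visible in the hunk; the file already passes a default in loadSelectedViewName, so `$this->request->request->get($name . '-' . $key, '')` would be consistent and avoids a TypeError if `noHtml()` is typed `string`. A short comment on that line would help the next reader, e.g. `// strip HTML from user-supplied option values before persisting; templates must still escape on output`. The body of setColumnOption continues past the end of the hunk.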

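--- a/Core/Translation/gl_ES.json
+++ b/Core/Translation/gl_ES.json
@@ -356,7 +356,7 @@
 "desc-provicer-business-name-2": "Descrición nome de empresa de provedor 2",
 "desc-provider-business-name": "Descrición nome de empresa de provedor",
 "desc-provider-name": "Descrición nome de provedor",
-"desc-rate-code": "Código para uso interno da tarifa.",
+"desc-rate-code": "Código para uso interno da taxa.",
 "desc-vat-document": "Identificador do documento onde se aplica o imposto",
 "description": "Descrición",
 "description-1": "Descrición 1",
@@ -971,8 +971,8 @@
 "quantity-served": "cantidade servida",
 "quantity-sold": "Cant. vendida",
 "randomizer-generating-more-items": "Xerando máis elementos...",
-"rate": "Tarifa",
-"rates": "Tarifas",
+"rate": "Taxa",
+"rates": "Taxas",
 "re": "RE",
 "re-open": "Reabrir",
 "read-more": "Ler máis",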
