Skip to content

Commit

Permalink
Browse files Browse the repository at this point in the history
Bugfix: XSS (stored) in user widget settings
Reported by Peng Zhou @zpbrent
  • Loading branch information
GaryAllan committed Mar 6, 2023
1 parent 4f1fb98 commit 78e0470
Show file tree
Hide file tree
Showing 3 changed files with 11 additions and 10 deletions.
18 changes: 9 additions & 9 deletions app/dashboard/index.php
Expand Up @@ -118,8 +118,8 @@
$m=0; //to calculate chunk index

foreach($uwidgets as $uk=>$uv) {
//get fetails
$wdet = (array) $widgets[$uv];
//get details
$wdet = isset($widgets[$uv]) ? (array) $widgets[$uv] : ['wsize' => 6];
if(is_blank($wdet['wsize'])) { $wsize = 6; }
else { $wsize = $wdet['wsize']; }

Expand Down Expand Up @@ -148,18 +148,18 @@
foreach($uwidgetschunk as $w) {
# print itams in a row
foreach($w as $c) {

/* print items */
$wdet = (array) $widgets[$c];
if(array_key_exists($c, $widgets)) {
$wdet = (array) $widgets[$c];

//reset size if not set
if(is_blank($wdet['wsize'])) { $wdet['wsize'] = 6; }

print " <div class='col-xs-12 col-sm-12 col-md-12 col-lg-$wdet[wsize] widget-dash' id='w-$wdet[wfile]'>";
print " <div class='col-xs-12 col-sm-12 col-md-12 col-lg-".escape_input($wdet['wsize'])." widget-dash' id='w-".escape_input($wdet['wfile'])."'>";
print " <div class='inner'><i class='fa fa-times remove-widget icon-action fa-gray pull-right'></i>";
// href?
if($wdet['whref']=="yes") { print "<a href='".create_link("widgets",$wdet['wfile'])."'> <h4>"._($wdet['wtitle'])."<i class='fa fa-external-link fa-gray pull-right'></i></h4></a>"; }
else { print "<h4>"._($wdet['wtitle'])."</h4>"; }
if($wdet['whref']=="yes") { print "<a href='".create_link("widgets",$wdet['wfile'])."'> <h4>"._(escape_input($wdet['wtitle']))."<i class='fa fa-external-link fa-gray pull-right'></i></h4></a>"; }
else { print "<h4>"._(escape_input($wdet['wtitle']))."</h4>"; }
print " <div class='hContent'>";
print " <div style='text-align:center;padding-top:50px;'><strong>"._('Loading widget')."</strong><br><i class='fa fa-spinner fa-spin'></i></div>";
print " </div>";
Expand All @@ -169,9 +169,9 @@
}
# invalid widget
else {
print " <div class='col-xs-12 col-sm-12 col-md-12 col-lg-6' id='w-$c'>";
print " <div class='col-xs-12 col-sm-12 col-md-12 col-lg-6' id='w-".escape_input($c)."'>";
print " <div class='inner'>";
print " <blockquote style='margin-top:20px;margin-left:20px;'><p>Invalid widget $c</p></blockquote>";
print " <blockquote style='margin-top:20px;margin-left:20px;'><p>Invalid widget ".escape_input($c)."</p></blockquote>";
print " </div>";
print " </div>";
}
Expand Down
2 changes: 1 addition & 1 deletion functions/classes/class.Common.php
Expand Up @@ -674,7 +674,7 @@ public function noxss_html($html) {
if ($dom->loadHTML("<html>".$html."</html>", LIBXML_HTML_NOIMPLIED | LIBXML_HTML_NODEFDTD | LIBXML_NOBLANKS | LIBXML_NOWARNING | LIBXML_NOERROR) === false)
return "";

$banned_elements = ['script', 'iframe', 'embed'];
$banned_elements = ['script', 'iframe', 'embed', 'object'];
$remove_elements = [];

$elements = $dom->getElementsByTagName('*');
Expand Down
1 change: 1 addition & 0 deletions misc/CHANGELOG
Expand Up @@ -12,6 +12,7 @@
+ XSS (reflected) in 'bw-calulator-result.php';
+ XSS (reflected) by invalid email address response;
+ XSS (reflected) by /app/tools/subnet-masks/popup.php (#3738);
+ XSS (stored) in user widget settings;
+ XSS and LDAP injection in ad-search-result.php;
+ XSS and LDAP injection in ad-search-group-result.php;
+ Restrict find_full_subnets.php to CLI;
Expand Down

0 comments on commit 78e0470

Please sign in to comment.