

sec(MassEdit) XSS in idstring parameter
joebordes committed Aug 21, 2022
1 parent 23915aa commit 8d80af2
Showing 1 changed file with 13 additions and 1 deletion.
14 changes: 13 additions & 1 deletion include/utils/utils.php
Expand Up @@ -3584,7 +3584,7 @@ function getSelectedRecords($input, $module, $idstring, $excludedRecords) {
global $adb;

if ($idstring == 'relatedListSelectAll') {
$recordid = vtlib_purify($input['recordid']);
$recordid = filter_var($input['recordid'], FILTER_SANITIZE_NUMBER_INT);
if ($module == 'Accounts') {
$result = getCampaignAccountIds($recordid);
}
Expand Down Expand Up @@ -3620,6 +3620,12 @@ function getSelectedRecords($input, $module, $idstring, $excludedRecords) {
} else {
$storearray = explode(';', $idstring);
}
array_walk(
$storearray,
function (&$val, $key) {
$val = filter_var($val, FILTER_SANITIZE_NUMBER_INT);
}
);
} elseif ($idstring == 'all') {
$result = getSelectAllQuery($input, $module);
$storearray = array();
Expand All @@ -3633,6 +3639,12 @@ function getSelectedRecords($input, $module, $idstring, $excludedRecords) {
$storearray = array_diff($storearray, $excludedRecords);
} else {
$storearray = explode(';', $idstring);
array_walk(
$storearray,
function (&$val, $key) {
$val = filter_var($val, FILTER_SANITIZE_NUMBER_INT);
}
);
}

return $storearray;
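Review bot: `FILTER_SANITIZE_NUMBER_INT` in both array_walk closures (the hunks at +3626 and +3639) rewrites a malformed id rather than rejecting it — `12<b>3` becomes `123`, `abc` becomes `''`, and a lone `+` or `-` survives — so a tampered value is silently mapped onto some other record id instead of being dropped. Validating and discarding would be safer and also does away with the `&$val` reference and the unused `$key` parameter: `$storearray = array_values(array_filter($storearray, static fn ($id): bool => filter_var($id, FILTER_VALIDATE_INT) !== false));`. Note that this turns an empty `$idstring` into `[]` instead of `['']`, so check how callers of getSelectedRecords handle an empty list before adopting it; the same `FILTER_VALIDATE_INT` treatment would fit `$recordid` in the +3584 hunk. getSelectedRecords starts before this section and the downstream consumer of `$storearray` is not visible here.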
