Verified Commit 8a4203c6 authored by Côme Chilliet's avatar Côme Chilliet

🚑 fix(errors) Fix HTML escaped errors leaking through webservice

issue #6061
parent e9d7be2d
......@@ -154,9 +154,9 @@ class sinapsDiffusionHandlerJob
$values['entite']['supannRefId'] = array_values(array_unique($values['entite']['supannRefId']));
$message = 'Entite updated';
}
$error = $this->fillObject('entite', $values, $dn);
if ($error !== TRUE) {
$this->sendAcquittementFonctionnel(sinapsRequest::acquittementFonctionnel(200, 13, strip_tags(implode(', ', $error))));
$errors = $this->fillObject('entite', $values, $dn);
if ($errors !== TRUE) {
$this->sendAcquittementFonctionnel(sinapsRequest::acquittementFonctionnel(200, 13, strip_tags(implode(', ', $errors))));
} else {
$this->sendAcquittementFonctionnel(sinapsRequest::acquittementFonctionnel(200, 0, $message, $idObjApp));
}
......@@ -196,9 +196,9 @@ class sinapsDiffusionHandlerJob
}
$dn = '';
}
$error = $this->fillObject('user', $values, $dn);
if ($error !== TRUE) {
$this->sendAcquittementFonctionnel(sinapsRequest::acquittementFonctionnel(200, 15, strip_tags(implode(', ', $error))));
$errors = $this->fillObject('user', $values, $dn);
if ($errors !== TRUE) {
$this->sendAcquittementFonctionnel(sinapsRequest::acquittementFonctionnel(200, 15, strip_tags(implode(', ', $errors))));
} else {
if ($values['lock']) {
/* $values['lock'] means this was a deletion, so we must not send an object identifier in the answer */
......@@ -267,7 +267,7 @@ class sinapsDiffusionHandlerJob
) {
list($disabled, , $text) = $tabobject->by_object[$tab]->getDisplayHeaderInfos();
if ($disabled) {
return $text;
return [$text];
}
$tabobject->by_object[$tab]->is_account = FALSE;
}
......@@ -278,7 +278,7 @@ class sinapsDiffusionHandlerJob
) {
list($disabled, , $text) = $tabobject->by_object[$tab]->getDisplayHeaderInfos();
if ($disabled) {
return $text;
return [$text];
}
$tabobject->by_object[$tab]->is_account = TRUE;
}
......
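Review bot: `return [$text];` in the two disabled-tab branches (the -267 and -278 hunks) still hands back the HTML-escaped text that getDisplayHeaderInfos() produces for the web UI, and the callers in the -154 and -196 hunks only run strip_tags() over the imploded array, which removes tags but leaves entities such as `&quot;` or `&#039;` encoded in the acquittement message. The fdRestService/fdRPCService half of this commit decodes the same text with htmlunescape(), so the consistent fix here is `return [htmlunescape($text)];`, and renaming the local to `$htmlText` as done there would make the HTML origin visible at a glance. The enclosing method (fillObject, inferred from the call sites) starts and ends outside these hunks, so I cannot see whether its other error strings are already plain text; if they are, decoding only this branch keeps the returned array uniformly plain.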
......@@ -385,9 +385,9 @@ class fdRestService extends fdRPCService
if ($tabobject->by_object[$tab]->isActivatable() &&
!$tabobject->by_object[$tab]->isActive()
) {
list($disabled, $buttonText, $text) = $tabobject->by_object[$tab]->getDisplayHeaderInfos();
list($disabled, $buttonHtmlText, $htmlText) = $tabobject->by_object[$tab]->getDisplayHeaderInfos();
if ($disabled) {
throw new WebServiceError($text);
throw new WebServiceError(htmlunescape($htmlText));
}
if ($tabobject->by_object[$tab]->acl_is_createable()) {
$tabobject->by_object[$tab]->is_account = TRUE;
......
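Review bot: `$buttonHtmlText` in the rewritten list() assignment is bound and never used; the sinapsDiffusionHandlerJob hunks in this same commit skip that slot instead, so `list($disabled, , $htmlText) = $tabobject->by_object[$tab]->getDisplayHeaderInfos();` would be consistent with them and avoid a dead variable. The same applies to the two fdRPCService hunks (-313 and -472). A one-line why-comment above the throw would help the next reader, e.g. `// getDisplayHeaderInfos() returns HTML for the web UI; the webservice error must carry plain text`. The enclosing method begins and ends outside this hunk.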
......@@ -313,9 +313,9 @@ class fdRPCService
} elseif (!$tabobject->by_object[$tab]->acl_is_removeable()) {
throw new WebServiceError('You don\'t have sufficient rights to disable tab "'.$tab.'"', 403);
} else {
list($disabled, $buttonText, $text) = $tabobject->by_object[$tab]->getDisplayHeaderInfos();
list($disabled, $buttonHtmlText, $htmlText) = $tabobject->by_object[$tab]->getDisplayHeaderInfos();
if ($disabled) {
throw new WebServiceError($text);
throw new WebServiceError(htmlunescape($htmlText));
}
}
$_POST = [$tab.'_modify_state' => 1];
......@@ -472,9 +472,9 @@ class fdRPCService
$tabobject->by_object[$tab]->isActivatable() &&
!$tabobject->by_object[$tab]->isActive()
) {
list($disabled, $buttonText, $text) = $tabobject->by_object[$tab]->getDisplayHeaderInfos();
list($disabled, $buttonHtmlText, $htmlText) = $tabobject->by_object[$tab]->getDisplayHeaderInfos();
if ($disabled) {
throw new WebServiceError($text);
throw new WebServiceError(htmlunescape($htmlText));
}
if ($tabobject->by_object[$tab]->acl_is_createable()) {
$tabobject->by_object[$tab]->is_account = TRUE;
......
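Review bot: After `throw new WebServiceError(htmlunescape($htmlText));` (both the -313 and -472 hunks) the error message carries raw `<`, `>` and quotes from the original text, so the RPC serialization layer is now the only thing keeping it from being reinterpreted as markup by a client that renders error strings; that assumption deserves a comment at the throw, e.g. `// decoded to plain text on purpose: the transport encoder, not HTML escaping, protects this message`. Neither WebServiceError nor the encoder is visible on this page, so I cannot confirm the encoding happens; if this message is ever surfaced in the web UI again it must be re-escaped there. Unlike the rights check just above in the -313 hunk, which passes 403, this throw relies on WebServiceError's default status; if that default is a server-error code, a disabled tab would be reported as a server fault rather than a client-side condition, so an explicit status may be worth passing. Both enclosing methods start and end outside their hunks.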