From 77d75aff05058f53d0200db210bdc529393f7de9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?C=C3=B4me=20Chilliet?= <come.chilliet@fusiondirectory.org>
Date: Thu, 11 Jun 2020 10:53:43 +0200
Subject: [PATCH] :ambulance: fix(core) Fix more escaping issues

issue #6071
---
 ihtml/themes/breezy/islocked.tpl | 6 +++---
 ihtml/themes/breezy/login.tpl | 2 +-
 ihtml/themes/breezy/recovery.tpl | 6 +++---
 ihtml/themes/breezy/restore-confirm.tpl | 4 ++--
 ihtml/themes/breezy/simple-remove.tpl | 4 ++--
 ihtml/themes/breezy/simpleplugin.tpl | 6 +++---
 ihtml/themes/breezy/simpleplugin_section.tpl | 2 +-
 include/simpleplugin/class_simpleTabs.inc | 2 +-
 plugins/addons/dashboard/groups_stats.tpl | 2 +-
 plugins/addons/dashboard/main_stats.tpl | 4 ++--
 plugins/addons/dashboard/pwd_stats.tpl | 2 +-
 plugins/addons/dashboard/users_accounts.tpl | 22 ++++++++++----------
 plugins/addons/dashboard/users_stats.tpl | 2 +-
 plugins/admin/groups/tabs_ogroups.inc | 5 -----
 plugins/generic/references/contents.tpl | 2 +-
 15 files changed, 33 insertions(+), 38 deletions(-)

diff --git a/ihtml/themes/breezy/islocked.tpl b/ihtml/themes/breezy/islocked.tpl
index 1d6cbbc0e..1f5544c9d 100644
--- a/ihtml/themes/breezy/islocked.tpl
+++ b/ihtml/themes/breezy/islocked.tpl
@@ -6,7 +6,7 @@
 </div>
 <div>
 <p>
- <b>{t}Warning{/t}:</b> {$message}
+ <b>{t}Warning{/t}:</b> {$message|escape}
 <ul>
 {foreach from=$locks item=lock}
 <li>{t 1=$lock.object 2=$lock.user 3=$lock.timestamp|date_format:"%Y-%m-%d, %H:%M:%S"}"%1" has been locked by "%2" since %3{/t}</li>
@@ -18,7 +18,7 @@
 </p>
 <p class="plugbottom">
- <input type="submit" name="delete_lock" value="{$action}"/>
+ <input type="submit" name="delete_lock" value="{$action|escape}"/>
 {if $allow_readonly}
 <input type="submit" name="open_readonly" value="{t}Read only{/t}"/>
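Review bot: The `<li>{t 1=$lock.object 2=$lock.user 3=$lock.timestamp|date_format:...}` context line in the first islocked.tpl hunk still interpolates `$lock.object` and `$lock.user` without an `|escape`, and whether the `t` block HTML-encodes its numbered parameters is not visible from this diff. If it does not, an object DN or user name containing markup would render raw right next to the `$message` this commit now escapes. Worth confirming against the block plugin; if it does not escape, the modifier can be applied at the call site, e.g. `{t 1=$lock.object|escape 2=$lock.user|escape 3=$lock.timestamp|date_format:"%Y-%m-%d, %H:%M:%S"}`.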
@@ -27,7 +27,7 @@
 <input type="submit" formnovalidate="formnovalidate" name="cancel_lock" value="{t}Cancel{/t}"/>
 </p>
- <input type="hidden" name="dn" value="{$dn}"/>
+ <input type="hidden" name="dn" value="{$dn|escape}"/>
 </div>
 </div>
diff --git a/ihtml/themes/breezy/login.tpl b/ihtml/themes/breezy/login.tpl
index 25f4d9cf7..3b39193d2 100644
--- a/ihtml/themes/breezy/login.tpl
+++ b/ihtml/themes/breezy/login.tpl
@@ -79,7 +79,7 @@
 <script type="text/javascript">
 <!--
 enable_keyPress = false;
- focus_field("{$focusfield}");
+ focus_field("{$focusfield|escape}");
 next_msg_dialog();
 -->
 </script>
diff --git a/ihtml/themes/breezy/recovery.tpl b/ihtml/themes/breezy/recovery.tpl
index 5d5642498..6e29c287f 100644
--- a/ihtml/themes/breezy/recovery.tpl
+++ b/ihtml/themes/breezy/recovery.tpl
@@ -23,7 +23,7 @@
 <span class="warning"> {$ssl} </span>
 <!-- Display error message on demand -->
- <span class="warning"> {$message} </span>
+ <span class="warning"> {$message|escape} </span>
 {if $step==3}
 <p class="infotext">
@@ -93,7 +93,7 @@
 <label for="email_address">
 <img class="center" src="geticon.php?context=applications&icon=internet-mail&size=48" alt="{t}Email address{/t}" title="{t}Email address{/t}" />
 </label>
- <input type="text" name="email_address" id="email_address" value="{$email_address}" title="{t}Email{/t}" onFocus=""/>
+ <input type="text" name="email_address" id="email_address" value="{$email_address|escape}" title="{t}Email{/t}" onFocus=""/>
 </div>
 {if $show_directory_chooser}
 <div>
@@ -117,7 +117,7 @@
 {/if}
 {else}
 <!-- Display error message on demand -->
- <p class="warning"> {$message} </p>
+ <p class="warning"> {$message|escape} </p>
 <p>{t}Password recovery is not activated. If you have lost your password, please contact your administrator{/t}</p>
 </div>
 </div>
diff --git a/ihtml/themes/breezy/restore-confirm.tpl b/ihtml/themes/breezy/restore-confirm.tpl
index 17df7ff41..e318892ac 100644
--- a/ihtml/themes/breezy/restore-confirm.tpl
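Review bot: `focus_field("{$focusfield|escape}");` in the login.tpl hunk applies HTML escaping to a value that lands inside a JavaScript string literal in a `<script>` block, where entities are not decoded: a legitimate value containing a quote reaches `focus_field` as `&quot;`, and backslashes and line terminators are left untouched. Smarty has a mode for this context: `focus_field("{$focusfield|escape:'javascript'}");`, which escapes backslashes, both quote characters, newlines and `</`. The same applies to `focus_field('{$focusedField|escape}');` in the simpleplugin.tpl hunk. Either mode neutralises a `</script>` breakout, so this is a correctness-of-context point rather than an open hole.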
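Review bot: `{$ssl}` on the context line directly above the newly escaped `{$message}` in the first recovery.tpl hunk is still emitted raw inside the same `<span class="warning">` pattern. If it is a server-built notice that deliberately carries markup, leaving it raw is the intent, but that is not evident from the hunk; if it is plain text, `<span class="warning"> {$ssl|escape} </span>` would keep the two warnings consistent. Worth a one-line confirmation of where `$ssl` is assigned.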
+++ b/ihtml/themes/breezy/restore-confirm.tpl
@@ -8,8 +8,8 @@
 <p>
 <ul>
 {foreach from=$objects item=object}
- <li style="list-style-image:url('{$object.icon}');" title="{$object.type}">
- {$object.name} (<i>{$object.dn}</i>)
+ <li style="list-style-image:url('{$object.icon|escape}');" title="{$object.type|escape}">
+ {$object.name|escape} (<i>{$object.dn|escape}</i>)
 </li>
 {/foreach}
 </ul>
diff --git a/ihtml/themes/breezy/simple-remove.tpl b/ihtml/themes/breezy/simple-remove.tpl
index 2f40e8362..683331310 100644
--- a/ihtml/themes/breezy/simple-remove.tpl
+++ b/ihtml/themes/breezy/simple-remove.tpl
@@ -8,8 +8,8 @@
 <p>
 <ul>
 {foreach from=$objects item=object}
- <li style="list-style-image:url('{$object.icon}');" title="{$object.type}">
- {$object.name} (<i>{$object.dn}</i>)
+ <li style="list-style-image:url('{$object.icon|escape}');" title="{$object.type|escape}">
+ {$object.name|escape} (<i>{$object.dn|escape}</i>)
 </li>
 {/foreach}
 </ul>
diff --git a/ihtml/themes/breezy/simpleplugin.tpl b/ihtml/themes/breezy/simpleplugin.tpl
index c51a181b3..f5eeedaa2 100644
--- a/ihtml/themes/breezy/simpleplugin.tpl
+++ b/ihtml/themes/breezy/simpleplugin.tpl
@@ -6,17 +6,17 @@
 {if is_array($hiddenPostedInput)}
 {foreach from=$hiddenPostedInput item=hiddenPostedInput_item}
- <input name="{$hiddenPostedInput_item}" value="1" type="hidden"/>
+ <input name="{$hiddenPostedInput_item|escape}" value="1" type="hidden"/>
 {/foreach}
 {else}
- <input name="{$hiddenPostedInput}" value="1" type="hidden"/>
+ <input name="{$hiddenPostedInput|escape}" value="1" type="hidden"/>
 {/if}
 {if isset($focusedField)}
 <!-- Place cursor -->
 <script type="text/javascript">
 <!--
 // First input field on page
- focus_field('{$focusedField}');
+ focus_field('{$focusedField|escape}');
 -->
 </script>
 {/if}
diff --git a/ihtml/themes/breezy/simpleplugin_section.tpl b/ihtml/themes/breezy/simpleplugin_section.tpl
index 4909f228e..03834100b 100644
--- a/ihtml/themes/breezy/simpleplugin_section.tpl
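Review bot: `style="list-style-image:url('{$object.icon|escape}');"` in the restore-confirm.tpl hunk HTML-escapes a value that is then parsed as a CSS string: the browser decodes `&#039;` back to `'` in the attribute value before the CSS parser sees it, so HTML escaping prevents breaking out of the attribute but not out of the `url('…')` string. That only matters if any part of `$object.icon` can originate from LDAP or user input rather than being built server-side, which the hunk does not show; if it can, the safer options are to constrain the value to a path character set in the PHP that builds it, or to render the icon as an `<img src="…|escape">` rather than inline CSS. The simple-remove.tpl hunk carries the identical two lines.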
+++ b/ihtml/themes/breezy/simpleplugin_section.tpl
@@ -1,5 +1,5 @@
 <fieldset id="{$sectionId}" class="plugin-section{$sectionClasses}">
- <legend><span>{$section}</span></legend>
+ <legend><span>{$section|escape}</span></legend>
 <div>
 <table>
 {foreach from=$attributes item=attribute key=id}
diff --git a/include/simpleplugin/class_simpleTabs.inc b/include/simpleplugin/class_simpleTabs.inc
index 83e88d905..cae6e7148 100644
--- a/include/simpleplugin/class_simpleTabs.inc
+++ b/include/simpleplugin/class_simpleTabs.inc
@@ -309,7 +309,7 @@ class simpleTabs
 'onclick="return true;" '.
 'href="'."javascript:document.mainform.arg.value='$class';document.mainform.submit();".'">';
 }
- $display .= $title.'</a></div></td>';
+ $display .= htmlescape($title).'</a></div></td>';
 }
 $display .= "<td>\n";
diff --git a/plugins/addons/dashboard/groups_stats.tpl b/plugins/addons/dashboard/groups_stats.tpl
index 2955b1f45..f4afd8442 100644
--- a/plugins/addons/dashboard/groups_stats.tpl
+++ b/plugins/addons/dashboard/groups_stats.tpl
@@ -1,6 +1,6 @@
 <div id="{$sectionId}" class="plugin-section">
 <span class="legend">
- {$section}
+ {$section|escape}
 </span>
 <div>
 <img src="{$attributes.groups_stats.img|escape}" alt="group icon"/>
diff --git a/plugins/addons/dashboard/main_stats.tpl b/plugins/addons/dashboard/main_stats.tpl
index 336f09534..27ab1e8e9 100644
--- a/plugins/addons/dashboard/main_stats.tpl
+++ b/plugins/addons/dashboard/main_stats.tpl
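Review bot: The new `htmlescape($title)` fixes the link text, but on the context line just above it `$class` is still interpolated raw into `"javascript:document.mainform.arg.value='$class';document.mainform.submit();"`, which is a JavaScript string nested inside an HTML attribute and receives neither encoding. It is presumably a PHP class name taken from the tab definition rather than user-supplied data, in which case this is safe, but that provenance is not visible in the hunk, and wrapping it in `htmlescape` would not be a fix for the inner JavaScript-string context anyway. A short comment at the loop naming where `$class` comes from, or an identifier-pattern check where the tab list is assembled, would make the assumption explicit. The enclosing method starts and ends outside the hunk.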
@@ -7,9 +7,9 @@
 {foreach from=$attributes.stats item=stat}
 <li>
 {if isset($stat.href)}
- <a href="{$stat.href}"><img style="vertical-align:middle;" src="{$stat.img|escape}" alt=""/> {$stat.name} : {$stat.nb}</a>
+ <a href="{$stat.href}"><img style="vertical-align:middle;" src="{$stat.img|escape}" alt=""/> {$stat.name|escape} : {$stat.nb|escape}</a>
 {else}
- <img style="vertical-align:middle;" src="{$stat.img|escape}" alt=""/> {$stat.name} : {$stat.nb}
+ <img style="vertical-align:middle;" src="{$stat.img|escape}" alt=""/> {$stat.name|escape} : {$stat.nb|escape}
 {/if}
 </li>
 {/foreach}
diff --git a/plugins/addons/dashboard/pwd_stats.tpl b/plugins/addons/dashboard/pwd_stats.tpl
index fa830389d..a5bc5e843 100644
--- a/plugins/addons/dashboard/pwd_stats.tpl
+++ b/plugins/addons/dashboard/pwd_stats.tpl
@@ -1,6 +1,6 @@
 <div id="{$sectionId}" class="plugin-section">
 <span class="legend">
- {$section}
+ {$section|escape}
 </span>
 <div>
 <img src="{$attributes.pwds_stats.img|escape}" alt="user icon"/>
diff --git a/plugins/addons/dashboard/users_accounts.tpl b/plugins/addons/dashboard/users_accounts.tpl
index 5ae33ace3..8c9463be8 100644
--- a/plugins/addons/dashboard/users_accounts.tpl
+++ b/plugins/addons/dashboard/users_accounts.tpl
@@ -1,6 +1,6 @@
 <div id="{$sectionId}" class="plugin-section fullwidth">
 <span class="legend">
- {$section}
+ {$section|escape}
 </span>
 <div>
 <h1>
@@ -25,10 +25,10 @@
 <tr>
 {foreach from=$attributes.expired.columns.user item=colname}
- <th>{$colname}</th>
+ <th>{$colname|escape}</th>
 {/foreach}
 {foreach from=$attributes.expired.columns.manager item=colname}
- <th>{$colname}</th>
+ <th>{$colname|escape}</th>
 {/foreach}
 </tr>
 </thead>
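Review bot: The new `<a href="{$stat.href}">` line in the main_stats.tpl hunk escapes `$stat.name` and `$stat.nb` but leaves `$stat.href` raw in the attribute, so the same line now mixes escaped and unescaped output. If the link is assembled server-side from a fixed route this is harmless, but escaping it costs nothing and keeps the template uniform: `<a href="{$stat.href|escape}">`. Note that `escape` only prevents attribute breakout and does not validate the URL scheme, so the origin of the link still matters regardless.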
@@ -36,13 +36,13 @@
 {foreach from=$attributes.expired.accounts item=account}
 <tr>
 {foreach from=$attributes.expired.columns.user key=colkey item=colname}
- <td>{$account.$colkey} </td>
+ <td>{$account.$colkey|escape} </td>
 {/foreach}
 {foreach from=$attributes.expired.columns.manager key=colkey item=colname}
 {if $colkey==manager_mail}
- <td><a href="mailto:{$account.$colkey}">{$account.$colkey}</a></td>
+ <td><a href="mailto:{$account.$colkey|escape}">{$account.$colkey|escape}</a></td>
 {else}
- <td>{$account.$colkey} </td>
+ <td>{$account.$colkey|escape} </td>
 {/if}
 {/foreach}
 </tr>
@@ -73,10 +73,10 @@
 <tr>
 {foreach from=$attributes.expired.columns.user item=colname}
- <th>{$colname}</th>
+ <th>{$colname|escape}</th>
 {/foreach}
 {foreach from=$attributes.expired.columns.manager item=colname}
- <th>{$colname}</th>
+ <th>{$colname|escape}</th>
 {/foreach}
 </tr>
 </thead>
@@ -84,13 +84,13 @@
 {foreach from=$attributes.expired.accounts_next_days item=account}
 <tr>
 {foreach from=$attributes.expired.columns.user key=colkey item=colname}
- <td> {$account.$colkey}</td>
+ <td> {$account.$colkey|escape}</td>
 {/foreach}
 {foreach from=$attributes.expired.columns.manager key=colkey item=colname}
 {if $colkey==manager_mail}
- <td><a href="mailto:{$account.$colkey}">{$account.$colkey}</a></td>
+ <td><a href="mailto:{$account.$colkey|escape}">{$account.$colkey|escape}</a></td>
 {else}
- <td> {$account.$colkey}</td>
+ <td> {$account.$colkey|escape}</td>
 {/if}
 {/foreach}
 </tr>
diff --git a/plugins/addons/dashboard/users_stats.tpl b/plugins/addons/dashboard/users_stats.tpl
index f86c17fd1..3577f84a8 100644
--- a/plugins/addons/dashboard/users_stats.tpl
+++ b/plugins/addons/dashboard/users_stats.tpl
@@ -1,6 +1,6 @@
 <div id="{$sectionId}" class="plugin-section">
 <span class="legend">
- {$section}
+ {$section|escape}
 </span>
 <div>
 <img src="{$attributes.users_stats.img|escape}" alt="user icon"/>
diff --git a/plugins/admin/groups/tabs_ogroups.inc b/plugins/admin/groups/tabs_ogroups.inc
index e5d97491e..8dc6d4fd1 100644
--- a/plugins/admin/groups/tabs_ogroups.inc
+++ b/plugins/admin/groups/tabs_ogroups.inc
@@ -172,11 +172,6 @@ class ogrouptabs extends simpleTabs_noSpecial
 }
 }
- function check ($ignore_account = FALSE)
- {
- return parent::check(FALSE);
- }
-
 function save ()
 {
 $errors = parent::save();
diff --git a/plugins/generic/references/contents.tpl b/plugins/generic/references/contents.tpl
index c4fec404d..0a4234c79 100644
--- a/plugins/generic/references/contents.tpl
+++ b/plugins/generic/references/contents.tpl
@@ -1,6 +1,6 @@
 <div id="{$sectionId}" class="plugin-section{$sectionClasses}">
 <span class="legend">
- {$section}
+ {$section|escape}
 </span>
 <div>
 {if $attributes.refs}
--
GitLab