2.1.26

Fix for #1257 Fix for XSS in edit dialogbox
nilsteampassnet · May 17, 2016 · 8a26d9c · 8a26d9c
1 parent 4386d9d
commit 8a26d9c
Show file tree

Hide file tree

Showing 5 changed files with 23 additions and 10 deletions.
diff --git a/install/install.queries.php b/install/install.queries.php
@@ -246,7 +246,7 @@ function chmod_r($dir, $dirPermissions, $filePermissions) {
                             `email` varchar(100) DEFAULT NULL,
                             `notification` varchar(250) DEFAULT NULL,
                             `viewed_no` int(12) NOT null DEFAULT '0',
-                            `complexity_level` varchar(2) NOT null DEFAULT '-1',
+                            `complexity_level` varchar(3) NOT null DEFAULT '-1',
                             `auto_update_pwd_frequency` tinyint(2) NOT null DEFAULT '0',
                             `auto_update_pwd_next_date` int(15) DEFAULT NULL,
                             PRIMARY KEY (`id`),

diff --git a/install/upgrade_run_2.1.26.php b/install/upgrade_run_2.1.26.php
@@ -143,5 +143,7 @@ function tableExists($tablename, $database = false)
 	exit();
 }
 
+// alter table Items
+mysqli_query($dbTmp, "ALTER TABLE `".$_SESSION['tbl_prefix']."items` MODIFY complexity_level VARCHAR(3)");
 
 echo '[{"finish":"1" , "next":"", "error":""}]';
diff --git a/items.load.php b/items.load.php
@@ -902,7 +902,7 @@ function(data) {
                         $("#id_label").text($('#edit_label').val());
                         //$("#id_pw").text($('#edit_pw1').val());
                         $("#id_email").html($('#edit_email').val());
-                        $("#id_url").html($('#edit_url').val());
+                        $("#id_url").html($('#edit_url').val().escapeHTML());
                         $("#id_desc").html(description);
                         $("#id_login").html($('#edit_item_login').val());
                         $("#id_restricted_to").html(data.list_of_restricted);
@@ -916,7 +916,7 @@ function(data) {
                         $("#hid_label").val($('#edit_label').val());
                         $("#hid_pw").val($('#edit_pw1').val());
                         $("#hid_email").val($('#edit_email').val());
-                        $("#hid_url").val($('#edit_url').val());
+                        $("#hid_url").val($('#edit_url').val().escapeHTML());
                         $("#hid_desc").val(description);
                         $("#hid_login").val($('#edit_item_login').val());
                         $("#hid_restricted_to").val(restriction);
@@ -2124,7 +2124,7 @@ function(data) {
                     if (data[0].duplicate != "1") {
                         $("#div_formulaire_saisi ~ .ui-dialog-buttonpane").find("button:contains('<?php echo $LANG['save_button'];?>')").button("enable");
                         // display title
-                        $("#"+textFieldId).html(itemTitle);
+                        $("#"+textFieldId).html(itemTitle.escapeHTML());
                     } else {
                         $("#label").focus();
                         $("#new_show_error").html("<?php echo $LANG['duplicate_title_in_same_folder'];?>").show();
@@ -2133,7 +2133,7 @@ function(data) {
             );
         } else {
             // display title
-            $("#"+textFieldId).html(itemTitle);
+            $("#"+textFieldId).html(itemTitle.escapeHTML());
         }
     }
 }
@@ -3858,4 +3858,14 @@ function serverAutoChangePwd()
     });
 }
 
+
+// escape HTML characters
+String.prototype.escapeHTML = function() {
+    return this.replace(/&/g, "&amp;")
+        .replace(/</g, "&lt;")
+        .replace(/>/g, "&gt;")
+        .replace(/"/g, "&quot;")
+        .replace(/'/g, "&#039;");
+}
+
 </script>
diff --git a/sources/items.queries.php b/sources/items.queries.php
@@ -384,11 +384,12 @@
 
             if (count($dataReceived) > 0) {
                 // Prepare variables
-                $label = htmlspecialchars_decode($dataReceived['label']);
-                $url = htmlspecialchars_decode($dataReceived['url']);
+                $label = noHTML(htmlspecialchars_decode($dataReceived['label']));
+                $url = noHTML(htmlspecialchars_decode($dataReceived['url']));
                 $pw = $original_pw = $sentPw = htmlspecialchars_decode($dataReceived['pw']);
-                $login = htmlspecialchars_decode($dataReceived['login']);
+                $login = noHTML(htmlspecialchars_decode($dataReceived['login']));
                 $tags = htmlspecialchars_decode($dataReceived['tags']);
+                $email = noHTML(htmlspecialchars_decode($dataReceived['email']));
                 // Get all informations for this item
                 $dataItem = DB::queryfirstrow(
                     "SELECT *
@@ -486,7 +487,7 @@
                             'description' => $dataReceived['description'],
                             'pw' => $passwd['string'],
                             'pw_iv' => $passwd['iv'],
-                            'email' => $dataReceived['email'],
+                            'email' => $email,
                             'login' => $login,
                             'url' => $url,
                             'id_tree' => (!isset($dataReceived['categorie']) || $dataReceived['categorie'] == "undefined") ? $dataItem['id_tree'] : $dataReceived['categorie'],

diff --git a/sources/main.functions.php b/sources/main.functions.php
@@ -1312,5 +1312,5 @@ function get_client_ip_server() {
  */
 function noHTML($input, $encoding = 'UTF-8')
 {
-    return htmlentities($input, ENT_QUOTES | ENT_HTML5, $encoding);
+    return htmlspecialchars($input, ENT_QUOTES | ENT_HTML5, $encoding);
 }