Fix ACP Template Name XSS
dvz committed Oct 26, 2021
1 parent 76e1e9a commit 0d60d98
Showing 1 changed file with 13 additions and 13 deletions.
26 changes: 13 additions & 13 deletions admin/modules/style/templates.php
Expand Up @@ -695,7 +695,7 @@

$sub_tabs['diff_report'] = array(
'title' => $lang->diff_report,
'link' => "index.php?module=style-templates&action=diff_report&title=".$db->escape_string($template['title'])."&sid1=".(int)$template['sid']."&sid2=-2",
'link' => "index.php?module=style-templates&action=diff_report&title=".urlencode($template['title'])."&sid1=".(int)$template['sid']."&sid2=-2",
);
}

Expand Down Expand Up @@ -1008,7 +1008,7 @@
}
}

$table->construct_cell($label, array("width" => "85%"));
$table->construct_cell(htmlspecialchars_uni($label), array("width" => "85%"));

if($sid == -2)
{
Expand Down Expand Up @@ -1135,7 +1135,7 @@

foreach($templates as $template)
{
$template['pretty_title'] = $template['title'];
$template['pretty_title'] = htmlspecialchars_uni($template['title']);

$popup = new PopupMenu("template_{$template['tid']}", $lang->options);

Expand All @@ -1162,14 +1162,14 @@
$popup->add_item($lang->revert_to_orig, "index.php?module=style-templates&action=revert&title=".urlencode($template['title'])."&sid={$sid}&my_post_key={$mybb->post_code}", "return AdminCP.deleteConfirmation(this, '{$lang->confirm_template_revertion}')");
}

$template['pretty_title'] = "<span style=\"color: green;\">{$template['title']}</span>";
$template['pretty_title'] = "<span style=\"color: green;\">".htmlspecialchars_uni($template['title'])."</span>";
}
// This template does not exist in the master list
else if(!isset($template['original']) || $template['original'] == false)
{
$popup->add_item($lang->delete_template, "index.php?module=style-templates&amp;action=delete_template&amp;title=".urlencode($template['title'])."&amp;sid={$sid}&amp;my_post_key={$mybb->post_code}", "return AdminCP.deleteConfirmation(this, '{$lang->confirm_template_deletion}')");

$template['pretty_title'] = "<span style=\"color: blue;\">{$template['title']}</span>";
$template['pretty_title'] = "<span style=\"color: blue;\">".htmlspecialchars_uni($template['title'])."</span>";
}

$table->construct_cell("<span style=\"padding: 20px;\">{$template['pretty_title']}</span>", array("width" => "85%"));
Expand Down Expand Up @@ -1366,7 +1366,7 @@
$popup->add_item($lang->diff_report, "index.php?module=style-templates&amp;action=diff_report&amp;title=".urlencode($template['title'])."&amp;sid1=".$template['sid']."&amp;sid2=-2&amp;from=diff_report");
$popup->add_item($lang->revert_to_orig, "index.php?module=style-templates&amp;action=revert&amp;title=".urlencode($template['title'])."&amp;sid={$sid}&amp;from=diff_report&amp;my_post_key={$mybb->post_code}", "return AdminCP.deleteConfirmation(this, '{$lang->confirm_template_revertion}')");

$table->construct_cell("<a href=\"index.php?module=style-templates&amp;action=edit_template&amp;title=".urlencode($template['title'])."&amp;sid={$sid}&amp;from=diff_report\">{$template['title']}</a>", array('width' => '80%'));
$table->construct_cell("<a href=\"index.php?module=style-templates&amp;action=edit_template&amp;title=".urlencode($template['title'])."&amp;sid={$sid}&amp;from=diff_report\">".htmlspecialchars_uni($template['title'])."</a>", array('width' => '80%'));
$table->construct_cell($popup->fetch(), array("class" => "align_center"));

$table->construct_row();
Expand Down Expand Up @@ -1557,7 +1557,7 @@

$sub_tabs['diff_report'] = array(
'title' => $lang->diff_report,
'link' => "index.php?module=style-templates&amp;action=diff_report&amp;title=".$db->escape_string($mybb->input['title'])."&amp;from=".htmlspecialchars_uni($mybb->input['from'])."sid1=".$mybb->get_input('sid1', MyBB::INPUT_INT)."&amp;sid2=".$mybb->get_input('sid2', MyBB::INPUT_INT),
'link' => "index.php?module=style-templates&amp;action=diff_report&amp;title=".urlencode($mybb->input['title'])."&amp;from=".htmlspecialchars_uni($mybb->input['from'])."sid1=".$mybb->get_input('sid1', MyBB::INPUT_INT)."&amp;sid2=".$mybb->get_input('sid2', MyBB::INPUT_INT),
'description' => $lang->diff_report_desc
);

Expand Down Expand Up @@ -1605,7 +1605,7 @@
$page->add_breadcrumb_item($lang->find_updated, "index.php?module=style-templates&amp;action=find_updated");
}

$page->add_breadcrumb_item($lang->diff_report.": ".htmlspecialchars_uni($template1['title']), "index.php?module=style-templates&amp;action=diff_report&amp;title=".$db->escape_string($mybb->input['title'])."&amp;from=".htmlspecialchars_uni($mybb->input['from'])."&amp;sid1=".$mybb->get_input('sid1', MyBB::INPUT_INT)."&amp;sid2=".$mybb->get_input('sid2', MyBB::INPUT_INT));
$page->add_breadcrumb_item($lang->diff_report.": ".htmlspecialchars_uni($template1['title']), "index.php?module=style-templates&amp;action=diff_report&amp;title=".urlencode($mybb->input['title'])."&amp;from=".htmlspecialchars_uni($mybb->input['from'])."&amp;sid1=".$mybb->get_input('sid1', MyBB::INPUT_INT)."&amp;sid2=".$mybb->get_input('sid2', MyBB::INPUT_INT));

$page->output_header($lang->template_sets);

Expand All @@ -1625,7 +1625,7 @@
$table->construct_cell("<pre class=\"differential\">".$renderer->render($diff)."</pre>");
$table->construct_row();

$table->output($lang->template_diff_analysis.": ".$template1['title']);
$table->output($lang->template_diff_analysis.": ".htmlspecialchars_uni($template1['title']));

$page->output_footer();
}
Expand Down Expand Up @@ -1713,7 +1713,7 @@
$popup->add_item($lang->full_edit, "index.php?module=style-templates&amp;action=edit_template&amp;title=".urlencode($template['title'])."&amp;sid=-1");
$popup->add_item($lang->delete_template, "index.php?module=style-templates&amp;action=delete_template&amp;title=".urlencode($template['title'])."&amp;sid=-1&amp;my_post_key={$mybb->post_code}", "return AdminCP.deleteConfirmation(this, '{$lang->confirm_template_deletion}')");

$table->construct_cell("<a href=\"index.php?module=style-templates&amp;action=edit_template&amp;title=".urlencode($template['title'])."&amp;sid=-1\">{$template['title']}</a>");
$table->construct_cell("<a href=\"index.php?module=style-templates&amp;action=edit_template&amp;title=".urlencode($template['title'])."&amp;sid=-1\">".htmlspecialchars_uni($template['title'])."</a>");
$table->construct_cell($popup->fetch(), array("class" => "align_center"));

$table->construct_row();
Expand Down Expand Up @@ -1894,7 +1894,7 @@ function sort_template_groups($a, $b)

foreach($templates as $template)
{
$template['pretty_title'] = $template['title'];
$template['pretty_title'] = htmlspecialchars_uni($template['title']);

$popup = new PopupMenu("template_{$template['tid']}", $lang->options);
$popup->add_item($lang->full_edit, "index.php?module=style-templates&amp;action=edit_template&amp;title=".urlencode($template['title'])."&amp;sid={$sid}{$expand_str}");
Expand All @@ -1908,14 +1908,14 @@ function sort_template_groups($a, $b)
$popup->add_item($lang->revert_to_orig, "index.php?module=style-templates&amp;action=revert&amp;title=".urlencode($template['title'])."&amp;sid={$sid}&amp;my_post_key={$mybb->post_code}{$expand_str}", "return AdminCP.deleteConfirmation(this, '{$lang->confirm_template_revertion}')");
}

$template['pretty_title'] = "<span style=\"color: green;\">{$template['title']}</span>";
$template['pretty_title'] = "<span style=\"color: green;\">".htmlspecialchars_uni($template['title'])."</span>";
}
// This template does not exist in the master list
else if(isset($template['original']) && $template['original'] == false)
{
$popup->add_item($lang->delete_template, "index.php?module=style-templates&amp;action=delete_template&amp;title=".urlencode($template['title'])."&amp;sid={$sid}&amp;my_post_key={$mybb->post_code}{$expand_str}", "return AdminCP.deleteConfirmation(this, '{$lang->confirm_template_deletion}')");

$template['pretty_title'] = "<span style=\"color: blue;\">{$template['title']}</span>";
$template['pretty_title'] = "<span style=\"color: blue;\">".htmlspecialchars_uni($template['title'])."</span>";
}

$table->construct_cell("<span style=\"padding-left: 20px;\"><a href=\"index.php?module=style-templates&amp;action=edit_template&amp;title=".urlencode($template['title'])."&amp;sid={$sid}{$expand_str}\" >{$template['pretty_title']}</a></span>");
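Review bot: The new `$sub_tabs['diff_report']` link in the hunk at 1557 is still missing the `&amp;` separator before `sid1=`, so the `from` parameter value has `sid1=...` glued onto it and `sid1` is never seen as its own query parameter (the breadcrumb in the hunk at 1605 builds the same URL correctly with `"&amp;sid1="`). On the same line, `from` is HTML-escaped with `htmlspecialchars_uni` but not URL-encoded, which is the wrong context for a query-string value and inconsistent with `title` right next to it; `urlencode` output contains none of `&`, `"`, `<`, `>`, so it is also safe inside the attribute. I would change the line to `'link' => "index.php?module=style-templates&amp;action=diff_report&amp;title=".urlencode($mybb->input['title'])."&amp;from=".urlencode($mybb->input['from'])."&amp;sid1=".$mybb->get_input('sid1', MyBB::INPUT_INT)."&amp;sid2=".$mybb->get_input('sid2', MyBB::INPUT_INT),`. The same `$sub_tabs['diff_report']` link in the hunk at 695 uses bare `&` where every other hunk uses `&amp;`; whether that is intentional depends on how the tab renderer escapes the link, which is outside this diff. The enclosing function or statement run of each hunk starts and ends outside the visible lines.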

0 comments on commit 0d60d98
