From 22a6daab532914054338eec269c0ab7245d21737 Mon Sep 17 00:00:00 2001
From: noobpk <ltp.noobpk@gmail.com>
Date: Sat, 13 Nov 2021 21:47:20 +0700
Subject: [PATCH] Fix Multiple Stored XSS on featuers 'Milestones' ,
 'Research', 'Retrospective' Disclosure:
 https://huntr.dev/bounties/1cc6d108-3827-4b62-bcf2-24192af7057d/

---
 src/domain/leancanvas/templates/canvasDialog.tpl.php   | 2 +-
 src/domain/retrospectives/templates/showBoards.tpl.php | 6 +++---
 src/domain/tickets/js/ticketsController.js             | 6 +++++-
 src/domain/tickets/templates/milestoneDialog.tpl.php   | 2 +-
 4 files changed, 10 insertions(+), 6 deletions(-)

diff --git a/src/domain/leancanvas/templates/canvasDialog.tpl.php b/src/domain/leancanvas/templates/canvasDialog.tpl.php
index b6d7def46..572d003ae 100644
--- a/src/domain/leancanvas/templates/canvasDialog.tpl.php
+++ b/src/domain/leancanvas/templates/canvasDialog.tpl.php
@@ -19,7 +19,7 @@
 
 <div class="showDialogOnLoad" style="display:none;">
 
-    <h4 class="widgettitle title-light"><i class="iconfa iconfa-columns"></i> <?php echo $canvasTypes[$canvasItem['box']]; ?> <?php echo $canvasItem['description']; ?></h4>
+    <h4 class="widgettitle title-light"><i class="iconfa iconfa-columns"></i> <?php echo $canvasTypes[$canvasItem['box']]; ?> <?php $this->e($canvasItem['description']); ?></h4>
 
     <?php echo $this->displayNotification(); ?>
 
diff --git a/src/domain/retrospectives/templates/showBoards.tpl.php b/src/domain/retrospectives/templates/showBoards.tpl.php
index 59bb1607d..7438d3ba5 100644
--- a/src/domain/retrospectives/templates/showBoards.tpl.php
+++ b/src/domain/retrospectives/templates/showBoards.tpl.php
@@ -101,7 +101,7 @@
                                                 </div>
                                             <?php } ?>
 
-                                            <h4><a href="<?=BASE_URL ?>/retrospectives/retroDialog/<?php echo $row["id"];?>" class="retroModal"  data="item_<?php echo $row["id"];?>"><?php echo $row["description"];?></a></h4>
+                                            <h4><a href="<?=BASE_URL ?>/retrospectives/retroDialog/<?php echo $row["id"];?>" class="retroModal"  data="item_<?php echo $row["id"];?>"><?php $this->e($row["description"]);?></a></h4>
 
                                             <div class="mainIdeaContent">
                                                 <?php  $this->e($row["data"]); ?>
@@ -199,7 +199,7 @@
                                                 </div>
                                             <?php } ?>
 
-                                            <h4><a href="/retrospectives/retroDialog/<?php echo $row["id"];?>" class="retroModal"  data="item_<?php echo $row["id"];?>"><?php echo $row["description"];?></a></h4>
+                                            <h4><a href="/retrospectives/retroDialog/<?php echo $row["id"];?>" class="retroModal"  data="item_<?php echo $row["id"];?>"><?php $this->e($row["description"]);?></a></h4>
 
                                             <div class="mainIdeaContent">
                                                 <?php  $this->e($row["data"]); ?>
@@ -297,7 +297,7 @@
                                                 </div>
                                             <?php } ?>
 
-                                            <h4><a href="<?=BASE_URL ?>/retrospectives/retroDialog/<?php echo $row["id"];?>" class="retroModal"  data="item_<?php echo $row["id"];?>"><?php echo $row["description"];?></a></h4>
+                                            <h4><a href="<?=BASE_URL ?>/retrospectives/retroDialog/<?php echo $row["id"];?>" class="retroModal"  data="item_<?php echo $row["id"];?>"><?php $this->e($row["description"]);?></a></h4>
 
                                             <div class="mainIdeaContent">
                                                 <?php  $this->e($row["data"]); ?>
diff --git a/src/domain/tickets/js/ticketsController.js b/src/domain/tickets/js/ticketsController.js
index 6a2a6e0cc..1e3303847 100644
--- a/src/domain/tickets/js/ticketsController.js
+++ b/src/domain/tickets/js/ticketsController.js
@@ -78,6 +78,10 @@ leantime.ticketsController = (function () {
 
     var initGanttChart = function (tasks, viewMode) {
 
+        function htmlEntities(str) {
+            return String(str).replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;').replace(/"/g, '&quot;');
+        };
+
         jQuery(document).ready(
             function () {
 
@@ -88,7 +92,7 @@ leantime.ticketsController = (function () {
                             // dates and progress value
                             var end_date = task._end.format(leantime.i18n.__("language.momentJSDate"));
                             return '<div class="details-container"> ' +
-                            '<h4><a href="'+leantime.appUrl+'/tickets/editMilestone/'+task.id+'" class="milestoneModal">'+task.name+'</a></h4><br /> ' +
+                            '<h4><a href="'+leantime.appUrl+'/tickets/editMilestone/'+task.id+'" class="milestoneModal">'+htmlEntities(task.name)+'</a></h4><br /> ' +
                             '<p>'+leantime.i18n.__("text.expected_to_finish_by")+' <strong>'+end_date+'</strong><br /> ' +
                             ''+Math.round(task.progress)+'%</p> ' +
                             '<a href="'+leantime.appUrl+'/tickets/editMilestone/'+task.id+'" class="milestoneModal"><span class="fa fa-map"></span> '+leantime.i18n.__("links.edit_milestone") +'</a> | ' +
diff --git a/src/domain/tickets/templates/milestoneDialog.tpl.php b/src/domain/tickets/templates/milestoneDialog.tpl.php
index d5794a741..4c5fe8b00 100644
--- a/src/domain/tickets/templates/milestoneDialog.tpl.php
+++ b/src/domain/tickets/templates/milestoneDialog.tpl.php
@@ -26,7 +26,7 @@
     <form class="formModal" method="post" action="<?=BASE_URL ?>/tickets/editMilestone/<?php echo $currentMilestone->id ?>" style="min-width: 250px;">
 
         <label><?=$this->__("label.milestone_title"); ?></label>
-        <input type="text" name="headline" value="<?php echo $currentMilestone->headline?>" placeholder="<?=$this->__("label.milestone_title"); ?>"/><br />
+        <input type="text" name="headline" value="<?php $this->e($currentMilestone->headline) ?>" placeholder="<?=$this->__("label.milestone_title"); ?>"/><br />
 
         <label><?php echo $this->__('label.todo_status'); ?></label>
         <select id="status-select" name="status" class="span11"