
Issue #1308: Fix possible js injection in dynamic field error messages.
* WIP Execute Translate and html via Template

* Using another jQuery function to extract text

* Improved data handling

* Improved data handling in previously forgotten files
stefanhaerter committed Oct 8, 2021
1 parent b323248 commit 741a845
Showing 11 changed files with 61 additions and 20 deletions.
7 changes: 6 additions & 1 deletion Kernel/System/DynamicField/Driver/BaseDatabase.pm
Expand Up @@ -360,7 +360,12 @@ EOF

if ( $Param{ServerError} ) {

my $ErrorMessage = $Param{ErrorMessage} || 'This field is required.';
my $ErrorMessage = $Param{LayoutObject}->Output(
'Template' => '[% Translate(Data.ErrorMessage) | html %]',
'Data' => {
'ErrorMessage' => $Param{ErrorMessage} || 'This field is required.',
}
);
my $DivID = $FieldName . 'ServerError';

my $FieldRequiredMessage = $Param{LayoutObject}->{LanguageObject}->Translate($ErrorMessage);
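Review bot: The retained line `my $FieldRequiredMessage = $Param{LayoutObject}->{LanguageObject}->Translate($ErrorMessage);` now runs Translate() over a string that the new Output() call has already translated and HTML-escaped, so the translated, entity-encoded text is looked up as a translation key a second time; the other nine drivers in this commit appear to have dropped their separate Translate() call, and this one should follow, e.g. `my $FieldRequiredMessage = $ErrorMessage;`. Because `$ErrorMessage` is now markup-safe output rather than plain text, a comment above the Output() call would keep the next maintainer from escaping it twice or interpolating it where plain text is expected: `# Render through the layout so the message is translated and HTML-escaped in one step; $ErrorMessage is markup-safe from here on.` The same comment applies to the identical blocks in BaseDateTime.pm, BaseSelect.pm, BaseText.pm, Checkbox.pm, ContactWD.pm, Date.pm, Multiselect.pm, TextArea.pm and WebService.pm, and the ten verbatim copies of this Output() call could be hoisted into one helper on the base driver so the escaping lives in a single place. Whether `$FieldRequiredMessage` or `$ErrorMessage` is later used in an attribute or plain-text context is not visible here; the enclosing method starts and ends outside the hunk.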
8 changes: 6 additions & 2 deletions Kernel/System/DynamicField/Driver/BaseDateTime.pm
Expand Up @@ -285,8 +285,12 @@ EOF

if ( $Param{ServerError} ) {

my $ErrorMessage = $Param{ErrorMessage} || 'This field is required.';
$ErrorMessage = $Param{LayoutObject}->{LanguageObject}->Translate($ErrorMessage);
my $ErrorMessage = $Param{LayoutObject}->Output(
'Template' => '[% Translate(Data.ErrorMessage) | html %]',
'Data' => {
'ErrorMessage' => $Param{ErrorMessage} || 'This field is required.',
}
);
my $DivID = $FieldName . 'UsedServerError';

# for server side validation
8 changes: 6 additions & 2 deletions Kernel/System/DynamicField/Driver/BaseSelect.pm
Expand Up @@ -267,8 +267,12 @@ EOF

if ( $Param{ServerError} ) {

my $ErrorMessage = $Param{ErrorMessage} || 'This field is required.';
$ErrorMessage = $Param{LayoutObject}->{LanguageObject}->Translate($ErrorMessage);
my $ErrorMessage = $Param{LayoutObject}->Output(
'Template' => '[% Translate(Data.ErrorMessage) | html %]',
'Data' => {
'ErrorMessage' => $Param{ErrorMessage} || 'This field is required.',
}
);
my $DivID = $FieldName . 'ServerError';

# for server side validation
8 changes: 6 additions & 2 deletions Kernel/System/DynamicField/Driver/BaseText.pm
Expand Up @@ -252,8 +252,12 @@ EOF

if ( $Param{ServerError} ) {

my $ErrorMessage = $Param{ErrorMessage} || 'This field is required.';
$ErrorMessage = $Param{LayoutObject}->{LanguageObject}->Translate($ErrorMessage);
my $ErrorMessage = $Param{LayoutObject}->Output(
'Template' => '[% Translate(Data.ErrorMessage) | html %]',
'Data' => {
'ErrorMessage' => $Param{ErrorMessage} || 'This field is required.',
}
);
my $DivID = $FieldName . 'ServerError';

# for server side validation
8 changes: 6 additions & 2 deletions Kernel/System/DynamicField/Driver/Checkbox.pm
Expand Up @@ -342,8 +342,12 @@ EOF

if ( $Param{ServerError} ) {

my $ErrorMessage = $Param{ErrorMessage} || 'This field is required.';
$ErrorMessage = $Param{LayoutObject}->{LanguageObject}->Translate($ErrorMessage);
my $ErrorMessage = $Param{LayoutObject}->Output(
'Template' => '[% Translate(Data.ErrorMessage) | html %]',
'Data' => {
'ErrorMessage' => $Param{ErrorMessage} || 'This field is required.',
}
);
my $DivID = $FieldName . 'ServerError';

# for server side validation
8 changes: 6 additions & 2 deletions Kernel/System/DynamicField/Driver/ContactWD.pm
Expand Up @@ -262,8 +262,12 @@ EOF

if ( $Param{ServerError} ) {

my $ErrorMessage = $Param{ErrorMessage} || 'This field is required.';
$ErrorMessage = $Param{LayoutObject}->{LanguageObject}->Translate($ErrorMessage);
my $ErrorMessage = $Param{LayoutObject}->Output(
'Template' => '[% Translate(Data.ErrorMessage) | html %]',
'Data' => {
'ErrorMessage' => $Param{ErrorMessage} || 'This field is required.',
}
);
my $DivID = $FieldName . 'ServerError';

# for server side validation
8 changes: 6 additions & 2 deletions Kernel/System/DynamicField/Driver/Date.pm
Expand Up @@ -381,8 +381,12 @@ EOF

if ( $Param{ServerError} ) {

my $ErrorMessage = $Param{ErrorMessage} || 'This field is required.';
$ErrorMessage = $Param{LayoutObject}->{LanguageObject}->Translate($ErrorMessage);
my $ErrorMessage = $Param{LayoutObject}->Output(
'Template' => '[% Translate(Data.ErrorMessage) | html %]',
'Data' => {
'ErrorMessage' => $Param{ErrorMessage} || 'This field is required.',
}
);
my $DivID = $FieldName . 'UsedServerError';

# for server side validation
8 changes: 6 additions & 2 deletions Kernel/System/DynamicField/Driver/Multiselect.pm
Expand Up @@ -396,8 +396,12 @@ EOF

if ( $Param{ServerError} ) {

my $ErrorMessage = $Param{ErrorMessage} || 'This field is required.';
$ErrorMessage = $Param{LayoutObject}->{LanguageObject}->Translate($ErrorMessage);
my $ErrorMessage = $Param{LayoutObject}->Output(
'Template' => '[% Translate(Data.ErrorMessage) | html %]',
'Data' => {
'ErrorMessage' => $Param{ErrorMessage} || 'This field is required.',
}
);
my $DivID = $FieldName . 'ServerError';

# for server side validation
8 changes: 6 additions & 2 deletions Kernel/System/DynamicField/Driver/TextArea.pm
Expand Up @@ -209,8 +209,12 @@ EOF

if ( $Param{ServerError} ) {

my $ErrorMessage = $Param{ErrorMessage} || 'This field is required.';
$ErrorMessage = $Param{LayoutObject}->{LanguageObject}->Translate($ErrorMessage);
my $ErrorMessage = $Param{LayoutObject}->Output(
'Template' => '[% Translate(Data.ErrorMessage) | html %]',
'Data' => {
'ErrorMessage' => $Param{ErrorMessage} || 'This field is required.',
}
);
my $DivID = $FieldName . 'ServerError';

# for server side validation
8 changes: 6 additions & 2 deletions Kernel/System/DynamicField/Driver/WebService.pm
Expand Up @@ -359,8 +359,12 @@ EOF

if ( $Param{ServerError} ) {

my $ErrorMessage = $Param{ErrorMessage} || 'This field is required.';
$ErrorMessage = $Param{LayoutObject}->{LanguageObject}->Translate($ErrorMessage);
my $ErrorMessage = $Param{LayoutObject}->Output(
'Template' => '[% Translate(Data.ErrorMessage) | html %]',
'Data' => {
'ErrorMessage' => $Param{ErrorMessage} || 'This field is required.',
}
);
my $DivID = $FieldName . 'ServerError';

# For server side validation.
2 changes: 1 addition & 1 deletion var/httpd/htdocs/js/Core.Form.Validate.js
Expand Up @@ -141,7 +141,7 @@ Core.Form.Validate = (function (TargetNS) {
// Get the target element and find the associated hidden div with the
// error message.
InputErrorMessageHTML = $('#' + Core.App.EscapeSelector($Element.attr('id')) + ErrorType).html();
InputErrorMessageText = $('#' + Core.App.EscapeSelector($Element.attr('id')) + ErrorType).text();
InputErrorMessageText = $('#' + Core.App.EscapeSelector($Element.attr('id')) + ErrorType + ' > p').first().html();

if (InputErrorMessageHTML && InputErrorMessageHTML.length) {
// If error field is a RTE, it is a little bit more difficult.
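Review bot: `InputErrorMessageText` now holds the still-escaped HTML of the first `<p>` inside the hidden error div rather than decoded text, so the variable name no longer describes its contents and the line silently depends on every driver wrapping the message in a `<p>`; a hidden div without that wrapper makes `.first().html()` return `undefined`, and the guard on the next line (`if (InputErrorMessageHTML && InputErrorMessageHTML.length)`) checks only the other variable. The reason for the switch should be recorded at the assignment: `// Read .html() of the <p>, not .text(): .text() would decode the server-side HTML escaping and reintroduce the injection fixed in #1308.` A fallback such as `InputErrorMessageText = $(...).first().html() || '';` would keep later string operations from tripping on `undefined`. How `InputErrorMessageText` is inserted into the page is not visible in this hunk, and the enclosing function starts and ends outside it.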
