From 82719810d03f8c1a46ad96b4630744ddc291d341 Mon Sep 17 00:00:00 2001 From: Ahmad Gneady Date: Sun, 11 Jul 2021 01:02:27 +0200 Subject: [PATCH] Fixed stored xss vulnerability in loaded calendar event title. --- .../calendar-events-unpaid-invoice.json.php | 66 +++++++++---------- 1 file changed, 33 insertions(+), 33 deletions(-) diff --git a/app/hooks/calendar-events-unpaid-invoice.json.php b/app/hooks/calendar-events-unpaid-invoice.json.php index 605b81f..2f6bb90 100644 --- a/app/hooks/calendar-events-unpaid-invoice.json.php +++ b/app/hooks/calendar-events-unpaid-invoice.json.php @@ -3,15 +3,15 @@ Returns an array of events according to the format specified here: https://fullcalendar.io/docs/event-object */ - + define('PREPEND_PATH', '../'); @header('Content-type: application/json'); - + $hooks_dir = dirname(__FILE__); include("{$hooks_dir}/../defaultLang.php"); include("{$hooks_dir}/../language.php"); include("{$hooks_dir}/../lib.php"); - + // event config $type = 'unpaid-invoice'; $color = 'danger'; @@ -30,42 +30,42 @@ /* return this on error */ $nothing = json_encode(array()); - + /* check access */ $from = get_sql_from($table); if(!$from) { // no permission to access that table @header('HTTP/1.0 403 Forbidden'); exit($nothing); } - + $date_handler = function($dt) { $dto = DateTime::createFromFormat(DateTime::ISO8601, $dt); if($dto === false) return false; - + return date('Y-m-d H:i:s', $dto->format('U')); }; - + $start = $date_handler($_REQUEST['start']); $end = $date_handler($_REQUEST['end']); if(!$start || !$end) exit($nothing); - + $events = array(); $fields = get_sql_fields($table); - + /* * Build event start/end conditions: * if event is configured with both a startDateField and endDateField, * get events where startDateField < end and endDateField > start and startDateField <= endDateField * if event is configured with only a startDateField (default), * get events where startDateField < end and startDateField >= start - + * Here, we apply date conditions only and ignore time. * The reason is that the minimum interval for fullcalendar is 1 day. * So, there is no need to build time filters using time fields. */ $eventDatesWhere = "`{$table}`.`{$startDateField}` >= '{$start}' AND `{$table}`.`{$startDateField}` < '{$end}'"; - + if($endDateField) $eventDatesWhere = "NOT ( `{$table}`.`{$startDateField}` < '{$start}' AND `{$table}`.`{$endDateField}` < '{$start}' @@ -73,56 +73,56 @@ `{$table}`.`{$startDateField}` > '{$end}' AND `{$table}`.`{$endDateField}` > '{$end}' )"; - + $eo = array('silentErrors' => true); $res = sql( "SELECT {$fields} FROM {$from} AND ({$eventDatesWhere}) AND ({$customWhere})", $eo ); - + while($row = db_fetch_array($res)) { // preparing event title variables $replace = array(); foreach($row as $key => $value) if(is_numeric($key)) $replace['{' . ($key + 1) . '}'] = $value; $currentTitle = to_utf8(str_replace(array_keys($replace), array_values($replace), $title)); - + $events[] = array( 'id' => to_utf8($row[$pk]), 'url' => PREPEND_PATH . $table . '_view.php?Embedded=1&SelectedID=' . urlencode($row[$pk]), - + /* if a function named 'calendar_event_title' is defined (in hooks/__global.php for example), it will be called instead of using the title defined through the plugin. This is useful if you want to modify/append the default title defined for this event type based on some criteria in the data. For example to add some icon or extra info if specific criteria are met - + The calendar_event_title() function should: 1. Accept the following parameters: (string) event_type (set to current event type) (string) title (set to the default event title) (associative array) event_data (contains the event data as retrieved from this event's table) - + 2. Return a string containing the new/modified title to apply to the event, HTML is allowed */ - 'title' => function_exists('calendar_event_title') ? - call_user_func_array('calendar_event_title', array($type, $currentTitle, $row)) : - $currentTitle, - + 'title' => safe_html(function_exists('calendar_event_title') ? + call_user_func_array('calendar_event_title', array($type, $currentTitle, $row)) : + $currentTitle), + /* if a function named 'calendar_event_classes' is defined (in hooks/__global.php for example), it will be called instead of using the color classes defined through the plugin. This is useful if you want to apply CSS classes other than the default ones defined for this event type based on some criteria in the data. - + The calendar_event_classes() function should: 1. Accept the following parameters: (string) event_type (set to current event type) (string) classes (set to the default classes) (associative array) event_data (contains the event data as retrieved from this event's table) - + 2. Return a string containing CSS class names (space-separated) to apply to the event. */ 'classNames' => ( @@ -131,20 +131,20 @@ function_exists('calendar_event_classes') ? $defaultClasses ), ); - + $lastEvent = &$events[count($events) - 1]; - + // convert formatted start and end dates to ISO $lastEvent['start'] = iso_datetime($row[$startDateField]); $lastEvent['end' ] = $endDateField ? iso_datetime($row[$endDateField]) : $lastEvent['start']; - + if($allDay) { // no start/end time $lastEvent['start'] = date_only($lastEvent['start']); $lastEvent['end' ] = append_time(date_only($lastEvent['end'])); continue; } - + if($startTimeField) $lastEvent['start'] = iso_datetime( // take only the app-formatted date part of startDateField (in case it's a datetime) @@ -152,7 +152,7 @@ function_exists('calendar_event_classes') ? // append a space then fomratted startTimeField ' ' . $row[$startTimeField] ); - + if($endTimeField) $lastEvent['end'] = iso_datetime( // take only the app-formatted date part of endDateField (in case it's a datetime) @@ -161,20 +161,20 @@ function_exists('calendar_event_classes') ? ' ' . $row[$endTimeField] ); } - + /* 512: JSON_PARTIAL_OUTPUT_ON_ERROR */ echo json_encode($events, 512); - + function date_only($dt) { return substr($dt, 0, 10); } - + function iso_datetime($dt) { // if date already in the format yyyy-mm-dd? do nothing if(preg_match('/^[0-9]{4}-/', $dt)) return $dt; - + // convert app-formatted date to iso (mysql) return mysql_datetime($dt); } - + function append_time($d, $t = '23:59:59') { // if date already has time appended, return as-is if(preg_match('/\d?\d:\d?\d(:\d?\d)?\s*$/', $d)) return $d;