Fix stored xss issue in nicedit (sandboxing iframes).

Prevent directory browsing of various resource folders. Improved UI in homepage.
bigprof-software · Jul 10, 2021 · f899a23 · f899a23
1 parent 3edc6c5
commit f899a23
Show file tree

Hide file tree

Showing 7 changed files with 10 additions and 5 deletions.
diff --git a/app/admin/incFunctions.php b/app/admin/incFunctions.php
@@ -1691,7 +1691,12 @@ function safe_html($str, $noBr = false) {
 		if($str == strip_tags($str)) return $noBr ? $str : nl2br($str);
 
 		$hc = new CI_Input(datalist_db_encoding);
-		return $hc->xss_clean(bgStyleToClass($str));
+		$str = $hc->xss_clean(bgStyleToClass($str));
+
+		// sandbox iframes
+		$str = preg_replace('/(<|&lt;)iframe(.*?)(>|&gt;)/i', '$1iframe sandbox $2$3', $str);
+
+		return $str;
 	}
 	#########################################################
 	function getLoggedGroupID() {

diff --git a/app/admin/pageServerStatus.php b/app/admin/pageServerStatus.php
@@ -1,6 +1,6 @@
 <?php
 	$appgini_version = '6.0.1145';
-	$generated_ts = '3/7/2021 7:31:31 PM';
+	$generated_ts = '10/7/2021 9:20:39 PM';
 
 	$currDir = dirname(__FILE__);
 	require("{$currDir}/incCommon.php");

diff --git a/app/home.php b/app/home.php
@@ -124,8 +124,8 @@
 									<?php if($can_insert && $tChkAHAN !== false && $tChkAHAN !== null) { ?>
 
 										<div class="btn-group" style="width: 100%;">
-										   <a style="width: 85%;" class="btn btn-lg <?php echo (!$i ? $block_classes['first']['link'] : $block_classes['other']['link']); ?>" title="<?php echo preg_replace("/&amp;(#[0-9]+|[a-z]+);/i", "&$1;", html_attr(strip_tags($tc['Description']))); ?>" href="<?php echo $tn; ?>_view.php<?php echo $searchFirst; ?>"><?php echo ($tc['tableIcon'] ? '<img src="' . $tc['tableIcon'] . '">' : '');?><strong class="table-caption"><?php echo $tc['Caption']; ?></strong><?php echo $count_badge; ?></a>
-										   <a id="<?php echo $tn; ?>_add_new" style="width: 15%; padding-right: 0.1rem; padding-left: 0.1rem;" class="btn btn-add-new btn-lg <?php echo (!$i ? $block_classes['first']['link'] : $block_classes['other']['link']); ?>" title="<?php echo html_attr($Translation['Add New']); ?>" href="<?php echo $tn; ?>_view.php?addNew_x=1"><i style="vertical-align: bottom;" class="glyphicon glyphicon-plus"></i></a>
+										   <a style="width: calc(100% - 3.5em);" class="btn btn-lg <?php echo (!$i ? $block_classes['first']['link'] : $block_classes['other']['link']); ?>" title="<?php echo preg_replace("/&amp;(#[0-9]+|[a-z]+);/i", "&$1;", html_attr(strip_tags($tc['Description']))); ?>" href="<?php echo $tn; ?>_view.php<?php echo $searchFirst; ?>"><?php echo ($tc['tableIcon'] ? '<img src="' . $tc['tableIcon'] . '">' : '');?><strong class="table-caption"><?php echo $tc['Caption']; ?></strong><?php echo $count_badge; ?></a>
+										   <a id="<?php echo $tn; ?>_add_new" style="width: 3.5em; padding-right: 0.1rem; padding-left: 0.1rem;" class="btn btn-add-new btn-lg <?php echo (!$i ? $block_classes['first']['link'] : $block_classes['other']['link']); ?>" title="<?php echo html_attr($Translation['Add New']); ?>" href="<?php echo $tn; ?>_view.php?addNew_x=1"><i style="vertical-align: bottom;" class="glyphicon glyphicon-plus"></i></a>
 										</div>
 									<?php } else { ?>
 

diff --git a/app/resources/bootstrap-datetimepicker/index.html b/app/resources/bootstrap-datetimepicker/index.html
diff --git a/app/resources/hotkeys/index.html b/app/resources/hotkeys/index.html
diff --git a/app/resources/moment/index.html b/app/resources/moment/index.html
diff --git a/online-invoicing-system.axp b/online-invoicing-system.axp