Fix XSS payload (add script into content)

Bump version
InfotelGLPI · Nov 8, 2022 · 4a1b30f · 4a1b30f
1 parent b5eabaa
commit 4a1b30f
Show file tree

Hide file tree

Showing 4 changed files with 12 additions and 2 deletions.
diff --git a/inc/task.class.php b/inc/task.class.php
@@ -332,9 +332,14 @@ function cleanDBonPurge() {
     */
    function prepareInputForAdd($input) {
 
+
       if (isset($input['due_date']) && empty($input['due_date'])) {
          $input['due_date'] = 'NULL';
       }
+       if (isset($input['content'])) {
+        $input['content'] = Glpi\RichText\RichText::getSafeHtml($input['content'], true);
+       }
+
       if (isset($input["id"]) && ($input["id"] > 0)) {
          $input["_oldID"] = $input["id"];
       }

diff --git a/inc/tasktype.class.php b/inc/tasktype.class.php
@@ -269,7 +269,7 @@ static function getKanbanColumns($ID, $column_field = null, $column_ids = [], $g
                $content      .= "</div>";
                $rich_content = "";
                if ($data['content'] != null) {
-                  $rich_content = Glpi\RichText\RichText::getTextFromHtml($data['content'], false, true);
+                  $rich_content = Glpi\RichText\RichText::getTextFromHtml($data['content'], false, true, true);
                }
                $content .= Html::resume_text($rich_content, 100);
                $content .= "</div>";

diff --git a/setup.php b/setup.php
@@ -27,7 +27,7 @@
  --------------------------------------------------------------------------
  */
 
-define('PLUGIN_TASKLISTS_VERSION', '2.0.2');
+define('PLUGIN_TASKLISTS_VERSION', '2.0.3');
 
 if (!defined("PLUGIN_TASKLISTS_DIR")) {
    define("PLUGIN_TASKLISTS_DIR", Plugin::getPhpDir("tasklists"));

diff --git a/tasklists.xml b/tasklists.xml
@@ -25,6 +25,11 @@
         <author>Infotel</author>
     </authors>
     <versions>
+        <version>
+            <num>2.0.3</num>
+            <compatibility>~10.0</compatibility>
+            <download_url>https://github.com/InfotelGLPI/tasklists/releases/download/2.0.3/glpi-tasklists-2.0.3.tar.bz2</download_url>
+        </version>
         <version>
             <num>2.0.2</num>
             <compatibility>~10.0</compatibility>