Fix Multiple Stored XSS on featuers 'Milestones' , 'Research', 'Retro…

…spective' Disclosure: https://huntr.dev/bounties/1cc6d108-3827-4b62-bcf2-24192af7057d/
Leantime · Nov 13, 2021 · 22a6daa · 22a6daa
1 parent b81a3f3
commit 22a6daa
Show file tree

Hide file tree

Showing 4 changed files with 10 additions and 6 deletions.
diff --git a/src/domain/leancanvas/templates/canvasDialog.tpl.php b/src/domain/leancanvas/templates/canvasDialog.tpl.php
@@ -19,7 +19,7 @@
 
 <div class="showDialogOnLoad" style="display:none;">
 
-    <h4 class="widgettitle title-light"><i class="iconfa iconfa-columns"></i> <?php echo $canvasTypes[$canvasItem['box']]; ?> <?php echo $canvasItem['description']; ?></h4>
+    <h4 class="widgettitle title-light"><i class="iconfa iconfa-columns"></i> <?php echo $canvasTypes[$canvasItem['box']]; ?> <?php $this->e($canvasItem['description']); ?></h4>
 
     <?php echo $this->displayNotification(); ?>
 

diff --git a/src/domain/retrospectives/templates/showBoards.tpl.php b/src/domain/retrospectives/templates/showBoards.tpl.php
@@ -101,7 +101,7 @@
                                                 </div>
                                             <?php } ?>
 
-                                            <h4><a href="<?=BASE_URL ?>/retrospectives/retroDialog/<?php echo $row["id"];?>" class="retroModal"  data="item_<?php echo $row["id"];?>"><?php echo $row["description"];?></a></h4>
+                                            <h4><a href="<?=BASE_URL ?>/retrospectives/retroDialog/<?php echo $row["id"];?>" class="retroModal"  data="item_<?php echo $row["id"];?>"><?php $this->e($row["description"]);?></a></h4>
 
                                             <div class="mainIdeaContent">
                                                 <?php  $this->e($row["data"]); ?>
@@ -199,7 +199,7 @@
                                                 </div>
                                             <?php } ?>
 
-                                            <h4><a href="/retrospectives/retroDialog/<?php echo $row["id"];?>" class="retroModal"  data="item_<?php echo $row["id"];?>"><?php echo $row["description"];?></a></h4>
+                                            <h4><a href="/retrospectives/retroDialog/<?php echo $row["id"];?>" class="retroModal"  data="item_<?php echo $row["id"];?>"><?php $this->e($row["description"]);?></a></h4>
 
                                             <div class="mainIdeaContent">
                                                 <?php  $this->e($row["data"]); ?>
@@ -297,7 +297,7 @@
                                                 </div>
                                             <?php } ?>
 
-                                            <h4><a href="<?=BASE_URL ?>/retrospectives/retroDialog/<?php echo $row["id"];?>" class="retroModal"  data="item_<?php echo $row["id"];?>"><?php echo $row["description"];?></a></h4>
+                                            <h4><a href="<?=BASE_URL ?>/retrospectives/retroDialog/<?php echo $row["id"];?>" class="retroModal"  data="item_<?php echo $row["id"];?>"><?php $this->e($row["description"]);?></a></h4>
 
                                             <div class="mainIdeaContent">
                                                 <?php  $this->e($row["data"]); ?>

diff --git a/src/domain/tickets/js/ticketsController.js b/src/domain/tickets/js/ticketsController.js
@@ -78,6 +78,10 @@ leantime.ticketsController = (function () {
 
     var initGanttChart = function (tasks, viewMode) {
 
+        function htmlEntities(str) {
+            return String(str).replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;').replace(/"/g, '&quot;');
+        };
+
         jQuery(document).ready(
             function () {
 
@@ -88,7 +92,7 @@ leantime.ticketsController = (function () {
                             // dates and progress value
                             var end_date = task._end.format(leantime.i18n.__("language.momentJSDate"));
                             return '<div class="details-container"> ' +
-                            '<h4><a href="'+leantime.appUrl+'/tickets/editMilestone/'+task.id+'" class="milestoneModal">'+task.name+'</a></h4><br /> ' +
+                            '<h4><a href="'+leantime.appUrl+'/tickets/editMilestone/'+task.id+'" class="milestoneModal">'+htmlEntities(task.name)+'</a></h4><br /> ' +
                             '<p>'+leantime.i18n.__("text.expected_to_finish_by")+' <strong>'+end_date+'</strong><br /> ' +
                             ''+Math.round(task.progress)+'%</p> ' +
                             '<a href="'+leantime.appUrl+'/tickets/editMilestone/'+task.id+'" class="milestoneModal"><span class="fa fa-map"></span> '+leantime.i18n.__("links.edit_milestone") +'</a> | ' +

diff --git a/src/domain/tickets/templates/milestoneDialog.tpl.php b/src/domain/tickets/templates/milestoneDialog.tpl.php
@@ -26,7 +26,7 @@
     <form class="formModal" method="post" action="<?=BASE_URL ?>/tickets/editMilestone/<?php echo $currentMilestone->id ?>" style="min-width: 250px;">
 
         <label><?=$this->__("label.milestone_title"); ?></label>
-        <input type="text" name="headline" value="<?php echo $currentMilestone->headline?>" placeholder="<?=$this->__("label.milestone_title"); ?>"/><br />
+        <input type="text" name="headline" value="<?php $this->e($currentMilestone->headline) ?>" placeholder="<?=$this->__("label.milestone_title"); ?>"/><br />
 
         <label><?php echo $this->__('label.todo_status'); ?></label>
         <select id="status-select" name="status" class="span11"