- fix multiple sanitation issues

Leantime · Aug 30, 2021 · 7cbdbf7 · 7cbdbf7 · scgajge12 · Aug 31, 2022
1 parent 8a42373
commit 7cbdbf7
Show file tree

Hide file tree

Showing 7 changed files with 10 additions and 11 deletions.
diff --git a/src/domain/calendar/templates/addEvent.tpl.php b/src/domain/calendar/templates/addEvent.tpl.php
@@ -26,7 +26,7 @@
             <form action="" method="post" class='stdform'>
 
                 <label for="description"><?php echo $this->__('label.title') ?></label>
-                <input type="text" id="description" name="description" value="<?php echo $values['description']; ?>" /><br />
+                <input type="text" id="description" name="description" value="<?php $this->e($values['description']); ?>" /><br />
 
                 <div class="par">
                     <label for="dateFrom"><?php echo $this->__('label.start_date') ?></label>

diff --git a/src/domain/ideas/templates/ideaDialog.tpl.php b/src/domain/ideas/templates/ideaDialog.tpl.php
@@ -42,10 +42,9 @@ class="iconfa iconfa-columns"></i>
         <input type="text" name="description" value="<?php $this->e($canvasItem['description']); ?>"
                placeholder="<?php echo $this->__("input.placeholders.short_name") ?>"/><br/>
 
-
         <label><?php echo $this->__("label.description") ?></label>
         <textarea rows="3" cols="10" name="data" class="ideaTextEditor"
-                  placeholder=""><?php echo $canvasItem['data'] ?></textarea><br/>
+                  placeholder=""><?php $this->e($canvasItem['data']) ?></textarea><br/>
 
         <input type="hidden" name="milestoneId" value="<?php echo $canvasItem['milestoneId'] ?>"/>
         <input type="hidden" name="changeItem" value="1"/>

diff --git a/src/domain/leancanvas/templates/canvasDialog.tpl.php b/src/domain/leancanvas/templates/canvasDialog.tpl.php
@@ -30,7 +30,7 @@
         <input type="hidden" value="<?php echo $canvasItem['box'] ?>" name="box" id="box"/>
         <input type="hidden" value="<?php echo $id ?>" name="itemId" id="itemId"/>
         <label><?=$this->__("label.hypothesis") ?></label>
-        <input type="text" name="description" value="<?php echo $canvasItem['description'] ?>" placeholder="<?=$this->__("input.placeholders.describe_hypothesis") ?>" style="width:100%"/><br />
+        <input type="text" name="description" value="<?php $this->e($canvasItem['description']) ?>" placeholder="<?=$this->__("input.placeholders.describe_hypothesis") ?>" style="width:100%"/><br />
         <label><?=$this->__("label.status") ?></label>
         <select name="status">
             <option value="danger" <?php if($canvasItem['status'] == 'danger') {echo"selected='selected' ";

diff --git a/src/domain/leancanvas/templates/delCanvasItem.tpl.php b/src/domain/leancanvas/templates/delCanvasItem.tpl.php
@@ -1,12 +1,12 @@
 <?php
 defined('RESTRICTED') or die('Restricted access');
 $ticket = $this->get('ticket');
-
+$id = filter_var($_GET['id'], FILTER_SANITIZE_NUMBER_INT);
 ?>
 
 <h4 class="widgettitle title-light"><?=$this->__("subtitles.delete") ?></h4>
 
-<form method="post" action="<?=BASE_URL ?>/leancanvas/delCanvasItem/<?php echo $_GET['id']?>">
+<form method="post" action="<?=BASE_URL ?>/leancanvas/delCanvasItem/<?php echo $id; ?>">
     <p><?php echo $this->__('text.confirm_research_board_item_deletion'); ?></p><br />
     <input type="submit" value="<?php echo $this->__('buttons.yes_delete'); ?>" name="del" class="button" />
     <a class="btn btn-secondary" href="<?=BASE_URL ?>/leancanvas/simpleCanvas"><?php echo $this->__('buttons.back'); ?></a>

diff --git a/src/domain/retrospectives/templates/retroDialog.tpl.php b/src/domain/retrospectives/templates/retroDialog.tpl.php
@@ -37,11 +37,11 @@
         <input type="hidden" value="<?php echo $canvasItem['box'] ?>" name="box" id="box"/>
         <input type="hidden" value="<?php echo $id ?>" name="itemId" id="itemId"/>
         <label><?php echo $this->__("label.description") ?></label>
-        <input type="text" name="description" value="<?php echo $canvasItem['description'] ?>" placeholder="<?php echo $this->__("input.placeholders.describe_situation") ?>"/><br />
+        <input type="text" name="description" value="<?php $this->e($canvasItem['description']); ?>" placeholder="<?php echo $this->__("input.placeholders.describe_situation") ?>"/><br />
 
 
         <label><?php echo $this->__("label.examples") ?></label>
-        <textarea rows="3" cols="10" name="data" class="modalTextArea" placeholder="<?php echo $this->__("input.placeholders.list_examples") ?>"><?php echo $canvasItem['data'] ?></textarea><br />
+        <textarea rows="3" cols="10" name="data" class="modalTextArea" placeholder="<?php echo $this->__("input.placeholders.list_examples") ?>"><?php $this->e($canvasItem['data']); ?></textarea><br />
 
         <input type="hidden" name="milestoneId" value="<?php echo $canvasItem['milestoneId'] ?>" />
         <input type="hidden" name="changeItem" value="1" />

diff --git a/src/domain/setting/templates/editBoxDialog.tpl.php b/src/domain/setting/templates/editBoxDialog.tpl.php
@@ -8,7 +8,7 @@
     echo $this->displayNotification();
 ?>
 
-<form class="editLabelModal" method="post" action="<?=BASE_URL ?>/setting/editBoxLabel?module=<?php echo $_GET['module']?>&label=<?php echo $_GET['label']?>">
+<form class="editLabelModal" method="post" action="<?=BASE_URL ?>/setting/editBoxLabel?module=<?php $this->e($_GET['module']) ?>&label=<?php  $this->e($_GET['label']) ?>">
 
     <label><?=$this->__("label.label")?></label>
     <input type="text" name="newLabel" value="<?php echo $currentLabel; ?>" /><br />

diff --git a/src/domain/timesheets/templates/showMy.tpl.php b/src/domain/timesheets/templates/showMy.tpl.php
@@ -324,8 +324,8 @@
                             ?>
 
                                 <tr class="gradeA timesheetRow">
-                                    <td width="14%"><?php echo $timeRow["name"]; ?></td>
-                                    <td width="14%"><?php echo $timeRow["headline"]; ?></td>
+                                    <td width="14%"><?php $this->e($timeRow["name"]); ?></td>
+                                    <td width="14%"><?php $this->e($timeRow["headline"]); ?></td>
                                     <td width="10%"><?php echo $this->__($this->get('kind')[$timeRow['kind']]); ?></td>
                                     <?php $currentDate = $dateFrom->format('Y-m-d'); ?>
                                     <td width="7%" class="rowMo <?php if($today == $currentDate)echo"active"; ?>" <?php if($today == $currentDate)echo"active"; ?>><input type="text" class="<?php echo $timeRow["workDates"]; ?> hourCell" name="<?php echo $timeRow["ticketId"];?>|<?php if(in_array($currentDate, $workDatesArray) == true) echo "existing"; else echo "new";?>|<?php echo $currentDate ?>|<?php echo $timeRow["kind"];?>" value="<?php echo $timeRow["hoursMonday"]; ?>" /></td>