From bce1fb419c317c254e3542adf3f765b0444b9557 Mon Sep 17 00:00:00 2001
From: Michael Larabel
Date: Sat, 11 Jun 2022 05:52:47 -0500
Subject: [PATCH] pts-core: Additional input sanitization work in the result viewer code for those using Phoromatic or those changing the default setting for opting for non-local access to the local result viewer
---
 pts-core/objects/pts_result_viewer_embed.php | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)
diff --git a/pts-core/objects/pts_result_viewer_embed.php b/pts-core/objects/pts_result_viewer_embed.php
index 8e697a5001..62d6d8dd9a 100644
--- a/pts-core/objects/pts_result_viewer_embed.php
+++ b/pts-core/objects/pts_result_viewer_embed.php
@@ -860,6 +860,8 @@ public static function get_html_options_markup(&$result_file, &$request, $public
 $si = $sys->get_identifier();
 $ppdx = rtrim(base64_encode($si), '=');
 $ppd = self::check_request_for_var($request, 'ppd_' . $ppdx);
+ $ppd = is_numeric($ppd) && $ppd > 0 ? $ppd : 0;
+ $t .= '
';
 if($system_count > 1)
@@ -1225,6 +1227,15 @@ public static function check_request_for_var(&$request, $check)
 $ret = str_replace('_DD_', '.', $ret);
 }
+ foreach(pts_strings::safety_strings_to_reject() as $invalid_string)
+ {
+ if(stripos($ret, $invalid_string) !== false)
+ {
+ echo 'Exited due to invalid input ( ' . $invalid_string . ') attempted: ' . htmlspecialchars($ret);
+ exit;
+ }
+ }
+
 return $ret;
 }
 public static function process_request_to_attributes(&$request, &$result_file, &$extra_attributes)
@@ -1531,7 +1542,7 @@ public static function process_request_to_attributes(&$request, &$result_file, &
 }
 public static function html_input_field($name, $id, $on_change = null)
 {
- return '';
+ return '';
 }
 public static function html_select_menu($name, $id, $on_change, $elements, $use_index = true, $other_attributes = array(), $selected = false)
 {
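Review bot: The new guard on `$ppd` keeps the request value as the raw string whenever `is_numeric()` accepts it, and `is_numeric()` also accepts leading whitespace (trailing whitespace too on PHP 8), a `+` sign and exponent forms such as `1e3`, so whatever later consumes `$ppd` still sees that raw text rather than a canonical number. Casting on the same line, `$ppd = is_numeric($ppd) && $ppd > 0 ? (float) $ppd : 0;` (or `(int)` if only whole values are meant), fixes the representation; which of the two is right depends on how `$ppd` is used, which is not visible in this hunk. The string appended to `$t` on the next added line has had its markup stripped in this copy, so that part of the change cannot be reviewed here. get_html_options_markup starts before the hunk and continues after it.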
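Review bot: The rejection message escapes `$ret` with `htmlspecialchars($ret)` and no flags, which on PHP releases before 8.1 leaves single quotes untouched, and this branch runs exactly when `$ret` contains a denylisted fragment; make the context explicit with `htmlspecialchars($ret, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')`. The loop is a substring denylist: any value that happens to contain one of the fragments from `pts_strings::safety_strings_to_reject()` is rejected outright and anything not on the list passes, so per-context escaping at the point of output (html_input_field in the last hunk) has to remain the primary control and this check is defence in depth. If `$ret` can still be an array here (the start of check_request_for_var is outside the hunk, so its assignment is not visible), `stripos()` throws a TypeError on PHP 8; an `is_string($ret)` guard would make the check total. Calling `exit` from a static helper also ends the whole request from inside the object; throwing an exception would let the viewer's entry point decide how to report the rejection.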
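Review bot: Both the removed and the added `return` line of html_input_field read `return '';` in this copy because the markup inside the string literal was stripped, so the escaping the new line applies cannot be checked from here. Given the signature, `$name`, `$id` and `$on_change` are presumably interpolated into attributes of the generated input element, and each value placed in an attribute needs attribute-context escaping with explicit flags, e.g. `htmlspecialchars($name, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')`, rather than a bare `htmlspecialchars()`. `$on_change` presumably ends up in an onchange handler, a JavaScript context where attribute escaping alone does not neutralise an untrusted value, so it should only ever be a caller-supplied constant and never anything derived from the request. As a point of style, the signature is untyped; `public static function html_input_field(string $name, string $id, ?string $on_change = null): string` would state the contract if the project's minimum PHP version allows scalar types.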