[Fusionforge-commits] FusionForge branch master updated. v6.0.2-223-gf5280b6

Alain Peyrat aljeux at libremir.placard.fr.eu.org
Wed Sep 9 21:11:02 CEST 2015


This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "FusionForge".

The branch, master has been updated
       via  f5280b629495081c72938074f19ab9f9b5fbac5a (commit)
       via  106612c1d7395aa9437f72c968a4c87b12540c92 (commit)
      from  ea59138f0746504c6e8a045a2c1d6c0fbdcd1d36 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
https://scm.fusionforge.org/anonscm/gitweb/?p=fusionforge/fusionforge.git;a=commitdiff;h=f5280b629495081c72938074f19ab9f9b5fbac5a

commit f5280b629495081c72938074f19ab9f9b5fbac5a
Author: Alain Peyrat <aljeux at free.fr>
Date:   Wed Sep 9 21:10:47 2015 +0200

    Fix XSS in date

diff --git a/src/www/activity/index.php b/src/www/activity/index.php
index c1c5921..728e126 100644
--- a/src/www/activity/index.php
+++ b/src/www/activity/index.php
@@ -202,12 +202,12 @@ echo html_e('input', array('type' => 'hidden', 'name' => 'group_id', 'value' =>
 
 <div id="activity_startdate" >
 <div id="activity_label_startdate"><?php echo _('Start Date')._(':'); ?></div>
-<input name="start_date" value="<?php echo $rendered_begin; ?>" size="10" maxlength="10" />
+<input name="start_date" value="<?php echo util_html_encode($rendered_begin) ?>" size="10" maxlength="10" />
 </div>
 
 <div id="activity_enddate" >
 <div id="activity_label_enddate"><?php echo _('End Date')._(':'); ?></div>
-<input name="end_date" value="<?php echo $rendered_end; ?>" size="10" maxlength="10" />
+<input name="end_date" value="<?php echo util_html_encode($rendered_end) ?>" size="10" maxlength="10" />
 </div>
 
 <div id="activity_submit" >
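Review bot: The two rewritten `<input>` lines drop the `;` before `?>` while the unchanged label lines just above (`echo _('Start Date')._(':'); ?>`) keep it; the closing tag implies the semicolon so this is legal, but for consistency within the template write `<?php echo util_html_encode($rendered_begin); ?>` and likewise for `$rendered_end`. Where `$rendered_begin` and `$rendered_end` are computed lies outside the hunk, so whether they are still echoed unencoded anywhere else in the page cannot be seen here and is worth checking before closing the issue.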
@@ -390,5 +390,4 @@ echo $HTML->closeForm();
 	echo '</div>';
 }
 
-
 site_project_footer();

https://scm.fusionforge.org/anonscm/gitweb/?p=fusionforge/fusionforge.git;a=commitdiff;h=106612c1d7395aa9437f72c968a4c87b12540c92

commit 106612c1d7395aa9437f72c968a4c87b12540c92
Author: Alain Peyrat <aljeux at free.fr>
Date:   Wed Sep 9 21:10:08 2015 +0200

    Fix XSS

diff --git a/src/common/tracker/actions/csv.php b/src/common/tracker/actions/csv.php
index 924691d..931a049 100644
--- a/src/common/tracker/actions/csv.php
+++ b/src/common/tracker/actions/csv.php
@@ -62,7 +62,7 @@ if (session_loggedin()) {
 }
 
 $headers = getIntFromRequest('headers', $default['headers']);
-$sep = getStringFromRequest('sep', $default['sep']);
+$sep = getFilteredStringFromRequest('sep', '/^[,;]$/', $default['sep']);
 
 if (session_loggedin()) {
 	if ( ($sep !== $default['sep']) || ($headers !== $default['headers']) ) {
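Review bot: The allow-list pattern `'/^[,;]$/'` on the new `$sep` line is looser than it looks: in PCRE `$` also matches just before a final newline, so a value of `,` followed by a newline passes the filter and reaches the CSV writer as the separator. Anchor with `\z` or add the `D` modifier, e.g. `$sep = getFilteredStringFromRequest('sep', '/^[,;]\z/', $default['sep']);`. The same pattern appears in the hunks for src/common/tracker/actions/downloadcsv.php, src/www/pm/csv.php and src/www/pm/downloadcsv.php and should be tightened in all four places. This assumes getFilteredStringFromRequest returns the default when the pattern does not match; its implementation is not part of this diff.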
@@ -76,7 +76,7 @@ $url_set_format = '/tracker/?group_id='.$group_id.'&atid='.$ath->getID().'&a
 $url_export = '/tracker/?group_id='.$group_id.'&atid='.$ath->getID().'&func=downloadcsv&sep='.urlencode($sep).'&headers='.$headers;
 
 $format = $headers ? ' with headers' : ' without headers';
-$format .= " using '$sep' as separator.";
+$format .= " using '".htmlentities($sep)."' as separator.";
 ?>
 <p><?php echo _('This page allows you to export the items using a CSV (<a href="http://en.wikipedia.org/wiki/Comma-separated_values">Comma Separated Values</a>) File. This format can be used to view your entries using your favorite spreadsheet software.'); ?></p>
 <h2><?php echo _('Export as a CSV file'); ?></h2>
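Review bot: `htmlentities($sep)` on the new `$format .=` line is called without flags, so with the ENT_COMPAT default of PHP versions of this era a single quote is left unencoded even though the value is placed inside single quotes in the message; with `$sep` now restricted to `,` or `;` by the previous hunk this is not currently reachable, but the escaping should not rely on the filter. Pass explicit flags, `$format .= " using '".htmlentities($sep, ENT_QUOTES, 'UTF-8')."' as separator.";`, or use the project's `util_html_encode()` that the sibling commit on this page uses for the same purpose. The same applies to the second hunk of src/www/pm/csv.php. Where `$format` is finally output lies outside the hunk.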
diff --git a/src/common/tracker/actions/downloadcsv.php b/src/common/tracker/actions/downloadcsv.php
index 280d92c..930113a 100644
--- a/src/common/tracker/actions/downloadcsv.php
+++ b/src/common/tracker/actions/downloadcsv.php
@@ -23,7 +23,7 @@ require_once $gfcommon.'tracker/ArtifactFactory.class.php';
 global $ath;
 
 $headers = getIntFromRequest('headers');
-$sep = getStringFromRequest('sep', ',');
+$sep = getFilteredStringFromRequest('sep', '/^[,;]$/', ',');
 
 $date = date('Y-m-d');
 
diff --git a/src/www/pm/csv.php b/src/www/pm/csv.php
index 6b8d36e..94b60a0 100644
--- a/src/www/pm/csv.php
+++ b/src/www/pm/csv.php
@@ -62,7 +62,7 @@ if (session_loggedin()) {
 
 $headers = getIntFromRequest('headers', $default['headers']);
 $full = getIntFromRequest('full', $default['full']);
-$sep = getStringFromRequest('sep', $default['sep']);
+$sep = getFilteredStringFromRequest('sep', '/^[,;]$/', $default['sep']);
 
 if (session_loggedin()) {
 	if ( ($sep !== $default['sep']) || ($headers !== $default['headers']) ) {
@@ -73,7 +73,7 @@ if (session_loggedin()) {
 
 $format = $full ? "Full CSV" : "Normal CSV";
 $format .= $headers ? ' with headers' : ' without headers';
-$format .= " using '$sep' as separator.";
+$format .= " using '".htmlentities($sep)."' as separator.";
 
 echo html_e('p', array(), _('This page allows you to export or import all the tasks using a CSV (<a href="http://en.wikipedia.org/wiki/Comma-separated_values">Comma Separated Values</a>) File. This format can be used to view tasks using Microsoft Excel.'));
 echo html_e('h2', array(), _('Export tasks as a CSV file'));
diff --git a/src/www/pm/downloadcsv.php b/src/www/pm/downloadcsv.php
index 2ad60f2..42678ed 100644
--- a/src/www/pm/downloadcsv.php
+++ b/src/www/pm/downloadcsv.php
@@ -84,7 +84,7 @@ require_once $gfcommon.'pm/ProjectTaskFactory.class.php';
 
 $headers = getIntFromRequest('headers');
 $full = getIntFromRequest('full');
-$sep = getStringFromRequest('sep', ',');
+$sep = getFilteredStringFromRequest('sep', '/^[,;]$/', ',');
 
 $date = date('Y-m-d');
 

-----------------------------------------------------------------------

Summary of changes:
 src/common/tracker/actions/csv.php         | 4 ++--
 src/common/tracker/actions/downloadcsv.php | 2 +-
 src/www/activity/index.php                 | 5 ++---
 src/www/pm/csv.php                         | 4 ++--
 src/www/pm/downloadcsv.php                 | 2 +-
 5 files changed, 8 insertions(+), 9 deletions(-)


hooks/post-receive
-- 
FusionForge


