Merge branch 'ent-7887-Vulnerabilidad-xss-en-operaciones-masivas-de-módulos' into 'develop'

Ent 7887 vulnerabilidad xss en operaciones masivas de módulos

See merge request artica/pandorafms!4365

pandora_console/godmode/massive/massive_copy_modules.php

@@ -404,7 +404,8 @@ $(document).ready (function () {
             "get_agent_modules_json" : 1,
             "get_id_and_name" : 1,
             "disabled" : 0,
-            "id_agent" : id_agent
+            "id_agent" : id_agent,
+            "safe_name": 1,
         };
 
         var tags_to_search = $('#tags').val();
@@ -434,7 +435,7 @@ $(document).ready (function () {
                     jQuery.each (data, function (i, val) {
                         option = $("<option></option>")
                             .attr ("value", val["id_agente_modulo"])
-                            .append (val["nombre"]);
+                            .append (val["safe_name"]);
                         $("#target_modules").append (option);
                     });
                     

pandora_console/godmode/massive/massive_delete_modules.php

@@ -685,7 +685,8 @@ $(document).ready (function () {
             "get_agent_modules_json" : 1,
             "get_distinct_name" : 1,
             "indexed" : 0,
-            "privilege" : "AW"
+            "privilege" : "AW",
+            "safe_name": 1
         };
         
         if (this.value != '0')
@@ -712,7 +713,7 @@ $(document).ready (function () {
                 jQuery.each (data, function (id, value) {
                     option = $("<option></option>")
                         .attr("value", value["nombre"])
-                        .html(value["nombre"]);
+                        .html(value["safe_name"]);
                     $("#module_name").append (option);
                 });
                 hideSpinner();

pandora_console/godmode/massive/massive_edit_modules.php

@@ -1326,12 +1326,13 @@ $(document).ready (function () {
             "page" : "operation/agentes/ver_agente",
             "get_agent_modules_json" : 1,
             "get_distinct_name" : 1,
-            "indexed" : 0
+            "indexed" : 0,
+            "safe_name" : 1
         };
-        
+
         if (this.value != '0')
             params['id_tipo_modulo'] = this.value;
-        
+
         var status_module = $('#status_module').val();
         if (status_module != '-1')
             params['status_module'] = status_module;
@@ -1342,16 +1343,16 @@ $(document).ready (function () {
                 params['tags'] = tags_to_search;
             }
         }
-        
+
         showSpinner();
         $("tr#delete_table-edit1, tr#delete_table-edit0, tr#delete_table-edit2").hide ();
         $("#module_name").attr ("disabled", "disabled")
-        $("#module_name option[value!=0]").remove ();
+        $("#module_name option[value!=0]").remove();
         jQuery.post ("ajax.php",
             params,
             function (data, status) {
                 jQuery.each (data, function (id, value) {
-                    option = $("<option></option>").attr ("value", value["nombre"]).html (value["nombre"]);
+                    option = $("<option></option>").attr("value", value["nombre"]).html(value["safe_name"]);
                     $("#module_name").append (option);
                 });
                 hideSpinner();

pandora_console/operation/agentes/ver_agente.php

@@ -887,6 +887,8 @@ if (is_ajax()) {
 
         $tags = (array) get_parameter('tags', []);
 
+        $safe_name = (bool) get_parameter('safe_name', false);
+
         // Filter.
         $filter = [];
         if ($disabled !== -1) {
@@ -1024,6 +1026,9 @@ if (is_ajax()) {
 
         foreach ($agent_modules as $key => $module) {
             $agent_modules[$key]['nombre'] = io_safe_output($module['nombre']);
+            if ($safe_name == true) {
+                $agent_modules[$key]['safe_name'] = $module['nombre'];
+            }
         }
 
         $get_order_json = (bool) get_parameter('get_order_json', false);