Fix events view XSS vulnerabilities

Calvo 2022-11-22 15:54:19 +01:00
parent a48e677b80
commit 5aa51f28de
3 changed files with 6 additions and 6 deletions


@ -370,7 +370,7 @@ $table->data[5][1] = html_print_select(
$table->data[6][0] = '<b>'.__('Free search').'</b>'; $table->data[6][0] = '<b>'.__('Free search').'</b>';
$table->data[6][1] = html_print_input_text( $table->data[6][1] = html_print_input_text(
'search', 'search',
io_safe_output($search), $search,
'', '',
15, 15,
255, 255,
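Review bot: Dropping io_safe_output() means the value rendered into the search field now depends on $search still carrying whatever encoding it had when it was read, and nothing in the hunk shows where $search comes from or whether html_print_input_text() escapes the value attribute itself. The reason for passing it through untouched should be recorded at the call site so a later cleanup does not reintroduce the decode, e.g. `// Pass $search as stored: decoding it here would place unescaped user input in the value attribute.` If html_print_input_text() does not escape its value, the fix relies entirely on the caller having encoded $search, which is worth confirming. The html_print_input_text() call continues past the hunk.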


@ -1123,13 +1123,13 @@ function events_get_all(
$sql_filters[] = sprintf( $sql_filters[] = sprintf(
' AND JSON_VALID(custom_data) = 1 ' AND JSON_VALID(custom_data) = 1
AND (JSON_EXTRACT(custom_data, "$.*") LIKE lower("%%%s%%") COLLATE utf8mb4_0900_ai_ci) ', AND (JSON_EXTRACT(custom_data, "$.*") LIKE lower("%%%s%%") COLLATE utf8mb4_0900_ai_ci) ',
io_safe_output($filter['custom_data']) io_safe_output_html($filter['custom_data'])
); );
} else { } else {
$sql_filters[] = sprintf( $sql_filters[] = sprintf(
' AND JSON_VALID(custom_data) = 1 ' AND JSON_VALID(custom_data) = 1
AND (JSON_SEARCH(JSON_KEYS(custom_data), "all", lower("%%%s%%") COLLATE utf8mb4_0900_ai_ci) IS NOT NULL) ', AND (JSON_SEARCH(JSON_KEYS(custom_data), "all", lower("%%%s%%") COLLATE utf8mb4_0900_ai_ci) IS NOT NULL) ',
io_safe_output($filter['custom_data']) io_safe_output_html($filter['custom_data'])
); );
} }
} else { } else {
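Review bot: Both sprintf() calls in this hunk still splice $filter['custom_data'] straight into the SQL LIKE pattern; swapping io_safe_output() for io_safe_output_html() changes how HTML entities are handled but does not add any SQL escaping, and none is visible in the hunk. Unless the value is escaped for SQL before it reaches events_get_all(), the query remains injectable, and LIKE metacharacters (`%`, `_`) in the value are also interpreted as wildcards rather than literals. Prefer passing the value as a bound parameter or, if the surrounding code builds the query as a string, escape it with the project's SQL escaping helper right before each sprintf() and note the assumption, e.g. `// custom_data must already be SQL-escaped here; io_safe_output_html() only handles HTML entities.` The same applies to the second sprintf() in the else branch. events_get_all() begins and ends outside the hunk.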


@ -2880,11 +2880,11 @@ $(document).ready( function() {
$("#text-event_view_hr").on("keyup",function(){ $("#text-event_view_hr").on("keyup",function(){
hours = $('#text-event_view_hr').val(); hours = $('#text-event_view_hr').val();
if (hours == '' || hours == 0 ) { if (hours == '' || hours == 0 ) {
$('#summary_hours').html('<?php echo __('Any'); ?>'); $('#summary_hours').text('<?php echo __('Any'); ?>');
} else if (hours == 1) { } else if (hours == 1) {
$('#summary_hours').html('<?php echo __('Last hour.'); ?>'); $('#summary_hours').text('<?php echo __('Last hour.'); ?>');
} else { } else {
$('#summary_hours').html(hours + '<?php echo ' '.__('hours.'); ?>'); $('#summary_hours').text(hours + '<?php echo ' '.__('hours.'); ?>');
} }
}); });