Fixed with a workaround in io_safe_output for the SQL items in the reports.

This commit is contained in:
mdtrooper 2015-02-17 15:09:22 +01:00
parent 6b5ab72c05
commit 8b232ead56
3 changed files with 56 additions and 6 deletions


@ -249,6 +249,54 @@ function io_safe_output($value, $utf8 = true)
return $valueHtmlEncode;
}
//----------------------------------------------------------
// Work arround.
//
// It is the function from 6.0 and it is used in this
// part of code only.
//----------------------------------------------------------
function patched_io_safe_output($value, $utf8 = true) {
if (is_numeric($value))
return $value;
if (is_array($value)) {
array_walk($value, "io_safe_output_array");
return $value;
}
if (! mb_check_encoding ($value, 'UTF-8'))
$value = utf8_encode ($value);
//Replace the html entitie of ( for the char
$value = str_replace("(", '(', $value);
//Replace the html entitie of ) for the char
$value = str_replace(")", ')', $value);
//Replace the html entitie of < for the char
$value = str_replace("&lt;", '<', $value);
//Replace the html entitie of > for the char
$value = str_replace("&gt;", '>', $value);
//Revert html entities to chars
for ($i = 0; $i < 33; $i++) {
$value = str_ireplace("&#x" . dechex($i) . ";",
io_html_to_ascii(dechex($i)), $value);
}
if ($utf8) {
$value = html_entity_decode ($value, ENT_QUOTES, "UTF-8");
}
else {
$value = html_entity_decode ($value, ENT_QUOTES);
}
return $value;
}
//----------------------------------------------------------
/**
* Convert the $value encode in html entity to clear char string. This function
* should be called always to "clean" HTML encoded data; to render to a text
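Review bot: The banner above `patched_io_safe_output` says only that it is the 6.0 version used here, not what it does differently from the local `io_safe_output`, which is exactly what a maintainer needs before removing the duplicate; I would replace the "Work arround" banner with a docblock naming the concrete difference (which entity or decoding step the local `io_safe_output` lacks), the call sites that depend on it, and the version at which it is meant to be deleted. The array branch delegates to `io_safe_output_array`, which I assume routes back through the unpatched `io_safe_output`, so array inputs presumably do not get the patched behaviour — worth confirming, or changing the branch to recurse into `patched_io_safe_output`. As rendered here the first two `str_replace` calls replace `(` with `(` and `)` with `)`; if the source really holds the `&#40;`/`&#41;` entities the calls are fine, otherwise they are no-ops and should go.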


@ -4635,7 +4635,7 @@ function reporting_render_report_html_item ($content, $table, $report, $mini = f
}
$table->colspan[$next_row][0] = 3;
$table2->class = 'databox';
$table2->width = '100%';
@ -4645,21 +4645,23 @@ function reporting_render_report_html_item ($content, $table, $report, $mini = f
$table2->head = explode('|', $content['header_definition']);
}
if ($content['treport_custom_sql_id'] != 0) {
switch ($config["dbtype"]) {
case "mysql":
$sql = io_safe_output (db_get_value_filter('`sql`', 'treport_custom_sql', array('id' => $content['treport_custom_sql_id'])));
$sql = patched_io_safe_output (db_get_value_filter('`sql`', 'treport_custom_sql', array('id' => $content['treport_custom_sql_id'])));
break;
case "postgresql":
$sql = io_safe_output (db_get_value_filter('"sql"', 'treport_custom_sql', array('id' => $content['treport_custom_sql_id'])));
$sql = patched_io_safe_output (db_get_value_filter('"sql"', 'treport_custom_sql', array('id' => $content['treport_custom_sql_id'])));
break;
case "oracle":
$sql = io_safe_output (db_get_value_filter('sql', 'treport_custom_sql', array('id' => $content['treport_custom_sql_id'])));
$sql = patched_io_safe_output (db_get_value_filter('sql', 'treport_custom_sql', array('id' => $content['treport_custom_sql_id'])));
break;
}
}
else {
$sql = io_safe_output ($content['external_source']);
$sql = patched_io_safe_output ($content['external_source']);
}
// Do a security check on SQL coming from the user
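Review bot: The three `case` arms differ only in how the `sql` column name is quoted, so the new `patched_io_safe_output(db_get_value_filter(...))` call is now repeated verbatim three times; select the quoted column name in the switch and make the call once after it. The switch has no `default`, so for an unexpected `$config["dbtype"]` `$sql` stays unset and reaches the check below as null — pre-existing, but a `default` that makes the failure explicit would be cheap to add here. Because the decoded string is later executed as a query, the security check referenced by the comment following this hunk has to run on the entity-decoded text rather than on the stored value; that check lies outside the hunk, so I cannot confirm its order. The same replacement in the third file (`$sql = patched_io_safe_output($sql)` feeding `db_get_all_rows_sql`) has no such check visible in its hunk, so it should be reviewed for the same ordering.
```php
switch ($config["dbtype"]) {
    case "mysql":
        $sql_column = '`sql`';
        break;
    case "postgresql":
        $sql_column = '"sql"';
        break;
    case "oracle":
        $sql_column = 'sql';
        break;
}
$sql = patched_io_safe_output(db_get_value_filter($sql_column, 'treport_custom_sql', array('id' => $content['treport_custom_sql_id'])));
// … unchanged: external_source branch and the security check that follows …
```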


@ -698,7 +698,7 @@ foreach ($contents as $content) {
$sql = $content['external_source'];
}
$sql = safe_output ($sql);
$sql = patched_io_safe_output($sql);
$result = db_get_all_rows_sql($sql);
if ($result === false) {
$result = array();