
Commit e7a8eeb

update for XSS restrictions (#586)
* https://github.com/Sakura-501/Opencats-0.9.7-Vulnerabilities/blob/d085fe2a26d10d6009a73d66fb7319fd4a2ba426/Opencats-0.9.7-sql%20injection%20in%20viewerrors-importID.md * Opencats-0.9.7-Reflected XSS in onChangeTag * Opencats-0.9.7-Stored XSS in Calendar-Add-Event.md * Update CalendarUI.php update the XSS fix * Updated internal module(UI).php elements to restrict XSS * updated Calendar XSS fix to use function, incremented version. Signed-off-by: RussH <russellh@ysmail.net> --------- Signed-off-by: RussH <russellh@ysmail.net>
1 parent df7e373 commit e7a8eeb


20 files changed

+166
-165
lines changed


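--- a/ajax.php
+++ b/ajax.php
@@ -3,7 +3,7 @@
  * CATS
  * AJAX Delegation Module
  *
- * CATS Version: 0.9.6
+ * CATS Version: 0.9.7.1
  *
  * Copyright (C) 2005 - 2007 Cognizo Technologies, Inc.
  *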

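--- a/careers/index.php
+++ b/careers/index.php
@@ -3,7 +3,7 @@
  * CATS
  * Careers Page Display Module
  *
- * CATS Version: 0.9.6
+ * CATS Version: 0.9.7.1
  *
  * Copyright (C) 2005 - 2007 Cognizo Technologies, Inc.
  *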

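--- a/constants.php
+++ b/constants.php
@@ -42,7 +42,7 @@
 
 /* CATS Version */
 
-define('CATS_VERSION', '0.9.6');
+define('CATS_VERSION', '0.9.7.1');
 
 
 /* Copyright information at bottom of pages. */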

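--- a/index.php
+++ b/index.php
@@ -3,7 +3,7 @@
  * CATS
  * Index (Delegation Module)
  *
- * CATS Version: 0.9.6
+ * CATS Version: 0.9.7.1
  *
  * Copyright (C) 2005 - 2007 Cognizo Technologies, Inc.
  *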

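--- a/lib/UserInterface.php
+++ b/lib/UserInterface.php
@@ -389,7 +389,7 @@ protected function getSanitisedInput($key, $request)
 {
 if (isset($request[$key]))
 {
-return trim(htmlspecialchars($request[$key], ENT_QUOTES));
+return trim(htmlspecialchars($request[$key], ENT_QUOTES, FALSE));
 }
 return '';
 }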
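Review bot: The added `FALSE` occupies the third parameter of htmlspecialchars, which is `$encoding`, not `$double_encode`; coerced to an empty string it just selects the default charset, so the call still double-encodes already-encoded values and the edit has no effect on the escaping. If the intent was to stop re-encoding entities on edit round-trips, the line should be `return trim(htmlspecialchars($request[$key], ENT_QUOTES, 'UTF-8', false));`, with the charset given explicitly so the result does not depend on ini settings. Without ENT_SUBSTITUTE, invalid UTF-8 input makes htmlspecialchars return an empty string, so a malformed byte sequence silently erases the field; worth a comment on the helper either way. This helper now feeds values that are stored by CalendarUI, CandidatesUI and CompaniesUI, so its docblock should state that the return value is HTML-entity-encoded and is only safe for an HTML-body context; every output path that escapes again, and every non-HTML consumer (e-mail, search, CSV), will see entities. The function signature is on the line before this hunk.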

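--- a/modules/activity/dataGrids.php
+++ b/modules/activity/dataGrids.php
@@ -3,7 +3,7 @@
  * CATS
  * Contacts Datagrid
  *
- * CATS Version: 0.9.6
+ * CATS Version: 0.9.7.1
  *
  * Copyright (C) 2005 - 2007 Cognizo Technologies, Inc.
  *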

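--- a/modules/calendar/CalendarUI.php
+++ b/modules/calendar/CalendarUI.php
@@ -392,11 +392,10 @@ private function onAddEvent()
 
 $publicEntry = $this->isChecked('publicEntry', $_POST);
 $reminderEnabled = $this->isChecked('reminderToggle', $_POST);
-
-$description = $this->getTrimmedInput('description', $_POST);
-$title = $this->getTrimmedInput('title', $_POST);
-$reminderEmail = $this->getTrimmedInput('sendEmail', $_POST);
-$reminderTime = $this->getTrimmedInput('reminderTime', $_POST);
+$description = $this->getSanitisedInput('description', $_POST);
+$title = $this->getSanitisedInput('title', $_POST);
+$reminderEmail = $this->getSanitisedInput('sendEmail', $_POST);
+$reminderTime = $this->getSanitisedInput('reminderTime', $_POST);
 
 // FIXME: Reminder time must be an integer!
 
@@ -583,9 +582,9 @@ private function onEditEvent()
 $publicEntry = $this->isChecked('publicEntry', $_POST);
 $reminderEnabled = $this->isChecked('reminderToggle', $_POST);
 
-$description = $this->getTrimmedInput('description', $_POST);
-$title = $this->getTrimmedInput('title', $_POST);
-$reminderEmail = $this->getTrimmedInput('sendEmail', $_POST);
+$description = $this->getSanitisedInput('description', $_POST);
+$title = $this->getSanitisedInput('title', $_POST);
+$reminderEmail = $this->getSanitisedInput('sendEmail', $_POST);
 $reminderTime = $this->getTrimmedInput('reminderTime', $_POST);
 
 // FIXME: Reminder time must be an integer!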
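Review bot: In onAddEvent, `$reminderTime` is HTML-encoded but still not validated as the integer the FIXME on the next line demands, and onEditEvent leaves the same field as `getTrimmedInput`, so the two handlers now treat it differently. A numeric field is better constrained than escaped: `$reminderTime = (int) $this->getTrimmedInput('reminderTime', $_POST);` in both handlers closes the FIXME and removes the need to escape it at all. `$reminderEmail` is an address that presumably ends up in a mail header rather than in HTML (the mailer is outside this hunk), so entity-encoding it turns a legal `'` or `&` into a different address; `filter_var(..., FILTER_VALIDATE_EMAIL)` with rejection on failure is the right check for that field, and `$description`/`$title` should be escaped where they are rendered so stored text is not double-encoded by any template that already escapes. Both handlers begin and end outside the hunks.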

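--- a/modules/candidates/CandidatesUI.php
+++ b/modules/candidates/CandidatesUI.php
@@ -899,27 +899,27 @@ public function checkParsingFunctions()
 
 // Retain all field data since this isn't done over AJAX (yet)
 $fields = array(
-'firstName' => $this->getTrimmedInput('firstName', $_POST),
-'middleName' => $this->getTrimmedInput('middleName', $_POST),
-'lastName' => $this->getTrimmedInput('lastName', $_POST),
-'email1' => $this->getTrimmedInput('email1', $_POST),
-'email2' => $this->getTrimmedInput('email2', $_POST),
-'phoneHome' => $this->getTrimmedInput('phoneHome', $_POST),
-'phoneCell' => $this->getTrimmedInput('phoneCell', $_POST),
-'phoneWork' => $this->getTrimmedInput('phoneWork', $_POST),
-'address' => $this->getTrimmedInput('address', $_POST),
-'city' => $this->getTrimmedInput('city', $_POST),
-'state' => $this->getTrimmedInput('state', $_POST),
-'zip' => $this->getTrimmedInput('zip', $_POST),
+'firstName' => $this->getSanitisedInput('firstName', $_POST),
+'middleName' => $this->getSanitisedInput('middleName', $_POST),
+'lastName' => $this->getSanitisedInput('lastName', $_POST),
+'email1' => $this->getSanitisedInput('email1', $_POST),
+'email2' => $this->getSanitisedInput('email2', $_POST),
+'phoneHome' => $this->getSanitisedInput('phoneHome', $_POST),
+'phoneCell' => $this->getSanitisedInput('phoneCell', $_POST),
+'phoneWork' => $this->getSanitisedInput('phoneWork', $_POST),
+'address' => $this->getSanitisedInput('address', $_POST),
+'city' => $this->getSanitisedInput('city', $_POST),
+'state' => $this->getSanitisedInput('state', $_POST),
+'zip' => $this->getSanitisedInput('zip', $_POST),
 'source' => $this->getTrimmedInput('source', $_POST),
-'keySkills' => $this->getTrimmedInput('keySkills', $_POST),
-'currentEmployer' => $this->getTrimmedInput('currentEmployer', $_POST),
-'currentPay' => $this->getTrimmedInput('currentPay', $_POST),
-'desiredPay' => $this->getTrimmedInput('desiredPay', $_POST),
-'notes' => $this->getTrimmedInput('notes', $_POST),
-'canRelocate' => $this->getTrimmedInput('canRelocate', $_POST),
-'webSite' => $this->getTrimmedInput('webSite', $_POST),
-'bestTimeToCall' => $this->getTrimmedInput('bestTimeToCall', $_POST),
+'keySkills' => $this->getSanitisedInput('keySkills', $_POST),
+'currentEmployer' => $this->getSanitisedInput('currentEmployer', $_POST),
+'currentPay' => $this->getSanitisedInput('currentPay', $_POST),
+'desiredPay' => $this->getSanitisedInput('desiredPay', $_POST),
+'notes' => $this->getSanitisedInput('notes', $_POST),
+'canRelocate' => $this->getSanitisedInput('canRelocate', $_POST),
+'webSite' => $this->getSanitisedInput('webSite', $_POST),
+'bestTimeToCall' => $this->getSanitisedInput('bestTimeToCall', $_POST),
 'gender' => $this->getTrimmedInput('gender', $_POST),
 'race' => $this->getTrimmedInput('race', $_POST),
 'veteran' => $this->getTrimmedInput('veteran', $_POST),
@@ -1205,39 +1205,39 @@ private function onEdit()
 }
 
 $formattedPhoneHome = StringUtility::extractPhoneNumber(
-$this->getTrimmedInput('phoneHome', $_POST)
+$this->getSanitisedInput('phoneHome', $_POST)
 );
 if (!empty($formattedPhoneHome))
 {
 $phoneHome = $formattedPhoneHome;
 }
 else
 {
-$phoneHome = $this->getTrimmedInput('phoneHome', $_POST);
+$phoneHome = $this->getSanitisedInput('phoneHome', $_POST);
 }
 
 $formattedPhoneCell = StringUtility::extractPhoneNumber(
-$this->getTrimmedInput('phoneCell', $_POST)
+$this->getSanitisedInput('phoneCell', $_POST)
 );
 if (!empty($formattedPhoneCell))
 {
 $phoneCell = $formattedPhoneCell;
 }
 else
 {
-$phoneCell = $this->getTrimmedInput('phoneCell', $_POST);
+$phoneCell = $this->getSanitisedInput('phoneCell', $_POST);
 }
 
 $formattedPhoneWork = StringUtility::extractPhoneNumber(
-$this->getTrimmedInput('phoneWork', $_POST)
+$this->getSanitisedInput('phoneWork', $_POST)
 );
 if (!empty($formattedPhoneWork))
 {
 $phoneWork = $formattedPhoneWork;
 }
 else
 {
-$phoneWork = $this->getTrimmedInput('phoneWork', $_POST);
+$phoneWork = $this->getSanitisedInput('phoneWork', $_POST);
 }
 
 $candidateID = $_POST['candidateID'];
@@ -1310,22 +1310,22 @@ private function onEdit()
 }
 
 $isActive = $this->isChecked('isActive', $_POST);
-$firstName = $this->getTrimmedInput('firstName', $_POST);
-$middleName = $this->getTrimmedInput('middleName', $_POST);
-$lastName = $this->getTrimmedInput('lastName', $_POST);
-$email1 = $this->getTrimmedInput('email1', $_POST);
-$email2 = $this->getTrimmedInput('email2', $_POST);
-$address = $this->getTrimmedInput('address', $_POST);
-$city = $this->getTrimmedInput('city', $_POST);
-$state = $this->getTrimmedInput('state', $_POST);
-$zip = $this->getTrimmedInput('zip', $_POST);
-$source = $this->getTrimmedInput('source', $_POST);
-$keySkills = $this->getTrimmedInput('keySkills', $_POST);
-$currentEmployer = $this->getTrimmedInput('currentEmployer', $_POST);
-$currentPay = $this->getTrimmedInput('currentPay', $_POST);
-$desiredPay = $this->getTrimmedInput('desiredPay', $_POST);
-$notes = $this->getTrimmedInput('notes', $_POST);
-$webSite = $this->getTrimmedInput('webSite', $_POST);
+$firstName = $this->getSanitisedInput('firstName', $_POST);
+$middleName = $this->getSanitisedInput('middleName', $_POST);
+$lastName = $this->getSanitisedInput('lastName', $_POST);
+$email1 = $this->getSanitisedInput('email1', $_POST);
+$email2 = $this->getSanitisedInput('email2', $_POST);
+$address = $this->getSanitisedInput('address', $_POST);
+$city = $this->getSanitisedInput('city', $_POST);
+$state = $this->getSanitisedInput('state', $_POST);
+$zip = $this->getSanitisedInput('zip', $_POST);
+$source = $this->getSanitisedInput('source', $_POST);
+$keySkills = $this->getSanitisedInput('keySkills', $_POST);
+$currentEmployer = $this->getSanitisedInput('currentEmployer', $_POST);
+$currentPay = $this->getSanitisedInput('currentPay', $_POST);
+$desiredPay = $this->getSanitisedInput('desiredPay', $_POST);
+$notes = $this->getSanitisedInput('notes', $_POST);
+$webSite = $this->getSanitisedInput('webSite', $_POST);
 $bestTimeToCall = $this->getTrimmedInput('bestTimeToCall', $_POST);
 $gender = $this->getTrimmedInput('gender', $_POST);
 $race = $this->getTrimmedInput('race', $_POST);
@@ -3426,8 +3426,8 @@ private function findDuplicateCandidateSearch()
 {
 $duplicateCandidateID = $_POST['candidateID'];
 }
-$query = $this->getTrimmedInput('wildCardString', $_POST);
-$mode = $this->getTrimmedInput('mode', $_POST);
+$query = $this->getSanitisedInput('wildCardString', $_POST);
+$mode = $this->getSanitisedInput('mode', $_POST);
 
 /* Execute the search. */
 $search = new SearchCandidates($this->_siteID);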
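Review bot: In findDuplicateCandidateSearch, `$query` is HTML-entity-encoded before it is handed to SearchCandidates, so a search term containing `'`, `&` or `<` is looked up as `&#039;`, `&amp;`, `&lt;` and will not match records that hold the raw characters (or will only match records saved through the newly-encoding add/edit paths), and htmlspecialchars is not an SQL escaping control in any case — the query must be bound or escaped inside the search/database layer, which is outside this hunk. `$mode` is a selector rather than free text; checking it against the set of modes the search accepts (not visible here) and rejecting anything else is the stronger control than encoding it. The search term should stay `getTrimmedInput` and be escaped where the results page echoes it back. The same mixed treatment appears in the first hunk, where `source`, `gender`, `race` and `veteran` remain trimmed inside the same `$fields` array that now stores encoded values, so any template rendering that array has to escape anyway and will double-encode the other keys.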

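--- a/modules/companies/CompaniesUI.php
+++ b/modules/companies/CompaniesUI.php
@@ -489,42 +489,42 @@ private function add()
 private function onAdd()
 {
 $formattedPhone1 = StringUtility::extractPhoneNumber(
-$this->getTrimmedInput('phone1', $_POST)
+$this->getSanitisedInput('phone1', $_POST)
 );
 if (!empty($formattedPhone1))
 {
 $phone1 = $formattedPhone1;
 }
 else
 {
-$phone1 = $this->getTrimmedInput('phone1', $_POST);
+$phone1 = $this->getSanitisedInput('phone1', $_POST);
 }
 
 $formattedPhone2 = StringUtility::extractPhoneNumber(
-$this->getTrimmedInput('phone2', $_POST)
+$this->getSanitisedInput('phone2', $_POST)
 );
 if (!empty($formattedPhone2))
 {
 $phone2 = $formattedPhone2;
 }
 else
 {
-$phone2 = $this->getTrimmedInput('phone2', $_POST);
+$phone2 = $this->getSanitisedInput('phone2', $_POST);
 }
 
 $formattedFaxNumber = StringUtility::extractPhoneNumber(
-$this->getTrimmedInput('faxNumber', $_POST)
+$this->getSanitisedInput('faxNumber', $_POST)
 );
 if (!empty($formattedFaxNumber))
 {
 $faxNumber = $formattedFaxNumber;
 }
 else
 {
-$faxNumber = $this->getTrimmedInput('faxNumber', $_POST);
+$faxNumber = $this->getSanitisedInput('faxNumber', $_POST);
 }
 
-$url = $this->getTrimmedInput('url', $_POST);
+$url = $this->getSanitisedInput('url', $_POST);
 if (!empty($url))
 {
 $formattedURL = StringUtility::extractURL($url);
@@ -538,13 +538,13 @@ private function onAdd()
 /* Hot company? */
 $isHot = $this->isChecked('isHot', $_POST);
 
-$name = $this->getTrimmedInput('name', $_POST);
-$address = $this->getTrimmedInput('address', $_POST);
-$city = $this->getTrimmedInput('city', $_POST);
-$state = $this->getTrimmedInput('state', $_POST);
-$zip = $this->getTrimmedInput('zip', $_POST);
-$keyTechnologies = $this->getTrimmedInput('keyTechnologies', $_POST);
-$notes = $this->getTrimmedInput('notes', $_POST);
+$name = $this->getSanitisedInput('name', $_POST);
+$address = $this->getSanitisedInput('address', $_POST);
+$city = $this->getSanitisedInput('city', $_POST);
+$state = $this->getSanitisedInput('state', $_POST);
+$zip = $this->getSanitisedInput('zip', $_POST);
+$keyTechnologies = $this->getSanitisedInput('keyTechnologies', $_POST);
+$notes = $this->getSanitisedInput('notes', $_POST);
 
 /* Departments list editor. */
 $departmentsCSV = $this->getTrimmedInput('departmentsCSV', $_POST);
@@ -697,42 +697,42 @@ private function onEdit()
 }
 
 $formattedPhone1 = StringUtility::extractPhoneNumber(
-$this->getTrimmedInput('phone1', $_POST)
+$this->getSanitisedInput('phone1', $_POST)
 );
 if (!empty($formattedPhone1))
 {
 $phone1 = $formattedPhone1;
 }
 else
 {
-$phone1 = $this->getTrimmedInput('phone1', $_POST);
+$phone1 = $this->getSanitisedInput('phone1', $_POST);
 }
 
 $formattedPhone2 = StringUtility::extractPhoneNumber(
-$this->getTrimmedInput('phone2', $_POST)
+$this->getSanitisedInput('phone2', $_POST)
 );
 if (!empty($formattedPhone2))
 {
 $phone2 = $formattedPhone2;
 }
 else
 {
-$phone2 = $this->getTrimmedInput('phone2', $_POST);
+$phone2 = $this->getSanitisedInput('phone2', $_POST);
 }
 
 $formattedFaxNumber = StringUtility::extractPhoneNumber(
-$this->getTrimmedInput('faxNumber', $_POST)
+$this->getSanitisedInput('faxNumber', $_POST)
 );
 if (!empty($formattedFaxNumber))
 {
 $faxNumber = $formattedFaxNumber;
 }
 else
 {
-$faxNumber = $this->getTrimmedInput('faxNumber', $_POST);
+$faxNumber = $this->getSanitisedInput('faxNumber', $_POST);
 }
 
-$url = $this->getTrimmedInput('url', $_POST);
+$url = $this->getSanitisedInput('url', $_POST);
 if (!empty($url))
 {
 $formattedURL = StringUtility::extractURL($url);
@@ -809,13 +809,13 @@ private function onEdit()
 $emailAddress = '';
 }
 
-$name = $this->getTrimmedInput('name', $_POST);
-$address = $this->getTrimmedInput('address', $_POST);
-$city = $this->getTrimmedInput('city', $_POST);
-$state = $this->getTrimmedInput('state', $_POST);
-$zip = $this->getTrimmedInput('zip', $_POST);
-$keyTechnologies = $this->getTrimmedInput('keyTechnologies', $_POST);
-$notes = $this->getTrimmedInput('notes', $_POST);
+$name = $this->getSanitisedInput('name', $_POST);
+$address = $this->getSanitisedInput('address', $_POST);
+$city = $this->getSanitisedInput('city', $_POST);
+$state = $this->getSanitisedInput('state', $_POST);
+$zip = $this->getSanitisedInput('zip', $_POST);
+$keyTechnologies = $this->getSanitisedInput('keyTechnologies', $_POST);
+$notes = $this->getSanitisedInput('notes', $_POST);
 
 /* Departments list editor. */
 $departmentsCSV = $this->getTrimmedInput('departmentsCSV', $_POST);
@@ -986,7 +986,7 @@ private function onSearch()
 if (!eval(Hooks::get('CLIENTS_ON_SEARCH_PRE'))) return;
 
 /* Get our current searching mode. */
-$mode = $this->getTrimmedInput('mode', $_GET);
+$mode = $this->getSanitisedInput('mode', $_GET);
 
 /* Execute the search. */
 $search = new SearchCompanies($this->_siteID);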
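Review bot: In onAdd (and identically in onEdit), `$url` is entity-encoded before `StringUtility::extractURL($url)` sees it, so a query string such as `?a=1&b=2` arrives as `?a=1&amp;b=2`; unless extractURL decodes entities (it is outside this hunk), the stored link is altered rather than escaped. A URL is better validated than encoded at this point — keep `$url = $this->getTrimmedInput('url', $_POST);`, reject values that fail `filter_var($url, FILTER_VALIDATE_URL)` or whose scheme is not http/https, and escape it in the attribute context where it is rendered. `$mode` in onSearch is a selector read from `$_GET`; comparing it against the modes SearchCompanies accepts (not visible here) and defaulting otherwise is the precise check, and `$departmentsCSV` is left as `getTrimmedInput` in both handlers while the surrounding fields are now encoded, so whatever renders departments must still escape and will double-encode the rest. All four handlers start and end outside their hunks.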

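--- a/modules/companies/dataGrids.php
+++ b/modules/companies/dataGrids.php
@@ -3,7 +3,7 @@
  * CATS
  * Companies Datagrid
  *
- * CATS Version: 0.9.6
+ * CATS Version: 0.9.7.1
  *
  * Copyright (C) 2005 - 2007 Cognizo Technologies, Inc.
  *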
