Chapril/date.chapril.org-framadate
Chapril/date.chapril.org-framadate
25
1
Fork 0
Code Issues Pull Requests Releases Activity

Handle XSS issue on date poll slots

Browse Source 
Signed-off-by: Thomas Citharel <tcit@tcit.fr>
This commit is contained in:
Thomas Citharel 2018-07-09 10:56:09 +02:00
parent a1a7d180f8
commit be128e8158
2 changed files with 5 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
app/inc/smarty.php
View File

@ -77,6 +77,10 @@ function smarty_modifier_html($html) {
return Utils::htmlEscape($html); return Utils::htmlEscape($html);
} }
function smarty_modifier_html_special_chars($html) {
return Utils::htmlMailEscape($html);
}
function smarty_modifier_datepicker_path($lang) { function smarty_modifier_datepicker_path($lang) {
$i = 0; $i = 0;
while (!is_file(path_for_datepicker_locale($lang)) && $i < 3) { while (!is_file(path_for_datepicker_locale($lang)) && $i < 3) {

2
tpl/create_date_poll_step_2.tpl
View File

@ -70,7 +70,7 @@
<div class="col-sm-2"> <div class="col-sm-2">
<label for="d{$i}-h{$j}" class="sr-only control-label">{__('Generic', 'Time')} {$j+1}</label> <label for="d{$i}-h{$j}" class="sr-only control-label">{__('Generic', 'Time')} {$j+1}</label>
<input type="text" class="form-control hours" title="{$day_value} - {__('Generic', 'Time')} {$j+1}" <input type="text" class="form-control hours" title="{$day_value} - {__('Generic', 'Time')} {$j+1}"
placeholder="{__('Generic', 'Time')} {$j+1}" id="d{$i}-h{$j}" name="horaires{$i}[]" value="{$slot}"/> placeholder="{__('Generic', 'Time')} {$j+1}" id="d{$i}-h{$j}" name="horaires{$i}[]" value="{$slot|html_special_chars}"/>
</div> </div>
{/foreach} {/foreach}