bugfix: avoid XSS in customer address selector and some ticket forms …

…(LMS #1910)
chilek · Jan 17, 2021 · 9a32448 · 9a32448
1 parent 026e394
commit 9a32448
Show file tree

Hide file tree

Showing 4 changed files with 24 additions and 21 deletions.
diff --git a/js/lms-ui-iconselectmenu.js b/js/lms-ui-iconselectmenu.js
@@ -28,7 +28,7 @@ $.widget( "custom.iconselectmenu", $.ui.selectmenu, {
             '>');
 	    var wrapper = '<div>' + (item.element.attr("data-icon") ? '<i class="' +
             (item.element.attr("data-class") ? item.element.attr("data-class") : '') +
-            ' ' + item.element.attr("data-icon") + '"></i>' : '') + item.label + '</div>';
+            ' ' + item.element.attr("data-icon") + '"></i>' : '') + escapeHtml(item.label) + '</div>';
 
         return li.append(wrapper).appendTo(ul);
     },

diff --git a/templates/default/customer/customeraddresses.html b/templates/default/customer/customeraddresses.html
@@ -20,7 +20,8 @@
             {/if}
             <option value="{$address_id}" data-territ="{if empty($address.teryt)}0{else}1{/if}" data-icon="{$icon}"
                     {if (isset($selected_address_id) && $selected_address_id == $address_id)
-                        || (!isset($selected_address_id) && (!isset($preselection) || $preselection) && isset($address.default_address))} selected{/if}>{$address.location}</option>
+                        || (!isset($selected_address_id) && (!isset($preselection) || $preselection) && isset($address.default_address))} selected{/if}
+                >{$address.location|escape}</option>
         {/foreach}
     {/if}
 </select>
diff --git a/templates/default/rt/rtmessageadd.html b/templates/default/rt/rtmessageadd.html
@@ -55,7 +55,7 @@ <H1>{$layout.pagetitle}</H1>
 <INPUT type="hidden" name="message[customerid]" value ="{$message.customerid}">
 {box_container id="message"}
 	{box_header icon="img/mail.gif" label="Subject:"}
-		<INPUT type="text" size="75" name="message[subject]" maxlength="255" value="{$message.subject}" {tip text="Enter message subject" trigger="subject"}>
+		<INPUT type="text" size="75" name="message[subject]" maxlength="255" value="{$message.subject|escape}" {tip text="Enter message subject" trigger="subject"}>
 	{/box_header}
 
 	{box_contents}

diff --git a/templates/default/rt/rtticketinfobox.html b/templates/default/rt/rtticketinfobox.html
@@ -118,7 +118,7 @@
 									<i class="lms-ui-icon-content lms-ui-icon-user"></i>{trans("Created by:")}
 								</TD>
 								<TD style="width: 99%;">
-									<A href="?m=userinfo&amp;id={$ticket.creatorid}">{$ticket.creator}</a>
+									<A href="?m=userinfo&amp;id={$ticket.creatorid}">{$ticket.creator|escape}</a>
 								</TD>
 							</TR>
 							{/if}
@@ -258,7 +258,7 @@
 									<i class="lms-ui-icon-content lms-ui-icon-location"></i>{trans("Location:")}
 								</TD>
 								<TD>
-									{$ticket.location}
+									{$ticket.location|escape}
 								</TD>
 							</TR>
 							{/if}
@@ -280,7 +280,7 @@
 									<i class="lms-ui-icon-content lms-ui-icon-netnode"></i>{trans("Network Device Node:")}
 								</TD>
 								<TD>
-									<A href="?m=netnodeinfo&id={$ticket.netnodeid}">{$ticket.netnode_name}</A>
+									<A href="?m=netnodeinfo&id={$ticket.netnodeid}">{$ticket.netnode_name|escape}</A>
 								</TD>
 							</TR>
 							{/if}
@@ -290,7 +290,7 @@
 									<i class="lms-ui-icon-content lms-ui-icon-netdev"></i>{trans("Device:")}
 								</TD>
 								<TD>
-									<A href="?m=netdevinfo&id={$ticket.netdevid}">{$ticket.netdev_name}</A>
+									<A href="?m=netdevinfo&id={$ticket.netdevid}">{$ticket.netdev_name|escape}</A>
 								</TD>
 							</TR>
 							{/if}
@@ -300,7 +300,7 @@
 									{icon name="invproject" label="Investment project:"}
 								</TD>
 								<TD>
-									{$ticket.invproject_name}</A>
+									{$ticket.invproject_name|escape}</A>
 								</TD>
 							</TR>
 							{/if}
@@ -310,30 +310,32 @@
 									{icon name="parentticket" label="Parent ticket:"}
 								</TD>
 								<TD>
-									#{$ticket.parent.id|string_format:"%06d"} <a href="?m=rtticketview&id={$ticket.parent.id}">{$ticket.parent.name}</a><br>
+									#{$ticket.parent.id|string_format:"%06d"} <a href="?m=rtticketview&id={$ticket.parent.id}">{$ticket.parent.name|escape}</a><br>
 								</TD>
 							</TR>
 							{/if}
 							{if $ticket.childtickets}
-                                                        <TR>
-                                                                <TD class="bold">
-                                                                        {icon name="childticket" label="Child tickets:"}
-                                                                </TD>
-								<TD>
-								{foreach $ticket.childtickets as $t}
-                                                                        #{$t.id|string_format:"%06d"} <a href="?m=rtticketview&id={$t.id}">{$t.subject}</a><br>
-								{/foreach}
-                                                                </TD>
-                                                        </TR>
-                                                        {/if}
+								<TR>
+									<TD class="bold">
+										{icon name="childticket" label="Child tickets:"}
+									</TD>
+									<TD>
+										{foreach $ticket.childtickets as $t}
+											#{$t.id|string_format:"%06d"}
+											<a href="?m=rtticketview&id={$t.id}">{$t.subject|escape}</a>
+											<br>
+										{/foreach}
+									</TD>
+								</TR>
+							{/if}
 							{if $ticket.relatedtickets}
 							<TR>
 								<TD class="bold nobr">
 									{icon name="relatedticket" label="Related tickets:"}
 								</TD>
 								<TD>
 									{foreach $ticket.relatedtickets as $i}
-										#{$i.id|string_format:"%06d"} <a href="?m=rtticketview&id={$i.id}">{$i.name}</a><br>
+										#{$i.id|string_format:"%06d"} <a href="?m=rtticketview&id={$i.id}">{$i.name|escape}</a><br>
 									{/foreach}
 								</TD>
 							</TR>