- fix: XSS Vulnerability in WikiPage titles

- Depricated the random array function in WebGUI::Utility in favor of 
   List::Utils per the WebGUI Best Practices.

docs/changelog/7.x.x.txt

@@ -10,6 +10,9 @@
  - fix: Cannot save new content filters.
  - fix: Cannot delete content filter.
  - fix: XSS Vulnerability in WebGUI usernames
+ - fix: XSS Vulnerability in WikiPage titles
+ - Depricated the random array function in WebGUI::Utility in favor of
+   List::Utils per the WebGUI Best Practices.
  - change: adapted WebGUI::Commerce::ShoppingCart to make it capable of 
         handling dynamic item plugins. (Martin Kamerbeek / Oqapi)
  - fix: Using double quote in Project Manager task name breaks javascript

lib/WebGUI/Asset.pm

@@ -27,6 +27,7 @@ use Tie::IxHash;
 use WebGUI::AdminConsole;
 use WebGUI::Cache;
 use WebGUI::Form;
+use WebGUI::HTML;
 use WebGUI::HTMLForm;
 use WebGUI::TabForm;
 use WebGUI::Utility;
@@ -224,7 +225,8 @@ sub definition {
 					label=>$i18n->get(99),
 					hoverHelp=>$i18n->get('99 description'),
                                         fieldType=>'text',
-                                        defaultValue=>undef
+                                        defaultValue=>'Untitled',
+					filter=>'fixTitle',
                                         },
                                 menuTitle=>{
 					tab=>"properties",
@@ -232,6 +234,7 @@ sub definition {
 					hoverHelp=>$i18n->get('411 description'),
 					uiLevel=>1,
                                         fieldType=>'text',
+					filter=>'fixTitle',
                                         defaultValue=>undef
                                         },
                                 url=>{
@@ -380,7 +383,13 @@ Any text string. Most likely will have been the Asset's name or title.
 
 sub fixUrl {
 	my $self = shift;
-	my $url = $self->session->url->urlize(shift);
+	my $url = shift;
+	unless ($url) {
+		$url = $self->getParent->get("url");
+		$url =~ s/(.*)\..*/$1/;
+		$url .= '/'.$self->getValue("menuTitle");
+	}
+	$url = $self->session->url->urlize($url);
 	my @badUrls = ($self->session->config->get("extrasURL"), $self->session->config->get("uploadsURL"));
 	foreach my $badUrl (@badUrls) {
 		if ($badUrl =~ /^http/) {
@@ -416,6 +425,24 @@ sub fixUrl {
 }
 
 
+#-------------------------------------------------------------------
+
+=head2 fixTitle ( string )
+
+Fixes a title by eliminating HTML from it.
+
+=head3 string
+
+Any text string. Most likely will have been the Asset's name or title.
+
+=cut
+
+sub fixTitle {
+	my $self = shift;
+	return WebGUI::HTML::filter(shift || $self->getValue("title") || 'Untitled', 'all');
+}
+
+
 #-------------------------------------------------------------------
 
 =head2 get ( [propertyName] )
@@ -1641,13 +1668,6 @@ sub processPropertiesFromFormPost {
 			$self->updateMetaData($1,$self->session->form->process($form));
 		}
 	}
-	$data{title} = "Untitled" unless ($data{title});
-	$data{menuTitle} = $data{title} unless ($data{menuTitle});
-	unless ($data{url}) {
-		$data{url} = $self->getParent->get("url");
-		$data{url} =~ s/(.*)\..*/$1/;
-		$data{url} .= '/'.$data{menuTitle};
-	}
 	$self->session->db->beginTransaction;
 	$self->update(\%data);
 	$self->session->db->commit;

lib/WebGUI/Asset/Post.pm

@@ -777,7 +777,6 @@ sub postProcess {
 	if ($self->getThread->getParent->get("addEditStampToPosts")) {
 		$data{content} .= "<p>\n\n --- (".$i18n->get('Edited_on')." ".$self->session->datetime->epochToHuman(undef,"%z %Z [GMT%O]")." ".$i18n->get('By')." ".$user->profileField("alias").") --- \n</p>";
 	}
-	$data{title} = WebGUI::HTML::filter($self->get("title"), "all");
 	$data{url} = $self->fixUrl($self->getThread->get("url")."/1") if ($self->isReply && $self->isNew);
 	$data{groupIdView} = $self->getThread->getParent->get("groupIdView");
 	$data{groupIdEdit} = $self->getThread->getParent->get("groupIdEdit");

lib/WebGUI/Asset/WikiPage.pm

@@ -239,7 +239,6 @@ sub processPropertiesFromFormPost {
 			 isHidden => 1,
 			actionTakenBy => $self->session->user->userId,
 			actionTaken => $actionTaken,
-			title => WebGUI::HTML::filter($self->get("title"), "all"),
 	});
 
 	if ($self->getWiki->canAdminister) {

lib/WebGUI/Asset/Wobject/Poll.pm

@@ -12,6 +12,7 @@ package WebGUI::Asset::Wobject::Poll;
 #-------------------------------------------------------------------
 
 use strict;
+use List::Util;
 use WebGUI::Form;
 use WebGUI::International;
 use WebGUI::SQL;
@@ -382,7 +383,7 @@ sub view {
 			push(@labels, $self->get('a'.$i));
                 }
 	}
-	randomizeArray(\@answers) if ($self->get("randomizeAnswers"));
+	@answers = List::Util::shuffle(@answers) if ($self->get("randomizeAnswers"));
 	$var{answer_loop} = \@answers;
 
 	if ($self->getValue('generateGraph')) {

lib/WebGUI/Asset/Wobject/Survey.pm

@@ -11,6 +11,7 @@ package WebGUI::Asset::Wobject::Survey;
 #-------------------------------------------------------------------
 
 use strict;
+use List::Util;
 use Tie::CPHash;
 use WebGUI::HTMLForm;
 use WebGUI::International;
@@ -454,7 +455,7 @@ sub getRandomQuestionIds {
 		$where .= " and Survey_questionId not in (".$self->session->db->quoteAndJoin(\@usedQuestionIds).")";
 	}
 	my @questions = $self->session->db->buildArray("select Survey_questionId from Survey_question".$where);
-	randomizeArray(\@questions);
+	@questions = List::Util::shuffle(@questions);
 	return @questions;
 }
 

lib/WebGUI/Utility.pm

@@ -296,13 +296,9 @@ sub randint {
 
 #-------------------------------------------------------------------
 
-=head2 randomizeArray ( array )
+=head2 randomizeArray (  )
 
-Resorts an array in random order.
-
-=head3 array
-
-A reference to the array to randomize.
+Don't use this function, it is depricated and will be removed at some point in the future. Instead use List::Util::shuffle()
 
 =cut