diff --git a/docs/changelog/7.x.x.txt b/docs/changelog/7.x.x.txt
index e8eab84af..8254e931f 100644
--- a/docs/changelog/7.x.x.txt
+++ b/docs/changelog/7.x.x.txt
@@ -10,6 +10,9 @@
 - fix: Cannot save new content filters.
 - fix: Cannot delete content filter.
 - fix: XSS Vulnerability in WebGUI usernames
+ - fix: XSS Vulnerability in WikiPage titles
+ - Depricated the random array function in WebGUI::Utility in favor of
+ List::Utils per the WebGUI Best Practices.
 - change: adapted WebGUI::Commerce::ShoppingCart to make it capable of handling dynamic item plugins. (Martin Kamerbeek / Oqapi)
 - fix: Using double quote in Project Manager task name breaks javascript
diff --git a/lib/WebGUI/Asset.pm b/lib/WebGUI/Asset.pm
index 67e20ad40..520c3140b 100644
--- a/lib/WebGUI/Asset.pm
+++ b/lib/WebGUI/Asset.pm
@@ -27,6 +27,7 @@ use Tie::IxHash;
 use WebGUI::AdminConsole;
 use WebGUI::Cache;
 use WebGUI::Form;
+use WebGUI::HTML;
 use WebGUI::HTMLForm;
 use WebGUI::TabForm;
 use WebGUI::Utility;
@@ -224,7 +225,8 @@ sub definition {
 label=>$i18n->get(99),
 hoverHelp=>$i18n->get('99 description'),
 fieldType=>'text',
- defaultValue=>undef
+ defaultValue=>'Untitled',
+ filter=>'fixTitle',
 },
 menuTitle=>{
 tab=>"properties",
@@ -232,6 +234,7 @@ sub definition {
 hoverHelp=>$i18n->get('411 description'),
 uiLevel=>1,
 fieldType=>'text',
+ filter=>'fixTitle',
 defaultValue=>undef
 },
 url=>{
@@ -380,7 +383,13 @@ Any text string. Most likely will have been the Asset's name or title.
 
 sub fixUrl {
 my $self = shift;
- my $url = $self->session->url->urlize(shift);
+ my $url = shift;
+ unless ($url) {
+ $url = $self->getParent->get("url");
+ $url =~ s/(.*)\..*/$1/;
+ $url .= '/'.$self->getValue("menuTitle");
+ }
+ $url = $self->session->url->urlize($url);
 my @badUrls = ($self->session->config->get("extrasURL"), $self->session->config->get("uploadsURL"));
 foreach my $badUrl (@badUrls) {
 if ($badUrl =~ /^http/) {
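Review bot: The default-URL branch added to fixUrl (`unless ($url) { ... }`) only runs when a caller passes a false value, and the patch shows no such caller: the equivalent `unless ($data{url})` block removed from processPropertiesFromFormPost is not replaced by anything visible, so unless the `url` field's definition already carries `filter=>'fixUrl'` (that entry lies outside the hunks), an empty URL in a form post may no longer be defaulted at all — worth confirming. Inside the branch, `$self->getParent->get("url")` assumes a parent exists; a root-level asset would die on the undefined method call, an assumption the removed code shared. The extension-stripping `s/(.*)\..*/$1/` is greedy, so a parent URL with a dot anywhere in its path (e.g. `news/v1.2/index` becomes `news/v1`) is cut at its last dot rather than at a trailing extension; if only a trailing extension is meant to go, `$url =~ s/\.[^.\/]*\z//;` does that. The remainder of fixUrl's body continues outside the hunk.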
@@ -416,6 +425,24 @@ sub fixUrl {
 }
 
+#-------------------------------------------------------------------
+
+=head2 fixTitle ( string )
+
+Fixes a title by eliminating HTML from it.
+
+=head3 string
+
+Any text string. Most likely will have been the Asset's name or title.
+
+=cut
+
+sub fixTitle {
+ my $self = shift;
+ return WebGUI::HTML::filter(shift || $self->getValue("title") || 'Untitled', 'all');
+}
+
+
 #-------------------------------------------------------------------
 
 =head2 get ( [propertyName] )
 
@@ -1641,13 +1668,6 @@ sub processPropertiesFromFormPost {
 $self->updateMetaData($1,$self->session->form->process($form));
 }
 }
- $data{title} = "Untitled" unless ($data{title});
- $data{menuTitle} = $data{title} unless ($data{menuTitle});
- unless ($data{url}) {
- $data{url} = $self->getParent->get("url");
- $data{url} =~ s/(.*)\..*/$1/;
- $data{url} .= '/'.$data{menuTitle};
- }
 $self->session->db->beginTransaction;
 $self->update(\%data);
 $self->session->db->commit;
diff --git a/lib/WebGUI/Asset/Post.pm b/lib/WebGUI/Asset/Post.pm
index 5e6a8fd75..64a398077 100644
--- a/lib/WebGUI/Asset/Post.pm
+++ b/lib/WebGUI/Asset/Post.pm
@@ -777,7 +777,6 @@ sub postProcess {
 if ($self->getThread->getParent->get("addEditStampToPosts")) {
 $data{content} .= "
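Review bot: The POD for fixTitle documents `string` as a required argument, but the body falls back first to `$self->getValue("title")` and then to `'Untitled'`, so the `=head3 string` section should state that the argument is optional and give that fallback order; the sentence `Most likely will have been the Asset's name or title` is copied from fixUrl and does not describe this function. The `||` chain also turns a title of `0` into the stored title or `Untitled`; if that matters, testing `defined` and `length` rather than truth preserves it. More importantly, the patch drops the explicit `WebGUI::HTML::filter(..., "all")` calls in Post.pm postProcess and WikiPage.pm processPropertiesFromFormPost in favor of the `filter=>'fixTitle'` entries added to definition, and nothing in the diff shows where the `filter` key is honored. If it runs only in the form-processing path, a title written through update() from other code (Post's postProcess builds its own %data) is no longer filtered, so that path should be confirmed before the XSS fix is considered complete.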
\n\n --- (".$i18n->get('Edited_on')." ".$self->session->datetime->epochToHuman(undef,"%z %Z [GMT%O]")." ".$i18n->get('By')." ".$user->profileField("alias").") --- \n
";
 }
- $data{title} = WebGUI::HTML::filter($self->get("title"), "all");
 $data{url} = $self->fixUrl($self->getThread->get("url")."/1") if ($self->isReply && $self->isNew);
 $data{groupIdView} = $self->getThread->getParent->get("groupIdView");
 $data{groupIdEdit} = $self->getThread->getParent->get("groupIdEdit");
diff --git a/lib/WebGUI/Asset/WikiPage.pm b/lib/WebGUI/Asset/WikiPage.pm
index c50477003..44d742706 100644
--- a/lib/WebGUI/Asset/WikiPage.pm
+++ b/lib/WebGUI/Asset/WikiPage.pm
@@ -239,7 +239,6 @@ sub processPropertiesFromFormPost {
 isHidden => 1,
 actionTakenBy => $self->session->user->userId,
 actionTaken => $actionTaken,
- title => WebGUI::HTML::filter($self->get("title"), "all"),
 });
 
 if ($self->getWiki->canAdminister) {
diff --git a/lib/WebGUI/Asset/Wobject/Poll.pm b/lib/WebGUI/Asset/Wobject/Poll.pm
index 539e9f9a9..ff9162cf3 100644
--- a/lib/WebGUI/Asset/Wobject/Poll.pm
+++ b/lib/WebGUI/Asset/Wobject/Poll.pm
@@ -12,6 +12,7 @@ package WebGUI::Asset::Wobject::Poll;
 #-------------------------------------------------------------------
 
 use strict;
+use List::Util;
 use WebGUI::Form;
 use WebGUI::International;
 use WebGUI::SQL;
@@ -382,7 +383,7 @@ sub view {
 push(@labels, $self->get('a'.$i));
 }
 }
- randomizeArray(\@answers) if ($self->get("randomizeAnswers"));
+ @answers = List::Util::shuffle(@answers) if ($self->get("randomizeAnswers"));
 $var{answer_loop} = \@answers;
 
 if ($self->getValue('generateGraph')) {
diff --git a/lib/WebGUI/Asset/Wobject/Survey.pm b/lib/WebGUI/Asset/Wobject/Survey.pm
index a003a270f..2cb2b2e90 100644
--- a/lib/WebGUI/Asset/Wobject/Survey.pm
+++ b/lib/WebGUI/Asset/Wobject/Survey.pm
@@ -11,6 +11,7 @@ package WebGUI::Asset::Wobject::Survey;
 #-------------------------------------------------------------------
 
 use strict;
+use List::Util;
 use Tie::CPHash;
 use WebGUI::HTMLForm;
 use WebGUI::International;
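Review bot: Calling `List::Util::shuffle` fully qualified after a bare `use List::Util;` is a style choice that reads oddly beside the project's other imports, which export their helpers (randomizeArray came in through `use WebGUI::Utility;`); `use List::Util qw(shuffle);` in the import block and `@answers = shuffle(@answers) if ($self->get("randomizeAnswers"));` here would follow that convention. The same applies to the two Survey.pm hunks, where `@questions = List::Util::shuffle(@questions); return @questions;` can further collapse to `return shuffle(@questions);`. `@labels`, which appears to be filled in the same loop as `@answers`, is not shuffled alongside it; the in-place randomizeArray call behaved the same way, so this is pre-existing rather than introduced here, but a comment such as `# labels keep definition order; only the displayed answers are shuffled` would make the intent explicit if that is deliberate.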
@@ -454,7 +455,7 @@ sub getRandomQuestionIds {
 $where .= " and Survey_questionId not in (".$self->session->db->quoteAndJoin(\@usedQuestionIds).")";
 }
 my @questions = $self->session->db->buildArray("select Survey_questionId from Survey_question".$where);
- randomizeArray(\@questions);
+ @questions = List::Util::shuffle(@questions);
 return @questions;
 }
 
diff --git a/lib/WebGUI/Utility.pm b/lib/WebGUI/Utility.pm
index c90d44f5c..eb2f1c580 100644
--- a/lib/WebGUI/Utility.pm
+++ b/lib/WebGUI/Utility.pm
@@ -296,13 +296,9 @@ sub randint {
 
 #-------------------------------------------------------------------
 
-=head2 randomizeArray ( array )
+=head2 randomizeArray ( )
 
-Resorts an array in random order.
-
-=head3 array
-
-A reference to the array to randomize.
+Don't use this function, it is depricated and will be removed at some point in the future. Instead use List::Util::shuffle()
 
 =cut