- fix: XSS Vulnerability in WikiPage titles
- Depricated the random array function in WebGUI::Utility in favor of List::Utils per the WebGUI Best Practices.
This commit is contained in:
JT Smith
parent
945be4a2de
commit
e42a744ed9
7 changed files with 38 additions and 19 deletions
|
|
@ -27,6 +27,7 @@ use Tie::IxHash;
|
|||
use WebGUI::AdminConsole;
|
||||
use WebGUI::Cache;
|
||||
use WebGUI::Form;
|
||||
use WebGUI::HTML;
|
||||
use WebGUI::HTMLForm;
|
||||
use WebGUI::TabForm;
|
||||
use WebGUI::Utility;
|
||||
|
|
@ -224,7 +225,8 @@ sub definition {
|
|||
label=>$i18n->get(99),
|
||||
hoverHelp=>$i18n->get('99 description'),
|
||||
fieldType=>'text',
|
||||
defaultValue=>undef
|
||||
defaultValue=>'Untitled',
|
||||
filter=>'fixTitle',
|
||||
},
|
||||
menuTitle=>{
|
||||
tab=>"properties",
|
||||
|
|
@ -232,6 +234,7 @@ sub definition {
|
|||
hoverHelp=>$i18n->get('411 description'),
|
||||
uiLevel=>1,
|
||||
fieldType=>'text',
|
||||
filter=>'fixTitle',
|
||||
defaultValue=>undef
|
||||
},
|
||||
url=>{
|
||||
|
|
@ -380,7 +383,13 @@ Any text string. Most likely will have been the Asset's name or title.
|
|||
|
||||
sub fixUrl {
|
||||
my $self = shift;
|
||||
my $url = $self->session->url->urlize(shift);
|
||||
my $url = shift;
|
||||
unless ($url) {
|
||||
$url = $self->getParent->get("url");
|
||||
$url =~ s/(.*)\..*/$1/;
|
||||
$url .= '/'.$self->getValue("menuTitle");
|
||||
}
|
||||
$url = $self->session->url->urlize($url);
|
||||
my @badUrls = ($self->session->config->get("extrasURL"), $self->session->config->get("uploadsURL"));
|
||||
foreach my $badUrl (@badUrls) {
|
||||
if ($badUrl =~ /^http/) {
|
||||
|
|
@ -416,6 +425,24 @@ sub fixUrl {
|
|||
}
|
||||
|
||||
|
||||
#-------------------------------------------------------------------
|
||||
|
||||
=head2 fixTitle ( string )
|
||||
|
||||
Fixes a title by eliminating HTML from it.
|
||||
|
||||
=head3 string
|
||||
|
||||
Any text string. Most likely will have been the Asset's name or title.
|
||||
|
||||
=cut
|
||||
|
||||
sub fixTitle {
|
||||
my $self = shift;
|
||||
return WebGUI::HTML::filter(shift || $self->getValue("title") || 'Untitled', 'all');
|
||||
}
|
||||
|
||||
|
||||
#-------------------------------------------------------------------
|
||||
|
||||
=head2 get ( [propertyName] )
|
||||
|
|
@ -1641,13 +1668,6 @@ sub processPropertiesFromFormPost {
|
|||
$self->updateMetaData($1,$self->session->form->process($form));
|
||||
}
|
||||
}
|
||||
$data{title} = "Untitled" unless ($data{title});
|
||||
$data{menuTitle} = $data{title} unless ($data{menuTitle});
|
||||
unless ($data{url}) {
|
||||
$data{url} = $self->getParent->get("url");
|
||||
$data{url} =~ s/(.*)\..*/$1/;
|
||||
$data{url} .= '/'.$data{menuTitle};
|
||||
}
|
||||
$self->session->db->beginTransaction;
|
||||
$self->update(\%data);
|
||||
$self->session->db->commit;
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue