XSS exploit prevention

- Calendar - Show Contents
- Playlist tooltip in Library page
- Adding track to a show
- Widgets
- Playlist/Webstream title and description
- Smart block expansion
denise 2013-02-05 10:56:38 -05:00
parent b45f71e8f9
commit 74bc485b4b
8 changed files with 63 additions and 11 deletions


@ -261,7 +261,14 @@ class ApiController extends Zend_Controller_Action
"currentShow"=>Application_Model_Show::getCurrentShow($utcTimeNow),
"nextShow"=>Application_Model_Show::getNextShows($utcTimeNow, $limit, $utcTimeEnd)
);
// XSS exploit prevention
foreach ($result["currentShow"] as &$current) {
$current["name"] = htmlspecialchars($current["name"]);
}
foreach ($result["nextShow"] as &$next) {
$next["name"] = htmlspecialchars($next["name"]);
}
Application_Model_Show::convertToLocalTimeZone($result["currentShow"],
array("starts", "ends", "start_timestamp", "end_timestamp"));
Application_Model_Show::convertToLocalTimeZone($result["nextShow"],
@ -269,6 +276,17 @@ class ApiController extends Zend_Controller_Action
} else {
$result = Application_Model_Schedule::GetPlayOrderRange();
// XSS exploit prevention
$result["previous"]["name"] = htmlspecialchars($result["previous"]["name"]);
$result["current"]["name"] = htmlspecialchars($result["current"]["name"]);
$result["next"]["name"] = htmlspecialchars($result["next"]["name"]);
foreach ($result["currentShow"] as &$current) {
$current["name"] = htmlspecialchars($current["name"]);
}
foreach ($result["nextShow"] as &$next) {
$next["name"] = htmlspecialchars($next["name"]);
}
//Convert from UTC to localtime for Web Browser.
Application_Model_Show::ConvertToLocalTimeZone($result["currentShow"],
array("starts", "ends", "start_timestamp", "end_timestamp"));
@ -315,7 +333,15 @@ class ApiController extends Zend_Controller_Action
$result[$dow[$i]] = $shows;
}
// XSS exploit prevention
foreach ($dow as $d) {
foreach ($result[$d] as &$show) {
$show["name"] = htmlspecialchars($show["name"]);
$show["url"] = htmlspecialchars($show["url"]);
}
}
//used by caller to determine if the airtime they are running or widgets in use is out of date.
$result['AIRTIME_API_VERSION'] = AIRTIME_API_VERSION;
header("Content-type: text/javascript");
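Review bot: Every `htmlspecialchars()` call added in this file (L23, L26, L35–L42, L53–L54) relies on the default flags, which leave the single quote unencoded (the `ENT_COMPAT` default before PHP 8.1) and, before PHP 5.4, default to ISO-8859-1 rather than UTF-8, so a widget that places `name` inside a single-quoted attribute still receives a raw `'`. Pass the flags explicitly, `htmlspecialchars($current["name"], ENT_QUOTES, 'UTF-8')`, here and in the other files' hunks (L68–L69, L77, L88–L89, L101–L103); the templates' `$this->escape()` presumably wraps the same default and would need the same treatment. The `foreach (... as &$current)`, `&$next` and `&$show` loops also leave the reference variable bound to the last element of the array after the loop ends; add `unset($current);` (and likewise `unset($next);`, `unset($show);`) after each so a later plain assignment to that name cannot silently overwrite the array. `$show["url"]` at L54 is made safe for an attribute value, but its scheme is not validated, so consumers must still not drop it into `href` unchecked. The enclosing methods begin and continue outside the hunks.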


@ -257,6 +257,10 @@ SQL;
//format original length
$formatter = new LengthFormatter($row['orig_length']);
$row['orig_length'] = $formatter->format();
// XSS exploit prevention
$row["track_title"] = htmlspecialchars($row["track_title"]);
$row["creator"] = htmlspecialchars($row["creator"]);
}
return $rows;
@ -1241,7 +1245,7 @@ SQL;
foreach ($out as $crit) {
$criteria = $crit->getDbCriteria();
$modifier = $crit->getDbModifier();
$value = $crit->getDbValue();
$value = htmlspecialchars($crit->getDbValue());
$extra = $crit->getDbExtra();
if ($criteria == "limit") {
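Review bot: The escape at L77 is applied inside a model method, so `$value` is HTML-encoded before any downstream code sees it; if this loop also feeds the query that expands the block (the `if ($criteria == "limit")` branch below hints at query construction, but the rest is outside the hunk), a criterion containing `&`, `<`, `>` or `"` will no longer match the stored metadata, and a form that re-populates the criteria for editing will display `&amp;` and double-encode on save. Escaping belongs at the output point (the tooltip template around L142–L150) rather than here; the same concern applies to the row fields encoded at L68–L69 and L88–L89, and to the playlist item template whose own escape is removed at L170 and now depends on every `$item` having passed through this method. Note also that `$extra = $crit->getDbExtra()` at L78 stays unencoded while only `$value` is encoded, so whichever view consumes `extra` must still escape it itself. Both the loop and the enclosing method start and continue outside the hunk.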


@ -269,6 +269,10 @@ SQL;
//format original length
$formatter = new LengthFormatter($row['orig_length']);
$row['orig_length'] = $formatter->format();
// XSS exploit prevention
$row["track_title"] = htmlspecialchars($row["track_title"]);
$row["creator"] = htmlspecialchars($row["creator"]);
}
return $rows;


@ -275,9 +275,9 @@ class Application_Model_ShowBuilder
$formatter = new LengthFormatter(Application_Common_DateHelper::ConvertMSToHHMMSSmm($run_time*1000));
$row['runtime'] = $formatter->format();
$row["title"] = $p_item["file_track_title"];
$row["creator"] = $p_item["file_artist_name"];
$row["album"] = $p_item["file_album_title"];
$row["title"] = htmlspecialchars($p_item["file_track_title"]);
$row["creator"] = htmlspecialchars($p_item["file_artist_name"]);
$row["album"] = htmlspecialchars($p_item["file_album_title"]);
$row["cuein"] = $p_item["cue_in"];
$row["cueout"] = $p_item["cue_out"];
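Review bot: If `file_artist_name` or `file_album_title` can be null for an untagged file, `htmlspecialchars()` at L101–L103 now yields `''` where the replaced lines passed null through, so any consumer that distinguishes "no artist" from an empty string by a null check changes behaviour, and newer PHP versions deprecate the null argument. Guard it, e.g. `$row["creator"] = $p_item["file_artist_name"] === null ? null : htmlspecialchars($p_item["file_artist_name"]);`, or escape at the layer that renders these rows instead of in the builder. The enclosing method continues outside the hunk.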


@ -1,3 +1,9 @@
<?php
//XSS exploit prevention
foreach ($this->md as $key => &$value) {
$value = $this->escape($value);
}
?>
<?php if($this->type == "audioclip") : ?>
<table class='library-track-md'>
<tr><td><? echo _("Title:"); ?></td><td><?php echo ($this->md["MDATA_KEY_TITLE"]);?></td></tr>
@ -41,9 +47,18 @@
<span class='static'>o</span> <span><? echo _("Static Smart Block"); ?></span><br />
<span>o</span> <span><? echo _("Audio Track"); ?></span>
</div>
<?php } ?>
<?php if ($this->type == "playlist" || ($this->type == "block" && $this->blType == "Static")) {?>
<?php
//XSS exploit prevention
/*foreach ($this->contents as &$item) {
foreach ($item as $key => &$value) {
$value = $this->escape($value);
}
}*/
?>
<?php if ($this->type == "playlist") { ?>
<div class='file-md-qtip-left'><span><? echo _("Playlist Contents: "); ?></span></div>
<?php } else { ?>
@ -88,9 +103,13 @@
<?php } elseif ($this->blType == "Dynamic") { ?>
<div class='file-md-qtip-left'><span><? echo _("Dynamic Smart Block Criteria: "); ?></span></div>
<table class='library-get-file-md table-small'>
<?php foreach ($this->contents["crit"] as $criterias) : ?>
<?php foreach ($criterias as $crit ) : ?>
<?php foreach ($this->contents["crit"] as &$criterias) : ?>
<?php foreach ($criterias as &$crit ) : ?>
<?php
// XSS exploit prevention
//$crit["value"] = htmlspecialchars($crit["value"]);
//$crit["extra"] = htmlspecialchars($crit["extra"]);
$valMaxStrLen = 25;
if (strlen($crit["value"]) > $valMaxStrLen) {
$crit["value"] = substr($crit["value"], 0, 24)."...";
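Review bot: The escape of `$crit["extra"]` is commented out at L147 and the model hunk (L77) encodes only the value, so if this template echoes `$crit["extra"]` further down (outside the hunk) it goes out unencoded; restore it as `$crit["extra"] = htmlspecialchars($crit["extra"]);` or escape at the echo. The commented-out blocks at L127–L131 and L146–L147 should be deleted rather than committed, because they suggest escaping exists where it does not. Since `$crit["value"]` now arrives already encoded, the `strlen(...) > 25` test and `substr(..., 0, 24)` at L149–L150 count entity characters and can cut an entity in half (`&amp;` becomes `&am`), so truncate before encoding or measure the decoded value. The reference loop at L112–L114 leaves `$value` bound to the last element of `$this->md`; add `unset($value);` after it, and likewise for `$criterias` and `$crit` after the loops opened at L142–L143.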


@ -39,7 +39,7 @@ if (isset($this->obj)) {
<a id="playlist_name_display" contenteditable="true">
<?php
if (isset($this->unsavedName)) echo $this->unsavedName;
else echo $this->obj->getName();
else echo $this->escape($this->obj->getName());
?>
</a>
</h3>
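Review bot: Only the `else` branch at L159 is escaped; `if (isset($this->unsavedName)) echo $this->unsavedName;` at L157 still echoes the value raw, and an unsaved name is presumably the one most recently typed by a user, so the branch the fix most needs is the one left out. Change it to `if (isset($this->unsavedName)) echo $this->escape($this->unsavedName);`. The enclosing `if (isset($this->obj))` block starts outside the hunk.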


@ -8,7 +8,6 @@ if ($item['type'] == 2) {
$bl= new Application_Model_Block($item['item_id']);
$staticBlock = $bl->isStatic();
}
$item["track_title"] = $this->escape($item["track_title"]);
?>
<li class="ui-state-default" id="spl_<?php echo $item["id"] ?>" unqid="<?php echo $item["id"]; ?>">
<div class="list-item-container">


@ -29,7 +29,7 @@
<div class="playlist_title">
<div id="name-error" class="errors" style="display:none;"></div>
<h3 id="ws_name">
<a id="playlist_name_display" contenteditable="true"><?php echo $this->obj->getName(); ?></a>
<a id="playlist_name_display" contenteditable="true"><?php echo $this->escape($this->obj->getName()); ?></a>
</h3>
<h4 id="ws_length"><?php echo $this->obj->getDefaultLength(); ?></h4>
</div>