diff --git a/airtime_mvc/application/controllers/ApiController.php b/airtime_mvc/application/controllers/ApiController.php
index 6bbe480da..62823103d 100644
--- a/airtime_mvc/application/controllers/ApiController.php
+++ b/airtime_mvc/application/controllers/ApiController.php
@@ -261,7 +261,14 @@ class ApiController extends Zend_Controller_Action
 "currentShow"=>Application_Model_Show::getCurrentShow($utcTimeNow),
 "nextShow"=>Application_Model_Show::getNextShows($utcTimeNow, $limit, $utcTimeEnd)
 );
-
+ // XSS exploit prevention
+ foreach ($result["currentShow"] as &$current) {
+ $current["name"] = htmlspecialchars($current["name"]);
+ }
+ foreach ($result["nextShow"] as &$next) {
+ $next["name"] = htmlspecialchars($next["name"]);
+ }
+
 Application_Model_Show::convertToLocalTimeZone($result["currentShow"],
 array("starts", "ends", "start_timestamp", "end_timestamp"));
 Application_Model_Show::convertToLocalTimeZone($result["nextShow"],
@@ -269,6 +276,17 @@ class ApiController extends Zend_Controller_Action
 } else {
 $result = Application_Model_Schedule::GetPlayOrderRange();
+ // XSS exploit prevention
+ $result["previous"]["name"] = htmlspecialchars($result["previous"]["name"]);
+ $result["current"]["name"] = htmlspecialchars($result["current"]["name"]);
+ $result["next"]["name"] = htmlspecialchars($result["next"]["name"]);
+ foreach ($result["currentShow"] as &$current) {
+ $current["name"] = htmlspecialchars($current["name"]);
+ }
+ foreach ($result["nextShow"] as &$next) {
+ $next["name"] = htmlspecialchars($next["name"]);
+ }
+
 //Convert from UTC to localtime for Web Browser.
 Application_Model_Show::ConvertToLocalTimeZone($result["currentShow"],
 array("starts", "ends", "start_timestamp", "end_timestamp"));
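Review bot: `htmlspecialchars()` is called with its default flags on every `name` in this hunk and again in the `@@ -269,6 +276,17 @@` hunk below it; before PHP 8.1 the default is `ENT_COMPAT`, which leaves `'` unencoded, so a show name that a widget drops into a single-quoted attribute or an inline-script string is not neutralised — pass the context explicitly, `$current["name"] = htmlspecialchars($current["name"], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');` (and the same for `$next`). In the second hunk `$result["previous"]["name"]`, `["current"]["name"]` and `["next"]["name"]` are dereferenced unconditionally; if `GetPlayOrderRange()` returns `null` for a missing previous/next item (not visible here) this raises a warning and writes a spurious `name` key, so guard each with `isset()` first. Both `foreach` loops bind `$current`/`$next` by reference and leave the reference live after the loop; add `unset($current, $next);` after them so a later by-value reuse of either name cannot overwrite the last array element. The enclosing action method starts and ends outside these hunks.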
@@ -315,7 +333,15 @@ class ApiController extends Zend_Controller_Action
 $result[$dow[$i]] = $shows;
 }
-
+
+ // XSS exploit prevention
+ foreach ($dow as $d) {
+ foreach ($result[$d] as &$show) {
+ $show["name"] = htmlspecialchars($show["name"]);
+ $show["url"] = htmlspecialchars($show["url"]);
+ }
+ }
+
 //used by caller to determine if the airtime they are running or widgets in use is out of date.
 $result['AIRTIME_API_VERSION'] = AIRTIME_API_VERSION;
 header("Content-type: text/javascript");
diff --git a/airtime_mvc/application/models/Block.php b/airtime_mvc/application/models/Block.php
index 7053e658d..ffe15ac56 100644
--- a/airtime_mvc/application/models/Block.php
+++ b/airtime_mvc/application/models/Block.php
@@ -257,6 +257,10 @@ SQL;
 //format original length
 $formatter = new LengthFormatter($row['orig_length']);
 $row['orig_length'] = $formatter->format();
+
+ // XSS exploit prevention
+ $row["track_title"] = htmlspecialchars($row["track_title"]);
+ $row["creator"] = htmlspecialchars($row["creator"]);
 }
 return $rows;
@@ -1241,7 +1245,7 @@ SQL;
 foreach ($out as $crit) {
 $criteria = $crit->getDbCriteria();
 $modifier = $crit->getDbModifier();
- $value = $crit->getDbValue();
+ $value = htmlspecialchars($crit->getDbValue());
 $extra = $crit->getDbExtra();
 if ($criteria == "limit") {
diff --git a/airtime_mvc/application/models/Playlist.php b/airtime_mvc/application/models/Playlist.php
index 1c446f182..6745eecc6 100644
--- a/airtime_mvc/application/models/Playlist.php
+++ b/airtime_mvc/application/models/Playlist.php
@@ -269,6 +269,10 @@ SQL;
 //format original length
 $formatter = new LengthFormatter($row['orig_length']);
 $row['orig_length'] = $formatter->format();
+
+ // XSS exploit prevention
+ $row["track_title"] = htmlspecialchars($row["track_title"]);
+ $row["creator"] = htmlspecialchars($row["creator"]);
 }
 return $rows;
diff --git a/airtime_mvc/application/models/ShowBuilder.php b/airtime_mvc/application/models/ShowBuilder.php
index 72a5f6ab0..fd85487db 100644
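Review bot: `$show["url"] = htmlspecialchars($show["url"]);` only makes the value safe as HTML text or inside a quoted attribute; entity encoding does not touch the URL's scheme, so if a widget places this field in an `href` a `javascript:` or `data:` value is still a live link after this change. If the consumer is an `href` (not visible here), restrict the scheme where the value is built, e.g. `$scheme = parse_url($show["url"], PHP_URL_SCHEME); $show["url"] = in_array($scheme, ['http', 'https'], true) ? htmlspecialchars($show["url"], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') : '';`. The nested loop leaves `$show` bound by reference after the outer loop ends; add `unset($show);` after the closing brace. This action sends `Content-type: text/javascript`, so every consumer of the payload now receives `name`/`url` pre-encoded for HTML, which deserves a comment at the top of the added block, e.g. `// name/url are HTML-escaped here for the embedding widgets; non-HTML consumers must decode them`.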
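Review bot: Escaping `$row["track_title"]` and `$row["creator"]` inside the model means every caller of this method now receives HTML-entity-encoded strings, not only the views; the same pattern is applied in `Playlist.php @@ -269,6 +269,10 @@` and `ShowBuilder.php @@ -275,9 +275,9 @@`, and `update.phtml` drops its own `$this->escape($item["track_title"])` to rely on it, so any view that still calls `escape()` on these fields double-encodes (`&amp;amp;`) while a non-HTML consumer (JSON export, logging, playlist files) gets entities. The method's name and callers are outside the hunk, so at minimum state the contract on the comment you add: `// XSS exploit prevention: track_title/creator are returned HTML-escaped; views must not escape them again`. Use explicit flags so single quotes are covered on PHP < 8.1: `$row["track_title"] = htmlspecialchars($row["track_title"], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');`. `creator` is presumably nullable for files without an artist tag; `htmlspecialchars(null)` is deprecated as of PHP 8.1, so coalesce with `?? ''` if that is the case.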
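Review bot: `$value = htmlspecialchars($crit->getDbValue());` encodes the criteria value before the `if ($criteria == "limit")` dispatch that follows, so if any later branch of this loop (outside the hunk) feeds `$value` into the smart-block query or back into the stored criteria, a value such as `AC&DC` or one containing `"` is compared or saved as `AC&amp;DC` and silently stops matching. Entity encoding belongs where the value is rendered — the `get-file-metadata.ajax.phtml` view in this commit already iterates the same criteria — so either keep `$value = $crit->getDbValue();` here and escape in the view, or, if this method is display-only, say so on the line: `// display-only: value is HTML-escaped for the criteria widget`. Note also that the view truncates `$crit["value"]` with `substr(..., 0, 24)` after this point, which can cut an entity such as `&quot;` in half and show `&qu...` to the user. The enclosing method starts outside the hunk.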
--- a/airtime_mvc/application/models/ShowBuilder.php
+++ b/airtime_mvc/application/models/ShowBuilder.php
@@ -275,9 +275,9 @@ class Application_Model_ShowBuilder
 $formatter = new LengthFormatter(Application_Common_DateHelper::ConvertMSToHHMMSSmm($run_time*1000));
 $row['runtime'] = $formatter->format();
- $row["title"] = $p_item["file_track_title"];
- $row["creator"] = $p_item["file_artist_name"];
- $row["album"] = $p_item["file_album_title"];
+ $row["title"] = htmlspecialchars($p_item["file_track_title"]);
+ $row["creator"] = htmlspecialchars($p_item["file_artist_name"]);
+ $row["album"] = htmlspecialchars($p_item["file_album_title"]);
 $row["cuein"] = $p_item["cue_in"];
 $row["cueout"] = $p_item["cue_out"];
diff --git a/airtime_mvc/application/views/scripts/library/get-file-metadata.ajax.phtml b/airtime_mvc/application/views/scripts/library/get-file-metadata.ajax.phtml
index 4b1a38839..0e0d9cbcb 100644
--- a/airtime_mvc/application/views/scripts/library/get-file-metadata.ajax.phtml
+++ b/airtime_mvc/application/views/scripts/library/get-file-metadata.ajax.phtml
@@ -1,3 +1,9 @@
+md as $key => &$value) { + $value = $this->escape($value); +} +?> type == "audioclip") : ?>
@@ -41,9 +47,18 @@ o
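Review bot: The new top-of-file loop in `get-file-metadata.ajax.phtml` (rendered here as `md as $key => &$value) { $value = $this->escape($value); }`, its `<?php foreach ($this->` opening having been lost in this listing) iterates `$this->md` by reference and never releases `$value`, so any later by-value `foreach (... as $value)` in this template would overwrite the last metadata entry. Add `unset($value);` after the closing brace, plus a one-line comment stating that all of `$this->md` is escaped here so the echo sites below must not escape again. Escaping the whole array in one pass also encodes values that are never rendered as HTML text; if any `md` entry ends up in an `href` or inside a JavaScript string (not visible here), it needs context-specific handling rather than `escape()`.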
o + type == "playlist" || ($this->type == "block" && $this->blType == "Static")) {?> + contents as &$item) { + foreach ($item as $key => &$value) { + $value = $this->escape($value); + } + }*/ + ?> type == "playlist") { ?>
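Review bot: The escaping loop over `$this->contents` added in this hunk appears to be wrapped in a block comment (the closing `*/` is visible), so it does nothing; playlist and static-block items rendered below rely entirely on the model-layer `htmlspecialchars()` calls added to `Block.php` and `Playlist.php` in this commit, which a reader of this template cannot see. Either remove the dead block or replace it with a comment naming that dependency, e.g. `// contents[*] track_title/creator arrive HTML-escaped from the model; do not re-escape here`. If the block is meant to be enabled later, note that together with the model escaping it would double-encode.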
@@ -88,9 +103,13 @@ blType == "Dynamic") { ?>
md["MDATA_KEY_TITLE"]);?>
- contents["crit"] as $criterias) : ?> - + contents["crit"] as &$criterias) : ?> + $valMaxStrLen) { $crit["value"] = substr($crit["value"], 0, 24)."..."; diff --git a/airtime_mvc/application/views/scripts/playlist/smart-block.phtml b/airtime_mvc/application/views/scripts/playlist/smart-block.phtml index b1ca48da5..59ea2ce95 100644 --- a/airtime_mvc/application/views/scripts/playlist/smart-block.phtml +++ b/airtime_mvc/application/views/scripts/playlist/smart-block.phtml @@ -39,7 +39,7 @@ if (isset($this->obj)) { unsavedName)) echo $this->unsavedName; - else echo $this->obj->getName(); + else echo $this->escape($this->obj->getName()); ?> diff --git a/airtime_mvc/application/views/scripts/playlist/update.phtml b/airtime_mvc/application/views/scripts/playlist/update.phtml index a3a5b5b28..20ef17665 100644 --- a/airtime_mvc/application/views/scripts/playlist/update.phtml +++ b/airtime_mvc/application/views/scripts/playlist/update.phtml @@ -8,7 +8,6 @@ if ($item['type'] == 2) { $bl= new Application_Model_Block($item['item_id']); $staticBlock = $bl->isStatic(); } -$item["track_title"] = $this->escape($item["track_title"]); ?>
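Review bot: In `smart-block.phtml` only the `else` branch is escaped; the line above it (rendered here as `unsavedName)) echo $this->unsavedName;`) still prints the user-supplied unsaved name raw into the same element, so the XSS this hunk closes for saved block names remains open for an unsaved one. Change it to `if (isset($this->unsavedName)) echo $this->escape($this->unsavedName);`. The surrounding `if (isset($this->obj))` block starts outside the hunk.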
  • " unqid="">
    diff --git a/airtime_mvc/application/views/scripts/webstream/webstream.phtml b/airtime_mvc/application/views/scripts/webstream/webstream.phtml index 34131aabd..1c3657a75 100644 --- a/airtime_mvc/application/views/scripts/webstream/webstream.phtml +++ b/airtime_mvc/application/views/scripts/webstream/webstream.phtml @@ -29,7 +29,7 @@

    - obj->getName(); ?> + escape($this->obj->getName()); ?>

    obj->getDefaultLength(); ?>