XSS exploit prevention

- Calendar - Show Contents
- Playlist tooltip in Library page
- Adding track to a show
- Widgets
- Playlist/Webstream title and description
- Smart block expansion
denise 2013-02-05 10:56:38 -05:00
parent b45f71e8f9
commit 74bc485b4b
8 changed files with 63 additions and 11 deletions


@ -261,7 +261,14 @@ class ApiController extends Zend_Controller_Action
"currentShow"=>Application_Model_Show::getCurrentShow($utcTimeNow),
"nextShow"=>Application_Model_Show::getNextShows($utcTimeNow, $limit, $utcTimeEnd)
);
// XSS exploit prevention
foreach ($result["currentShow"] as &$current) {
$current["name"] = htmlspecialchars($current["name"]);
}
foreach ($result["nextShow"] as &$next) {
$next["name"] = htmlspecialchars($next["name"]);
}
Application_Model_Show::convertToLocalTimeZone($result["currentShow"],
array("starts", "ends", "start_timestamp", "end_timestamp"));
Application_Model_Show::convertToLocalTimeZone($result["nextShow"],
@ -269,6 +276,17 @@ class ApiController extends Zend_Controller_Action
} else {
$result = Application_Model_Schedule::GetPlayOrderRange();
// XSS exploit prevention
$result["previous"]["name"] = htmlspecialchars($result["previous"]["name"]);
$result["current"]["name"] = htmlspecialchars($result["current"]["name"]);
$result["next"]["name"] = htmlspecialchars($result["next"]["name"]);
foreach ($result["currentShow"] as &$current) {
$current["name"] = htmlspecialchars($current["name"]);
}
foreach ($result["nextShow"] as &$next) {
$next["name"] = htmlspecialchars($next["name"]);
}
//Convert from UTC to localtime for Web Browser.
Application_Model_Show::ConvertToLocalTimeZone($result["currentShow"],
array("starts", "ends", "start_timestamp", "end_timestamp"));
@ -315,7 +333,15 @@ class ApiController extends Zend_Controller_Action
$result[$dow[$i]] = $shows;
}
// XSS exploit prevention
foreach ($dow as $d) {
foreach ($result[$d] as &$show) {
$show["name"] = htmlspecialchars($show["name"]);
$show["url"] = htmlspecialchars($show["url"]);
}
}
//used by caller to determine if the airtime they are running or widgets in use is out of date.
$result['AIRTIME_API_VERSION'] = AIRTIME_API_VERSION;
header("Content-type: text/javascript");
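Review bot: The new `htmlspecialchars()` calls in all three hunks rely on the defaults, so single quotes are not escaped (no `ENT_QUOTES`) and the charset is whatever the PHP build assumes (ISO-8859-1 before PHP 5.4), which means a show name dropped by a widget into a single-quoted attribute, or bytes mis-decoded as UTF-8, can still break out. Change each call to `htmlspecialchars($value, ENT_QUOTES, 'UTF-8')`. This response is served as `text/javascript`, so the escaping is HTML-context escaping inside a JSON/JS payload: any consumer that places the value somewhere other than HTML text will see `&amp;`-style entities, and one that puts `$show["url"]` into an `href` is not protected against a `javascript:` scheme — escaping at the render site and allow-listing URL schemes would be the more robust fix. The `&$current`, `&$next` and `&$show` loop references are never `unset()`, which is harmless only as long as nothing later in the method reuses those names. The enclosing action methods and this file section continue past the visible lines.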