Add stronger input validation/output escaping for theme, tags and categories vars

This commit is contained in:
Marcus Hill
2023-03-05 19:13:48 +00:00
parent 5640a22c18
commit feb0267002
8 changed files with 42 additions and 42 deletions


@@ -1,5 +1,5 @@
<!-- Main Sidebar Container --> <!-- Main Sidebar Container -->
<aside class="main-sidebar sidebar-dark-<?php echo $config_theme; ?> d-print-none"> <aside class="main-sidebar sidebar-dark-<?php echo htmlentities($config_theme); ?> d-print-none">
<!-- Sidebar --> <!-- Sidebar -->
<div class="sidebar"> <div class="sidebar">
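Review bot: `htmlentities($config_theme)` on the `<aside class="...">` line is called with no flags or charset, so which quote characters it encodes depends on the PHP version's default (single quotes are only encoded by default from 8.1 on) and on `default_charset`. Since the value lands inside a double-quoted attribute the escape is adequate as written, but pinning the context makes it independent of runtime defaults: `<?php echo htmlspecialchars($config_theme, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'); ?>`. The same unflagged call is repeated in the `<body class="... accent-...">` hunk, the two later sidebar hunks and the navbar hunk, and would be changed the same way. Note that escaping prevents attribute breakout only; a value containing spaces would still add extra class names, which is acceptable here only because the write path in the settings hunk now restricts the stored theme to `[0-9a-zA-Z_]`.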


@@ -36,5 +36,5 @@ header("X-Frame-Options: DENY");
<script src="plugins/toastr/toastr.min.js"></script> <script src="plugins/toastr/toastr.min.js"></script>
</head> </head>
<body class="hold-transition sidebar-mini layout-fixed accent-<?php echo $config_theme; ?>"> <body class="hold-transition sidebar-mini layout-fixed accent-<?php echo htmlentities($config_theme); ?>">
<div class="wrapper text-sm"> <div class="wrapper text-sm">


@@ -1,4 +1,4 @@
<?php <?php
$name = sanitizeInput($_POST['name']); $name = sanitizeInput($_POST['name']);
$type = sanitizeInput($_POST['type']); $type = sanitizeInput($_POST['type']);
$color = sanitizeInput($_POST['color']); $color = preg_replace("/[^0-9a-zA-Z_]/", "", sanitizeInput($_POST['color']));
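Review bot: The new `preg_replace("/[^0-9a-zA-Z_]/", "", ...)` on the `$color` line silently transforms input rather than validating it — a submitted value such as `#ff0000` or `text-danger` is stored as `ff0000` / `textdanger` without any error, and a value made entirely of disallowed characters becomes the empty string and is still accepted. If the intent is an allowlist, reject non-matching input instead, e.g. `if (!preg_match('/^[0-9a-zA-Z_]+$/', $color)) { /* reject and stop */ }` after the existing `sanitizeInput` call, so the caller learns the value was invalid. Whether hyphens are legitimate in these colour/icon names cannot be told from this hunk and should be confirmed before choosing the character class. The `$color` and `$icon` lines in the next hunk (the one with `intval($_POST['type'])`) have the same issue; the surrounding script continues outside both hunks.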


@@ -1,5 +1,5 @@
<?php <?php
$name = sanitizeInput($_POST['name']); $name = sanitizeInput($_POST['name']);
$type = intval($_POST['type']); $type = intval($_POST['type']);
$color = sanitizeInput($_POST['color']); $color = preg_replace("/[^0-9a-zA-Z_]/", "", sanitizeInput($_POST['color']));
$icon = sanitizeInput($_POST['icon']); $icon = preg_replace("/[^0-9a-zA-Z_]/", "", sanitizeInput($_POST['icon']));


@@ -870,7 +870,7 @@ if(isset($_POST['edit_theme_settings'])){
validateAdminRole(); validateAdminRole();
$theme = sanitizeInput($_POST['theme']); $theme = preg_replace("/[^0-9a-zA-Z_]/", "", sanitizeInput($_POST['theme']));
mysqli_query($mysqli,"UPDATE settings SET config_theme = '$theme' WHERE company_id = $session_company_id"); mysqli_query($mysqli,"UPDATE settings SET config_theme = '$theme' WHERE company_id = $session_company_id");
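Review bot: The character allowlist on the `$theme` line does make the following interpolated `UPDATE settings SET config_theme = '$theme'` safe against quote injection, but the query is still string-built and relies on that regex staying in place; binding the values removes the dependency: `$stmt = mysqli_prepare($mysqli, "UPDATE settings SET config_theme = ? WHERE company_id = ?");`, `mysqli_stmt_bind_param($stmt, "si", $theme, $session_company_id);`, `mysqli_stmt_execute($stmt);`. A stricter validation would also check the stripped value against the set of theme names the templates actually support (an `in_array($theme, [...], true)` against a fixed list, with a rejection path) rather than accepting any `[0-9a-zA-Z_]` string, including the empty string that `preg_replace` yields when every character is stripped. The enclosing `if(isset($_POST['edit_theme_settings']))` block continues outside the hunk.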


@@ -1,5 +1,5 @@
<!-- Main Sidebar Container --> <!-- Main Sidebar Container -->
<aside class="main-sidebar sidebar-dark-<?php echo $config_theme; ?> d-print-none"> <aside class="main-sidebar sidebar-dark-<?php echo htmlentities($config_theme); ?> d-print-none">
<!-- Sidebar --> <!-- Sidebar -->
<div class="sidebar"> <div class="sidebar">


@@ -1,5 +1,5 @@
<!-- Main Sidebar Container --> <!-- Main Sidebar Container -->
<aside class="main-sidebar sidebar-dark-<?php echo $config_theme; ?> d-print-none"> <aside class="main-sidebar sidebar-dark-<?php echo htmlentities($config_theme); ?> d-print-none">
<!-- Sidebar --> <!-- Sidebar -->
<div class="sidebar"> <div class="sidebar">


@@ -1,5 +1,5 @@
<!-- Navbar --> <!-- Navbar -->
<nav class="main-header navbar navbar-expand navbar-<?php echo $config_theme; ?> navbar-dark"> <nav class="main-header navbar navbar-expand navbar-<?php echo htmlentities($config_theme); ?> navbar-dark">
<!-- Left navbar links --> <!-- Left navbar links -->
<ul class="navbar-nav"> <ul class="navbar-nav">