Fix XSS problem using LSdebug/LSerror/LSinfos

This commit is contained in:
Benjamin Renard 2018-06-08 17:41:28 +02:00
parent 98d8d73709
commit 06b37ea2f6
4 changed files with 11 additions and 10 deletions


@ -132,7 +132,7 @@ class LSerror {
* @retvat string Le texte des erreurs * @retvat string Le texte des erreurs
*/ */
private static function getError($error) { private static function getError($error) {
return "(Code ".$error[0].") ".getFData(self :: $_errorCodes[$error[0]]['msg'],$error[1]); return "(Code ".htmlentities($error[0]).") ".htmlentities(getFData(self :: $_errorCodes[$error[0]]['msg'],$error[1]));
} }
/** /**
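Review bot: Both htmlentities() calls added to getError() use PHP's default flags and charset, so single quotes are left unescaped (ENT_COMPAT) and the charset is ISO-8859-1 before PHP 5.4 and UTF-8 from 5.4 on, where input that is not valid UTF-8 makes htmlentities() return an empty string and the whole error text silently disappears. Make the intent explicit on both calls, e.g. `return "(Code ".htmlentities($error[0], ENT_QUOTES, 'UTF-8').") ".htmlentities(getFData(self :: $_errorCodes[$error[0]]['msg'],$error[1]), ENT_QUOTES, 'UTF-8');`, adding ENT_SUBSTITUTE if the project targets PHP 5.4 or later. I cannot see which charset the application runs with, so use whatever the rest of the code base assumes. The docblock should also state that the returned string is already HTML-escaped, since the template prints `{$LSerrors}` without any escaping of its own.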


@ -1424,12 +1424,7 @@ class LSsession {
// Infos // Infos
if((!empty($_SESSION['LSsession_infos']))&&(is_array($_SESSION['LSsession_infos']))) { if((!empty($_SESSION['LSsession_infos']))&&(is_array($_SESSION['LSsession_infos']))) {
$txt_infos="<ul>\n"; LStemplate :: assign('LSinfos',$_SESSION['LSsession_infos']);
foreach($_SESSION['LSsession_infos'] as $info) {
$txt_infos.="<li>$info</li>\n";
}
$txt_infos.="</ul>\n";
LStemplate :: assign('LSinfos',$txt_infos);
$_SESSION['LSsession_infos']=array(); $_SESSION['LSsession_infos']=array();
} }
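Review bot: The new `LStemplate :: assign('LSinfos',$_SESSION['LSsession_infos']);` hands the template the raw message array and moves all escaping into the template, but nothing in the hunk records that contract, so a later consumer of `LSinfos` or a message pushed into `LSsession_infos` with markup in it can reintroduce the injection. Add a comment above the assign, e.g. `// Messages are passed unescaped on purpose: the template escapes each entry, so infos must be plain text, never HTML.` The enclosing LSsession method starts before this hunk and the code that fills `LSsession_infos` is not visible here, so whether any existing message relied on embedded HTML (which will now render literally) should be checked separately.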


@ -257,10 +257,10 @@ function LSdebug_print($return=false,$ul=true) {
if ($ul) $txt='<ul>'; else $txt=""; if ($ul) $txt='<ul>'; else $txt="";
foreach($GLOBALS['LSdebug_fields'] as $debug) { foreach($GLOBALS['LSdebug_fields'] as $debug) {
if (is_array($debug)||is_object($debug)) { if (is_array($debug)||is_object($debug)) {
$txt.='<li><pre>'.print_r($debug,true).'</pre></li>'; $txt.='<li><pre>'.htmlentities(print_r($debug,true)).'</pre></li>';
} }
else { else {
$txt.='<li><pre>'.$debug.'</pre></li>'; $txt.='<li><pre>'.htmlentities(strval($debug)).'</pre></li>';
} }
} }
if ($ul) $txt.='</ul>'; if ($ul) $txt.='</ul>';
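Review bot: `htmlentities(print_r($debug,true))` and `htmlentities(strval($debug))` rely on PHP's default charset and flags; on PHP 5.4+ the default is UTF-8 and htmlentities() returns an empty string for input that is not valid UTF-8, so a debug entry holding binary data (raw LDAP attribute values, for example) would vanish from the output instead of being displayed, which defeats the purpose of debug output. Pass explicit flags on both branches, e.g. `htmlentities(print_r($debug,true), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')` and `htmlentities(strval($debug), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')`; htmlspecialchars() with the same flags would also be sufficient inside `<pre>` and keeps non-ASCII text readable. LSdebug_print() starts and ends outside this hunk, and I cannot see the PHP version the project targets, so confirm ENT_SUBSTITUTE (5.4+) is available before using it.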


@ -1,6 +1,12 @@
<div id='LSjsConfig'>{$LSjsConfig}</div> <div id='LSjsConfig'>{$LSjsConfig}</div>
<div id='LSinfos_txt'>{$LSinfos}</div> <div id='LSinfos_txt'>{if is_array($LSinfos) && !empty($LSinfos)}
<ul>
{foreach $LSinfos as $info}
<li>{$info|escape:"htmlall"}</li>
{/foreach}
</ul>
{/if}</div>
<div id='LSerror_txt'>{$LSerrors}</div> <div id='LSerror_txt'>{$LSerrors}</div>
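Review bot: `LSinfos` is now escaped in the template with `|escape:"htmlall"`, but the neighbouring `{$LSerrors}` and `{$LSjsConfig}` are still printed raw, so the template mixes two escaping conventions and a reader cannot tell that `LSerrors` is only safe because LSerror::getError() pre-escapes it on the PHP side. Record that next to the output, e.g. `{* LSerrors is already HTML-escaped by LSerror::getError(); do not escape it again here *}` above the `LSerror_txt` div, and a similar note for `LSjsConfig` once its contents are confirmed, since I am only inferring from the name that it carries script configuration rather than user text. Note also that `escape:"htmlall"` uses the Smarty charset setting, which should match the charset the PHP-side htmlentities() calls assume.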