bitPickups/friendica_2020-09-1_sharedHosting
1
0
Fork 0
Code Pull requests Activity

Remove escaping exception for form field values

Browse source 
- This could allow code injection from a malicious query leading to a form page
- Thanks to Laura Pîrcălăboiu for the report
This commit is contained in:
Hypolite Petovan 2023-08-02 16:29:50 +02:00
commit 6f9e15ea57
7 changed files with 9 additions and 16 deletions
Download patch file Download diff file Expand all files Collapse all files

3
view/theme/frio/templates/field_colorinput.tpl
View file

@ -1,9 +1,8 @@
<div class="form-group field input color">
<label for="id_{{$field.0}}" id="label_{{$field.0}}">{{$field.1}}{{if $field.4}} <span class="required" title="{{$field.4}}">*</span>{{/if}}</label>
<div class="input-group" id="{{$field.0}}">
<span class="input-group-addon"><i></i></span>
<input class="form-control color" name="{{$field.0}}" id="id_{{$field.0}}" type="text" value="{{$field.2 nofilter}}"{{if $field.4}} required{{/if}} aria-describedby="{{$field.0}}_tip">
<input class="form-control color" name="{{$field.0}}" id="id_{{$field.0}}" type="text" value="{{$field.2}}"{{if $field.4}} required{{/if}} aria-describedby="{{$field.0}}_tip">
</div>
{{if $field.3}}
<span class="help-block" id="{{$field.0}}_tip" role="tooltip">{{$field.3 nofilter}}</span>

3
view/theme/frio/templates/field_fileinput.tpl
View file

@ -1,8 +1,7 @@
<div class="form-group field input file">
<label for="id_{{$field.0}}" id="label_{{$field.0}}">{{$field.1}}{{if $field.4}} <span class="required" title="{{$field.4}}">*</span>{{/if}}</label>
<div class="input-group" id="{{$field.0}}">
<input class="form-control file" name="{{$field.0}}" id="id_{{$field.0}}" type="text" value="{{$field.2 nofilter}}"{{if $field.4}} required{{/if}} aria-describedby="{{$field.0}}_tip">
<input class="form-control file" name="{{$field.0}}" id="id_{{$field.0}}" type="text" value="{{$field.2}}"{{if $field.4}} required{{/if}} aria-describedby="{{$field.0}}_tip">
<span class="input-group-addon image-select"><i class="fa fa-picture-o"></i></span>
</div>
{{if $field.3}}

3
view/theme/frio/templates/field_openid.tpl
View file

@ -1,7 +1,6 @@
<div id="id_{{$field.0}}_wrapper" class="form-group field input openid">
<label for="id_{{$field.0}}" id="label_{{$field.0}}">{{$field.1}}</label>
<input class="form-control" name="{{$field.0}}" id="id_{{$field.0}}" type="text" value="{{$field.2 nofilter}}" {{if $field.4}} readonly="readonly" {{/if}} aria-describedby="{{$field.0}}_tip">
<input class="form-control" name="{{$field.0}}" id="id_{{$field.0}}" type="text" value="{{$field.2}}" {{if $field.4}} readonly="readonly" {{/if}} aria-describedby="{{$field.0}}_tip">
{{if $field.3}}
<span class="help-block" id="{{$field.0}}_tip" role="tooltip">{{$field.3 nofilter}}</span>
{{/if}}

3
view/theme/frio/templates/field_password.tpl
View file

@ -1,7 +1,6 @@
<div id="id_{{$field.0}}_wrapper" class="form-group field input password">
<label for="id_{{$field.0}}" id="label_{{$field.0}}">{{$field.1}}{{if $field.4}} <span class="required" title="{{$field.4}}">*</span>{{/if}}</label>
<input class="form-control" name="{{$field.0}}" id="id_{{$field.0}}" type="password" value="{{$field.2 nofilter}}" {{if $field.4}} required{{/if}}{{if $field.5 eq "autofocus"}} autofocus{{elseif $field.5}} {{$field.5}}{{/if}}{{if $field.6}} pattern="{{$field.6}}"{{/if}} aria-describedby="{{$field.0}}_tip">
<input class="form-control" name="{{$field.0}}" id="id_{{$field.0}}" type="password" value="{{$field.2}}" {{if $field.4}} required{{/if}}{{if $field.5 eq "autofocus"}} autofocus{{elseif $field.5}} {{$field.5}}{{/if}}{{if $field.6}} pattern="{{$field.6}}"{{/if}} aria-describedby="{{$field.0}}_tip">
{{if $field.3}}
<span class="help-block" id="{{$field.0}}_tip" role="tooltip">{{$field.3 nofilter}}</span>
{{/if}}