Unverified Commit 9effd2b6 authored by Peter Rotich's avatar Peter Rotich Committed by GitHub

Merge pull request #4869 from JediKev/xss/xss-to-lfi-vulnerability

xss: XSS To LFI Vulnerability
parents 3299278d eab6747e
...@@ -39,7 +39,7 @@ class CsvImporter { ...@@ -39,7 +39,7 @@ class CsvImporter {
rewind($this->stream); rewind($this->stream);
} }
else { else {
throw new ImportError(__('Unable to parse submitted csv: ').print_r($stream, true)); throw new ImportError(__('Unable to parse submitted csv: ').print_r(Format::htmlchars($stream), true));
} }
} }
...@@ -59,7 +59,7 @@ class CsvImporter { ...@@ -59,7 +59,7 @@ class CsvImporter {
throw new ImportError(__('Whoops. Perhaps you meant to send some CSV records')); throw new ImportError(__('Whoops. Perhaps you meant to send some CSV records'));
$headers = array(); $headers = array();
foreach ($data as $h) { foreach (Format::htmlchars($data) as $h) {
$h = trim($h); $h = trim($h);
$found = false; $found = false;
foreach ($all_fields as $f) { foreach ($all_fields as $f) {
...@@ -68,7 +68,7 @@ class CsvImporter { ...@@ -68,7 +68,7 @@ class CsvImporter {
$found = true; $found = true;
if (!$f->get('name')) if (!$f->get('name'))
throw new ImportError(sprintf(__( throw new ImportError(sprintf(__(
'%s: Field must have `variable` set to be imported'), $h)); '%s: Field must have `variable` set to be imported'), Format::htmlchars($h)));
$headers[$f->get('name')] = $f->get('label'); $headers[$f->get('name')] = $f->get('label');
break; break;
} }
...@@ -85,7 +85,7 @@ class CsvImporter { ...@@ -85,7 +85,7 @@ class CsvImporter {
} }
else { else {
throw new ImportError(sprintf( throw new ImportError(sprintf(
__('%s: Unable to map header to the object field'), $h)); __('%s: Unable to map header to the object field'), Format::htmlchars($h)));
} }
} }
} }
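Review bot: The change at the `@@ -59,7 +59,7 @@` hunk escapes the whole header array up front (`foreach (Format::htmlchars($data) as $h)`), so `$h` is already HTML-encoded when it is trimmed and compared against the object fields in the `foreach ($all_fields as $f)` loop, and the two later hunks then encode it a second time in the error messages (`Format::htmlchars($h)` at the `%s: Field must have ...` and `%s: Unable to map header ...` throws). If htmlchars applies to array elements as the other hunks suggest, a CSV header containing `&`, `<` or a quote will no longer match a field label that contains the same character, and the reported header will show `&amp;amp;`-style double encoding. Escape once, at the message sinks only: revert the loop header to `foreach ($data as $h) {` and keep the per-message `Format::htmlchars($h)` calls. The field-matching loop body continues outside the hunk, so whether any other code path relies on the raw `$h` should be confirmed there.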
......
...@@ -946,8 +946,8 @@ implements AuthenticatedUser, EmailContact, TemplateVariable { ...@@ -946,8 +946,8 @@ implements AuthenticatedUser, EmailContact, TemplateVariable {
} }
else { else {
throw new ImportError(sprintf(__('Unable to import (%s): %s'), throw new ImportError(sprintf(__('Unable to import (%s): %s'),
$data['username'], Format::htmlchars($data['username']),
print_r($errors, true) print_r(Format::htmlchars($errors), true)
)); ));
} }
$imported++; $imported++;
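Review bot: The `Unable to import (%s): %s` throw now HTML-encodes `$data['username']` and `$errors` inside the ImportError message itself, which ties the exception text to one output context; the same applies to the `Unable to import user: %s` throw in the following file section and to the `Unable to parse submitted csv` throw in the CsvImporter section. Any caller that surfaces ImportError outside an HTML page (a log line, a CLI importer, a JSON response) will now emit literal `&lt;` / `&quot;` entities, and a caller that already escapes on output will double-encode. The more robust fix is to keep the exception message raw and apply `Format::htmlchars()` where the message is rendered into HTML; if the throw-site escaping is kept, add a comment such as `// message is pre-escaped for HTML output; callers must not escape again` next to each throw so the contract is visible. The enclosing method starts and ends outside this hunk, so where the exception is caught cannot be verified from here.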
......
...@@ -456,7 +456,7 @@ implements TemplateVariable { ...@@ -456,7 +456,7 @@ implements TemplateVariable {
throw new ImportError('Both `name` and `email` fields are required'); throw new ImportError('Both `name` and `email` fields are required');
if (!($user = static::fromVars($data, true, true))) if (!($user = static::fromVars($data, true, true)))
throw new ImportError(sprintf(__('Unable to import user: %s'), throw new ImportError(sprintf(__('Unable to import user: %s'),
print_r($data, true))); print_r(Format::htmlchars($data), true)));
$imported++; $imported++;
} }
db_autocommit(true); db_autocommit(true);
......