Fixed potential XSS injection vectors in datatables columns
This commit is contained in:
parent
5f39d8e594
commit
83cd91f1d1
6 changed files with 10 additions and 10 deletions
|
@ -79,7 +79,7 @@ class EntityColumn extends AbstractColumn
|
||||||
return sprintf(
|
return sprintf(
|
||||||
'<a href="%s">%s</a>',
|
'<a href="%s">%s</a>',
|
||||||
$this->urlGenerator->listPartsURL($entity),
|
$this->urlGenerator->listPartsURL($entity),
|
||||||
$entity->getName()
|
htmlspecialchars($entity->getName())
|
||||||
);
|
);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
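Review bot: `htmlspecialchars($entity->getName())` on the new line relies on the interpreter's default flags, which include ENT_QUOTES and ENT_SUBSTITUTE only from PHP 8.1 onward; if the project's minimum PHP version is lower, a single quote passes through unchanged and an invalid UTF-8 byte sequence makes the call return an empty string. Passing the flags explicitly, `htmlspecialchars($entity->getName(), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')`, pins the behaviour regardless of runtime default; the same applies to the calls added in SIUnitNumberColumn, PartsDataTable, ProjectBomEntriesDataTable and LogEntryExtraFormatter. The first `%s` of the format string, the href value from `listPartsURL($entity)`, is still interpolated into an attribute unescaped — presumably the URL generator percent-encodes it, but passing it through the same call removes the assumption. The enclosing method starts before the hunk.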
@ -50,6 +50,6 @@ class SIUnitNumberColumn extends AbstractColumn
|
||||||
return '';
|
return '';
|
||||||
}
|
}
|
||||||
|
|
||||||
return $this->formatter->format((float) $value, $this->options['unit'], $this->options['precision']);
|
return htmlspecialchars($this->formatter->format((float) $value, $this->options['unit'], $this->options['precision']));
|
||||||
}
|
}
|
||||||
}
|
}
|
|
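Review bot: With the escaping moved into the render method, its return value is now HTML rather than plain text, and nothing in the signature or docblock says so; a caller or template layer that escapes a second time would turn `&` into `&amp;amp;`. A short docblock on the method, e.g. `@return string HTML-escaped representation of the value; callers must not escape again`, records the new contract. Whether the surrounding datatable layer already treats column output as raw HTML is not visible in this hunk; the method starts before it.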
@ -177,7 +177,7 @@ final class PartsDataTable implements DataTableTypeInterface
|
||||||
$tmp[] = sprintf(
|
$tmp[] = sprintf(
|
||||||
'<a href="%s">%s</a>',
|
'<a href="%s">%s</a>',
|
||||||
$this->urlGenerator->listPartsURL($lot->getStorageLocation()),
|
$this->urlGenerator->listPartsURL($lot->getStorageLocation()),
|
||||||
$lot->getStorageLocation()->getName()
|
htmlspecialchars($lot->getStorageLocation()->getName())
|
||||||
);
|
);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -192,13 +192,13 @@ final class PartsDataTable implements DataTableTypeInterface
|
||||||
$amount = $context->getAmountSum();
|
$amount = $context->getAmountSum();
|
||||||
$expiredAmount = $context->getExpiredAmountSum();
|
$expiredAmount = $context->getExpiredAmountSum();
|
||||||
|
|
||||||
$ret = $this->amountFormatter->format($amount, $context->getPartUnit());
|
$ret = htmlspecialchars($this->amountFormatter->format($amount, $context->getPartUnit()));
|
||||||
|
|
||||||
//If we have expired lots, we show them in parentheses behind
|
//If we have expired lots, we show them in parentheses behind
|
||||||
if ($expiredAmount > 0) {
|
if ($expiredAmount > 0) {
|
||||||
$ret .= sprintf(' <span title="%s" class="text-muted">(+%s)</span>',
|
$ret .= sprintf(' <span title="%s" class="text-muted">(+%s)</span>',
|
||||||
$this->translator->trans('part_lots.is_expired'),
|
$this->translator->trans('part_lots.is_expired'),
|
||||||
$this->amountFormatter->format($expiredAmount, $context->getPartUnit()));
|
htmlspecialchars($this->amountFormatter->format($expiredAmount, $context->getPartUnit())));
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
@ -210,7 +210,7 @@ final class PartsDataTable implements DataTableTypeInterface
|
||||||
'label' => $this->translator->trans('part.table.minamount'),
|
'label' => $this->translator->trans('part.table.minamount'),
|
||||||
'visible' => false,
|
'visible' => false,
|
||||||
'render' => function ($value, Part $context) {
|
'render' => function ($value, Part $context) {
|
||||||
return $this->amountFormatter->format($value, $context->getPartUnit());
|
return htmlspecialchars($this->amountFormatter->format($value, $context->getPartUnit()));
|
||||||
},
|
},
|
||||||
]);
|
]);
|
||||||
|
|
||||||
|
|
|
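Review bot: In the expired-lots branch (second hunk of this file) the translated `part_lots.is_expired` string is placed into the `title` attribute unescaped while the amount next to it is now escaped; message catalogues are normally trusted, but attribute context is exactly where a stray quote breaks out, so `htmlspecialchars($this->translator->trans('part_lots.is_expired'), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')` keeps the whole `<span>` consistent. The `ENT_QUOTES` flag matters here more than for the element-content escapes elsewhere in this commit. The render closure containing this code starts and ends outside the hunk.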
@ -84,7 +84,7 @@ class ProjectBomEntriesDataTable implements DataTableTypeInterface
|
||||||
return round($context->getQuantity());
|
return round($context->getQuantity());
|
||||||
}
|
}
|
||||||
//Otherwise use the unit of the part to format the quantity
|
//Otherwise use the unit of the part to format the quantity
|
||||||
return $this->amountFormatter->format($context->getQuantity(), $context->getPart()->getPartUnit());
|
return htmlspecialchars($this->amountFormatter->format($context->getQuantity(), $context->getPart()->getPartUnit()));
|
||||||
},
|
},
|
||||||
])
|
])
|
||||||
|
|
||||||
|
@ -93,7 +93,7 @@ class ProjectBomEntriesDataTable implements DataTableTypeInterface
|
||||||
'orderable' => false,
|
'orderable' => false,
|
||||||
'render' => function ($value, ProjectBOMEntry $context) {
|
'render' => function ($value, ProjectBOMEntry $context) {
|
||||||
if($context->getPart() === null) {
|
if($context->getPart() === null) {
|
||||||
return $context->getName();
|
return htmlspecialchars($context->getName());
|
||||||
}
|
}
|
||||||
if($context->getPart() !== null) {
|
if($context->getPart() !== null) {
|
||||||
$tmp = $this->partDataTableHelper->renderName($context->getPart());
|
$tmp = $this->partDataTableHelper->renderName($context->getPart());
|
||||||
|
|
|
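Review bot: `htmlspecialchars($context->getName())` in the second hunk covers only the part-less branch; two lines below, `$tmp = $this->partDataTableHelper->renderName($context->getPart());` is stored without escaping, so the fix holds only if `renderName()` already returns escaped markup — that helper is not touched by this commit and is worth checking. Once confirmed, a comment at the assignment, `// renderName() returns HTML-escaped markup; do not escape again`, records the assumption for the next reader. Style: after the early `return` on the `=== null` branch, the following `if($context->getPart() !== null)` is always true and could be dropped. The closure continues beyond the hunk.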
@ -117,7 +117,7 @@ class ElementTypeNameGenerator
|
||||||
* It uses getLocalizedLabel to determine the type.
|
* It uses getLocalizedLabel to determine the type.
|
||||||
*
|
*
|
||||||
* @param NamedElementInterface $entity the entity for which the string should be generated
|
* @param NamedElementInterface $entity the entity for which the string should be generated
|
||||||
* @param bool $use_html If set to true, a html string is returned, where the type is set italic
|
* @param bool $use_html If set to true, a html string is returned, where the type is set italic, and the name is escaped
|
||||||
*
|
*
|
||||||
* @return string The localized string
|
* @return string The localized string
|
||||||
*
|
*
|
||||||
|
|
|
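Review bot: The docblock now promises that with `$use_html` the name is escaped, but this comment line is the file's only change in the commit; unless the method body below the hunk already escaped the name before this change, the documentation now states a guarantee the code does not provide. Worth confirming against the implementation (outside the hunk) and, if the escaping is missing, adding it there rather than only documenting it. If it is present, naming the mechanism, e.g. `... and the name is passed through htmlspecialchars`, tells callers whether they may escape again.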
@ -193,7 +193,7 @@ class LogEntryExtraFormatter
|
||||||
}
|
}
|
||||||
if ($context->getInstockChangeType() === PartStockChangedLogEntry::TYPE_MOVE) {
|
if ($context->getInstockChangeType() === PartStockChangedLogEntry::TYPE_MOVE) {
|
||||||
$array['log.part_stock_changed.move_target'] =
|
$array['log.part_stock_changed.move_target'] =
|
||||||
$this->elementTypeNameGenerator->getLocalizedTypeLabel(PartLot::class)
|
htmlspecialchars($this->elementTypeNameGenerator->getLocalizedTypeLabel(PartLot::class))
|
||||||
.' ' . $context->getMoveToTargetID();
|
.' ' . $context->getMoveToTargetID();
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
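Review bot: Only the first operand of the concatenation is escaped; `$context->getMoveToTargetID()` on the following line is appended raw. If that getter returns an integer this is harmless, but escaping the assembled string once, `htmlspecialchars($this->elementTypeNameGenerator->getLocalizedTypeLabel(PartLot::class) . ' ' . $context->getMoveToTargetID(), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')`, covers both operands and does not depend on the getter's return type. Whether the `$array` values are rendered raw by the consuming template is outside this hunk. The enclosing method starts before the hunk.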