
[Noalyss-commit] [noalyss] 06/16: mantis #1690: Bug : impossible d'utili


From: Dany De Bontridder
Subject: [Noalyss-commit] [noalyss] 06/16: mantis #1690: Bug : impossible d'utiliser < dans Inplace_Edit Use base64_decode to protect the string in serialize
Date: Sun, 3 Feb 2019 14:38:41 -0500 (EST)

sparkyx pushed a commit to branch master
in repository noalyss.

commit 1fb36ba6914353300d6293b0cec5184eec82d025
Author: Dany De Bontridder <address@hidden>
Date:   Sun Jan 27 21:04:52 2019 +0100

    mantis #1690: Bug : impossible d'utiliser < dans Inplace_Edit
    Use base64_decode to protect the string in serialize
---
 include/ajax/ajax_anc_plan.php     |  1 +
 include/lib/inplace_edit.class.php | 15 +++++++--------
 scenario/inplace_edit.test.php     |  1 +
 3 files changed, 9 insertions(+), 8 deletions(-)

diff --git a/include/ajax/ajax_anc_plan.php b/include/ajax/ajax_anc_plan.php
index 88115cb..d839be0 100644
--- a/include/ajax/ajax_anc_plan.php
+++ b/include/ajax/ajax_anc_plan.php
@@ -33,6 +33,7 @@ if ( $g_user->check_module("PLANANC ") ) die("forbidden");
 $input = $http->request("input");
 $action = $http->request("ieaction", "string", "display");
 $pa_id=$http->post("id","number");
+
 $answer = Inplace_Edit::build($input);
 $answer->add_json_param("gDossier", Dossier::id());
 $answer->set_callback("ajax_misc.php");
diff --git a/include/lib/inplace_edit.class.php 
b/include/lib/inplace_edit.class.php
index 5d869ca..3913757 100644
--- a/include/lib/inplace_edit.class.php
+++ b/include/lib/inplace_edit.class.php
@@ -53,16 +53,15 @@ class Inplace_Edit
      */
     function __construct(HtmlInput $p_input) {
         $this->input=$p_input;
-        $x["input"]=serialize($p_input);
-        $this->json=json_encode($x, 
JSON_UNESCAPED_UNICODE|JSON_UNESCAPED_SLASHES|JSON_NUMERIC_CHECK);
+        $x["input"]=base64_encode(serialize($p_input));
+        $this->json=json_encode($x, JSON_HEX_TAG | JSON_HEX_APOS | 
JSON_HEX_QUOT | JSON_HEX_AMP 
|JSON_UNESCAPED_UNICODE|JSON_UNESCAPED_SLASHES|JSON_NUMERIC_CHECK);
         $this->message=_("Cliquez pour éditer");
     }
     ///@brief build a Inplace_Edit object from
     /// a serialized string (ajax json parameter = input)
     static function build($p_serialize)
     {
-        
-        $input=  unserialize($p_serialize);
+        $input=  unserialize(base64_decode($p_serialize));
         $obj=new Inplace_Edit($input);
         return $obj;
     }
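Review bot: `build()` still hands an HTTP request parameter straight to `unserialize()`; `base64_decode` only transports the string unchanged and does nothing against PHP object injection (the caller in ajax_anc_plan.php reads the value via `$http->request("input")`), and the `HtmlInput` type hint on the constructor only rejects the result after deserialization has already run. At minimum restrict what may be instantiated and reject malformed input, e.g. `$input = unserialize(base64_decode($p_serialize, true), ['allowed_classes' => [HtmlInput::class /* plus the HtmlInput subclasses actually used */]]);` followed by a check that `$input instanceof HtmlInput` before calling the constructor. Since the blob only round-trips through the browser, a stronger fix is to append an HMAC computed with a server-side secret when encoding and verify it with `hash_equals()` before decoding. The same encode pattern appears in `__construct` here and in the `set_input` hunk below.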
@@ -170,7 +169,7 @@ EOF;
     function add_json_param($p_attribute,$p_value) {
         $x=json_decode($this->json,TRUE);
         $x[$p_attribute]=$p_value;
-        $this->json=json_encode($x, 
JSON_UNESCAPED_UNICODE|JSON_UNESCAPED_SLASHES|JSON_NUMERIC_CHECK);
+        $this->json=json_encode($x, JSON_HEX_TAG | JSON_HEX_APOS | 
JSON_HEX_QUOT | JSON_HEX_AMP 
|JSON_UNESCAPED_UNICODE|JSON_UNESCAPED_SLASHES|JSON_NUMERIC_CHECK);
     }
     /**
      * \brief return the HtmlObject , var input
@@ -187,8 +186,8 @@ EOF;
     function set_input(HtmlInput $p_input) {
         $this->input = $p_input;
         $x=json_decode($this->json,TRUE);
-        $x["input"]=serialize($p_input);
-        $this->json=json_encode($x, 
JSON_UNESCAPED_UNICODE|JSON_UNESCAPED_SLASHES|JSON_NUMERIC_CHECK);
+        $x["input"]=base64_encode(serialize($p_input));
+        $this->json=json_encode($x, JSON_HEX_TAG | JSON_HEX_APOS | 
JSON_HEX_QUOT | JSON_HEX_AMP 
|JSON_UNESCAPED_UNICODE|JSON_UNESCAPED_SLASHES|JSON_NUMERIC_CHECK);
     }
     /**
      * Set the value of the HtmlInput object $input
@@ -196,7 +195,7 @@ EOF;
      */
     function set_value($p_value) {
         $input=$this->get_input();
-        $this->input->set_value(strip_tags($p_value));
+        $this->input->set_value($p_value);
         $this->set_input($input);
     }
     /**
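Review bot: With `strip_tags()` removed, `set_value()` now stores the raw value; the new JSON_HEX_* flags in the other hunks only protect the copy embedded in `$this->json`, not wherever the HtmlInput value is rendered into the page, which is outside this hunk. Confirm that the render path escapes it with `htmlspecialchars($v, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')` (or that HtmlInput does so itself), otherwise the `<` that is now accepted is also emitted unescaped. A comment on the changed line would make the intent explicit: `// value kept verbatim (mantis #1690); escaping happens at output time`.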
diff --git a/scenario/inplace_edit.test.php b/scenario/inplace_edit.test.php
index c3d3a83..aa5261a 100644
--- a/scenario/inplace_edit.test.php
+++ b/scenario/inplace_edit.test.php
@@ -29,6 +29,7 @@ require_once NOALYSS_INCLUDE . '/lib/itext.class.php';
 require_once NOALYSS_INCLUDE . '/lib/inum.class.php';
 require_once NOALYSS_INCLUDE . '/lib/inplace_edit.class.php';
 if (!isset($_REQUEST["TestAjaxFile"])) {
+    html_page_start();
     echo h1(_("Test Inplace_Edit"));
     /***********************************************
      * If TestAjaxFile is not set it is not a ajax call


