From eb2e2e6922b89eaedab230e89474614a085b4528 Mon Sep 17 00:00:00 2001
From: alee2
Date: Fri, 23 Jul 2021 16:36:33 -0700
Subject: [PATCH] Added htmlspecialchars around all POSTED values that are printed onscreen in index.php
---
index.php | 65 +++++++++++++++++++++++++++++++++++--------------------
1 file changed, 41 insertions(+), 24 deletions(-)
diff --git a/index.php b/index.php
index cd0ea8e..4cd2fbc 100644
--- a/index.php
+++ b/index.php
@@ -9,7 +9,7 @@ $data_entry_trigger_builder = new BCCHR\DataEntryTriggerBuilder\DataEntryTriggerBuilder(); if (!empty($_POST["json"])) { - $posted_json = htmlspecialchars($_POST["json"], ENT_NOQUOTES); + $posted_json = $_POST["json"]; $settings = json_decode($posted_json, true); if ($settings == null) {
@@ -159,11 +159,11 @@
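Review bot: The new `$posted_json = $_POST["json"];` line needs a comment explaining why the escaping was dropped here, or the next reader will reinstate it: the old ENT_NOQUOTES call rewrote `<`, `>` and `&` inside the JSON text before json_decode saw it, and output escaping now happens per value at the print sites this commit touches further down. Suggested: `// Raw body on purpose: escaping is applied per value where it is printed, not before json_decode.` Note that the decoded settings are now unescaped everywhere they flow, so every print site must escape; the -159, -171 and -521 hunks are HTML fragments that cannot be read in this view, so their coverage is unverified here. The surrounding `json_decode` / `== null` lines are unchanged context.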
- " required> + " required>
- " required> + " required>
@@ -171,10 +171,10 @@
> - " required> + " required>
@@ -247,6 +247,10 @@ $trigger): ?> +
@@ -281,23 +285,27 @@ $pipingDestEvents = $settings["pipingDestEvents"][$index]; $pipingSourceFields = $settings["pipingSourceFields"][$index]; $pipingDestFields = $settings["pipingDestFields"][$index]; + foreach($pipingSourceFields as $i => $source) { + $pipingSourceEvent = htmlspecialchars($pipingSourceEvents[$i], ENT_QUOTES); + $source = htmlspecialchars($source, ENT_QUOTES); + print ""; - if (!empty($pipingSourceEvents[$i])) + if (!empty($pipingSourceEvent)) { - print "[" . $pipingSourceEvents[$i] . "]"; - print ""; + print "[" . $pipingSourceEvent . "]"; + print ""; } print "[" . $source . "]"; print ""; if (!empty($pipingDestEvents[$i])) { - print "[" . $pipingDestEvents[$i] . "]"; - print ""; + print "[" . $pipingSourceEvent . "]"; + print ""; } - print "[" . $pipingDestFields[$i] . "]"; - print ""; + print "[" . $pipingSourceEvent . "]"; + print ""; print ""; print ""; print ""; @@ -306,18 +314,23 @@ $setDestEvents = $settings["setDestEvents"][$index]; $setDestFields = $settings["setDestFields"][$index]; $setDestFieldsValues = $settings["setDestFieldsValues"][$index]; + foreach($setDestFields as $i => $source) { + $setDestFieldsValue = htmlspecialchars($setDestFieldsValues[$i], ENT_QUOTES); + $setDestEvent = htmlspecialchars($setDestEvents[$i], ENT_QUOTES); + $source = htmlspecialchars($source, ENT_QUOTES); + print ""; - if (!empty($setDestFieldsValues[$i])) + if (!empty($setDestFieldsValue)) { - print "'" . $setDestFieldsValues[$i] . "'"; - print ""; + print "'" . $setDestFieldsValue . "'"; + print ""; } - if (!empty($setDestEvents[$i])) + if (!empty($setDestEvent)) { - print "[" . $setDestEvents[$i] . "]"; - print ""; + print "[" . $setDestEvent . "]"; + print ""; } print "[" . $source . "]"; print ""; 
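Review bot: The destination columns in this hunk now print the wrong value: inside `if (!empty($pipingDestEvents[$i]))` and on the line after it, the new code outputs `$pipingSourceEvent` where the removed lines printed `$pipingDestEvents[$i]` and `$pipingDestFields[$i]`, so the destination event and field cells silently show the source event instead. Escape the destination values into their own locals and print those, as below. The new `htmlspecialchars($pipingSourceEvents[$i], ENT_QUOTES)` call also runs before the `!empty()` guard that used to tolerate a missing index, so a sparse array now raises an undefined-key warning; `$pipingSourceEvents[$i] ?? ''` restores that tolerance, and the same applies to the escaped locals introduced in the -306 and -328 hunks. The loop header appears as an added line here and the loop body continues outside the hunk, so the surrounding `$index` iteration is not visible.
```php
foreach($pipingSourceFields as $i => $source) {
    $pipingSourceEvent = htmlspecialchars($pipingSourceEvents[$i] ?? '', ENT_QUOTES);
    $pipingDestEvent   = htmlspecialchars($pipingDestEvents[$i] ?? '', ENT_QUOTES);
    $pipingDestField   = htmlspecialchars($pipingDestFields[$i] ?? '', ENT_QUOTES);
    $source            = htmlspecialchars($source, ENT_QUOTES);
    // … unchanged: source event and source field cells …
    if (!empty($pipingDestEvent))
    {
        print "[" . $pipingDestEvent . "]";
        // … unchanged: separator cell …
    }
    print "[" . $pipingDestField . "]";
    // … unchanged: remaining cells of the row …
```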
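Review bot: `if (!empty($setDestFieldsValue))` still drops a legitimate value of `0`: empty() treats the string "0" as empty, so a rule that sets a destination field to zero renders without its value. The old `$setDestFieldsValues[$i]` check had the same behaviour, but the line is rewritten here and the escaped local is now always a string, so `if ($setDestFieldsValue !== '')` is the precise test. The `$setDestEvent` guard follows the same pattern; an event name of "0" is unlikely, so change it only for consistency. The loop body continues past the end of the hunk.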
@@ -328,19 +341,23 @@ $sourceInstr = $settings["sourceInstr"][$index]; $sourceInstrEvents = $settings["sourceInstrEvents"][$index]; + foreach($sourceInstr as $i => $source) { + $sourceInstrEvent = htmlspecialchars($sourceInstrEvents[$i], ENT_QUOTES); + $source = htmlspecialchars($source, ENT_QUOTES); + print ""; - if (!empty($sourceInstrEvents[$i])) + if (!empty($sourceInstrEvent)) { - print "[" . $sourceInstrEvents[$i] . "]"; - print ""; + print "[" . $sourceInstrEvent . "]"; + print ""; } print "[" . $source . "]"; print ""; - if (!empty($sourceInstrEvents[$i])) + if (!empty($sourceInstrEvent)) { - print "[" . $sourceInstrEvents[$i] . "]"; + print "[" . $sourceInstrEvent . "]"; } print "[" . $source . "]"; print ""; @@ -521,7 +538,7 @@
- +