Merge pull request #930 from TheSerapher/issue-926
[SECURITY] Fixing potential XSS issues
This commit is contained in:
commit
216b986be2
@ -1,14 +1,13 @@
|
||||
<?php
|
||||
|
||||
// Make sure we are called from index.php
|
||||
if (!defined('SECURITY'))
|
||||
die('Hacking attempt');
|
||||
if (!defined('SECURITY')) die('Hacking attempt');
|
||||
|
||||
// Process password reset request
|
||||
if ($user->initResetPassword($_POST['username'], $smarty)) {
|
||||
$_SESSION['POPUP'][] = array('CONTENT' => 'Please check your mail account to finish your password reset');
|
||||
} else {
|
||||
$_SESSION['POPUP'][] = array('CONTENT' => $user->getError(), 'TYPE' => 'errormsg');
|
||||
$_SESSION['POPUP'][] = array('CONTENT' => htmlentities($user->getError(), ENT_QUOTES), 'TYPE' => 'errormsg');
|
||||
}
|
||||
|
||||
// Tempalte specifics, user default template by parent page
|
||||
|
||||
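Review bot: The `htmlentities()` call on the new errormsg line passes no charset, so the encoding used depends on the PHP version's default (ISO-8859-1 before 5.4) rather than the page's output encoding; make it explicit with `htmlentities($user->getError(), ENT_QUOTES, 'UTF-8')`. Encoding at the point where the message is stored in `$_SESSION['POPUP']` also means every other writer of that array must do the same, and if the popup template already applies `|escape` to CONTENT the message will be double-encoded, so it is worth confirming which layer owns the escaping. `$_POST['username']` is still read without an `isset()` check on the `initResetPassword` line, which raises an undefined-index notice when the form field is absent.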
@ -2,5 +2,5 @@
|
||||
<input type="hidden" name="page" value="password">
|
||||
<input type="hidden" name="action" value="reset">
|
||||
<p>If you have an email set for your account, enter your username to get your password reset</p>
|
||||
<p><input type="text" value="{$smarty.post.username|default:""}" name="username" required><input class="submit small" type="submit" value="Reset"></p>
|
||||
<p><input type="text" value="{$smarty.post.username|escape|default:""}" name="username" required><input class="submit small" type="submit" value="Reset"></p>
|
||||
</form>
|
||||
|
||||
@ -1,6 +1,6 @@
|
||||
<form action="{$smarty.server.PHP_SELF}" method="POST">
|
||||
<input type="hidden" name="page" value="{$smarty.request.page}">
|
||||
<input type="hidden" name="action" value="{$smarty.request.action}">
|
||||
<input type="hidden" name="page" value="{$smarty.request.page|escape}">
|
||||
<input type="hidden" name="action" value="{$smarty.request.action|escape}">
|
||||
<input type="hidden" name="do" value="sendInvitation">
|
||||
<article class="module width_quarter">
|
||||
<header><h3>Invitation</h3></header>
|
||||
|
||||
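Review bot: `{$smarty.server.PHP_SELF}` in the form `action` attribute is still emitted without `|escape`, while the request parameters two lines below now get it; `PHP_SELF` is derived from the request URI (it includes any path-info the client appends), so it belongs in the same class of reflected values. Change it to `<form action="{$smarty.server.PHP_SELF|escape}" method="POST">` here, and the same applies to every `action=`, `href=` and AJAX `url:` use of `$smarty.server.PHP_SELF` in the later hunks (transaction filter, worker, news, earnings, blocks-found and block-detail templates). Alternatively, assign a server-validated script path from the controller and reference that variable in the templates instead.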
@ -22,22 +22,22 @@
|
||||
<header><h3>Transaction Filter</h3></header>
|
||||
<div class="module_content">
|
||||
<form action="{$smarty.server.PHP_SELF}">
|
||||
<input type="hidden" name="page" value="{$smarty.request.page}" />
|
||||
<input type="hidden" name="action" value="{$smarty.request.action}" />
|
||||
<input type="hidden" name="page" value="{$smarty.request.page|escape}" />
|
||||
<input type="hidden" name="action" value="{$smarty.request.action|escape}" />
|
||||
<table cellspacing="0" class="tablesorter">
|
||||
<tbody>
|
||||
<tr>
|
||||
{if $COUNTTRANSACTIONS / $LIMIT > 1}
|
||||
<td align="left">
|
||||
{if $smarty.request.start|default:"0" > 0}
|
||||
<a href="{$smarty.server.PHP_SELF}?page={$smarty.request.page}&action={$smarty.request.action}&start={$smarty.request.start|default:"0" - $LIMIT}{if $FILTERS|default:""}{$FILTERS}{/if}"><i class="icon-left-open"></i></a>
|
||||
<a href="{$smarty.server.PHP_SELF}?page={$smarty.request.page|escape}&action={$smarty.request.action|escape}&start={$smarty.request.start|escape|default:"0" - $LIMIT}{if $FILTERS|default:""}{$FILTERS}{/if}"><i class="icon-left-open"></i></a>
|
||||
{else}
|
||||
<i class="icon-left-open"></i>
|
||||
{/if}
|
||||
</td>
|
||||
<td align="right">
|
||||
{if $COUNTTRANSACTIONS - $smarty.request.start|default:"0" - $LIMIT > 0}
|
||||
<a href="{$smarty.server.PHP_SELF}?page={$smarty.request.page}&action={$smarty.request.action}&start={$smarty.request.start|default:"0" + $LIMIT}{if $FILTERS|default:""}{$FILTERS}{/if}"><i class="icon-right-open"></i></a>
|
||||
<a href="{$smarty.server.PHP_SELF}?page={$smarty.request.page|escape}&action={$smarty.request.action|escape}&start={$smarty.request.start|escape|default:"0" + $LIMIT}{if $FILTERS|default:""}{$FILTERS}{/if}"><i class="icon-right-open"></i></a>
|
||||
{else}
|
||||
<i class="icon-right-open"></i>
|
||||
{/if}
|
||||
|
||||
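Review bot: `$smarty.request.start` is escaped in the two pagination hrefs here (`|escape|default:"0" - $LIMIT`), but the otherwise identical transaction-filter hunk further down the page leaves `start` unescaped in the same expressions, so the two templates now disagree; the later one should get the same modifier. For values interpolated into an `href` query string the context-correct modifier is `|escape:'url'` rather than the HTML default, and that applies to `page`, `action` and `start` alike. `{$FILTERS}` is still emitted raw inside the same href; if it is assembled from request parameters in the controller it needs the same treatment, which cannot be confirmed from this hunk.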
@ -1,8 +1,8 @@
|
||||
<article class="module width_quarter">
|
||||
<header><h3 class="">Add New Worker</h3></header>
|
||||
<form action="{$smarty.server.PHP_SELF}" method="post">
|
||||
<input type="hidden" name="page" value="{$smarty.request.page}">
|
||||
<input type="hidden" name="action" value="{$smarty.request.action}">
|
||||
<input type="hidden" name="page" value="{$smarty.request.page|escape}">
|
||||
<input type="hidden" name="action" value="{$smarty.request.action|escape}">
|
||||
<input type="hidden" name="do" value="add">
|
||||
<div class="module_content">
|
||||
<fieldset>
|
||||
@ -26,8 +26,8 @@
|
||||
<article class="module width_3_quarter">
|
||||
<header><h3 class="">Worker Configuration</h3></header>
|
||||
<form action="{$smarty.server.PHP_SELF}" method="post">
|
||||
<input type="hidden" name="page" value="{$smarty.request.page}">
|
||||
<input type="hidden" name="action" value="{$smarty.request.action}">
|
||||
<input type="hidden" name="page" value="{$smarty.request.page|escape}">
|
||||
<input type="hidden" name="action" value="{$smarty.request.action|escape}">
|
||||
<input type="hidden" name="do" value="update">
|
||||
<table class="tablesorter" cellspacing="0">
|
||||
<thead>
|
||||
|
||||
@ -1,8 +1,8 @@
|
||||
<article class="module width_full">
|
||||
<header><h3>News Posts</h3></header>
|
||||
<form method="POST" action="{$smarty.server.PHP_SELF}">
|
||||
<input type="hidden" name="page" value="{$smarty.request.page}">
|
||||
<input type="hidden" name="action" value="{$smarty.request.action}">
|
||||
<input type="hidden" name="page" value="{$smarty.request.page|escape}">
|
||||
<input type="hidden" name="action" value="{$smarty.request.action|escape}">
|
||||
<input type="hidden" name="do" value="add">
|
||||
<div class="module_content">
|
||||
<fieldset>
|
||||
@ -30,8 +30,8 @@
|
||||
<div class="module_content">{$NEWS[news].content}</div>
|
||||
<footer>
|
||||
<div class="submit_link">
|
||||
<a href='{$smarty.server.PHP_SELF}?page={$smarty.request.page}&action=news_edit&id={$NEWS[news].id}'><i class="icon-wrench"></i></a>
|
||||
<a href='{$smarty.server.PHP_SELF}?page={$smarty.request.page}&action={$smarty.request.action}&do=delete&id={$NEWS[news].id}'><i class="icon-trash"></i></a>
|
||||
<a href='{$smarty.server.PHP_SELF}?page={$smarty.request.page|escape}&action=news_edit&id={$NEWS[news].id}'><i class="icon-wrench"></i></a>
|
||||
<a href='{$smarty.server.PHP_SELF}?page={$smarty.request.page|escape}&action={$smarty.request.action|escape}&do=delete&id={$NEWS[news].id}'><i class="icon-trash"></i></a>
|
||||
</div>
|
||||
</footer>
|
||||
</article>
|
||||
|
||||
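Review bot: `{$NEWS[news].content}` on the context line above the edited links is still output raw into the module body; if news content is anything other than trusted, admin-authored HTML it should get `|escape` as well, and who may create news posts is worth confirming before leaving it as is. The `id` values interpolated into both hrefs are presumably integer database keys; if they can come from anywhere else, `|escape:'url'` applies to them too.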
@ -1,8 +1,8 @@
|
||||
<article class="module width_full">
|
||||
<header><h3>Edit news entry #{$NEWS.id}</h3></header>
|
||||
<form method="POST" action="{$smarty.server.PHP_SELF}">
|
||||
<input type="hidden" name="page" value="{$smarty.request.page}">
|
||||
<input type="hidden" name="action" value="{$smarty.request.action}">
|
||||
<input type="hidden" name="page" value="{$smarty.request.page|escape}">
|
||||
<input type="hidden" name="action" value="{$smarty.request.action|escape}">
|
||||
<input type="hidden" name="id" value="{$NEWS.id}">
|
||||
<input type="hidden" name="do" value="save">
|
||||
<table class="tablesorter" cellspacing="0">
|
||||
|
||||
@ -1,15 +1,15 @@
|
||||
<form action="{$smarty.server.PHP_SELF}" method="post">
|
||||
<input type="hidden" name="page" value="{$smarty.request.page|escape}">
|
||||
<input type="hidden" name="action" value="{$smarty.request.action|escape}">
|
||||
<input type="hidden" name="page" value="{$smarty.request.page|escape|escape}">
|
||||
<input type="hidden" name="action" value="{$smarty.request.action|escape|escape}">
|
||||
<article class="module width_full">
|
||||
<header><h3>Earnings Information</h3></header>
|
||||
<table class="tablesorter">
|
||||
<tbody>
|
||||
<td align="left">
|
||||
<a href="{$smarty.server.PHP_SELF}?page={$smarty.request.page}&action={$smarty.request.action}&height={if is_array($REPORTDATA) && count($REPORTDATA) > ($BLOCKLIMIT - 1)}{$REPORTDATA[$BLOCKLIMIT - 1].height}{/if}&prev=1&limit={$BLOCKLIMIT}&id={$USERID}&filter={$FILTER}"<i class="icon-left-open"></i></a>
|
||||
<a href="{$smarty.server.PHP_SELF}?page={$smarty.request.page|escape}&action={$smarty.request.action|escape}&height={if is_array($REPORTDATA) && count($REPORTDATA) > ($BLOCKLIMIT - 1)}{$REPORTDATA[$BLOCKLIMIT - 1].height}{/if}&prev=1&limit={$BLOCKLIMIT}&id={$USERID}&filter={$FILTER}"<i class="icon-left-open"></i></a>
|
||||
</td>
|
||||
<td align="right">
|
||||
<a href="{$smarty.server.PHP_SELF}?page={$smarty.request.page}&action={$smarty.request.action}&height={if is_array($REPORTDATA) && count($REPORTDATA) > 0}{$REPORTDATA[0].height}{/if}&next=1&limit={$BLOCKLIMIT}&id={$USERID}&filter={$FILTER}"><i class="icon-right-open"></i></a>
|
||||
<a href="{$smarty.server.PHP_SELF}?page={$smarty.request.page|escape}&action={$smarty.request.action|escape}&height={if is_array($REPORTDATA) && count($REPORTDATA) > 0}{$REPORTDATA[0].height}{/if}&next=1&limit={$BLOCKLIMIT}&id={$USERID}&filter={$FILTER}"><i class="icon-right-open"></i></a>
|
||||
</td>
|
||||
</tr>
|
||||
</tbody>
|
||||
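Review bot: The two hidden inputs now read `{$smarty.request.page|escape|escape}` and `{$smarty.request.action|escape|escape}` — the removed lines already carried `|escape`, so the commit stacks a second one and any `&`, `<` or quote in the value is emitted as `&amp;amp;`, `&amp;lt;` etc. and submitted back to the server in that corrupted form; drop the extra modifier: `value="{$smarty.request.page|escape}"`. Separately, the left pagination anchor ends its href with `&filter={$FILTER}"<i class="icon-left-open">` — the `>` that closes the `<a>` tag is missing (the right-hand anchor has it), a pre-existing markup bug this hunk reproduces. `{$FILTER}` and `{$USERID}` are also placed unescaped in the href query string; if either originates from the request they need `|escape:'url'` like `page` and `action`.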
@ -17,7 +17,7 @@
|
||||
<table class="tablesorter">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td>
|
||||
<td>
|
||||
<fieldset style="width:200px; padding-right:8px;">
|
||||
<label>Select User</label>
|
||||
{html_options name="id" options=$USERLIST selected=$USERID|default:"0"}
|
||||
@ -33,7 +33,7 @@
|
||||
<fieldset style="width:200px; padding-right:8px;">
|
||||
<label>Starting block height</label>
|
||||
<input type="text" class="pin" name="search" value="{$HEIGHT|default:"%"}">
|
||||
</fieldset>
|
||||
</fieldset>
|
||||
</td>
|
||||
<td><b>SHOW EMPTY ROUNDS</b><br><br>
|
||||
<span style="margin: 0px 28px;" class="toggle">
|
||||
|
||||
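Review bot: `{$HEIGHT|default:"%"}` is written into the `value` attribute of the `search` input without an escape modifier; if `$HEIGHT` is assigned from the submitted `search` parameter (the field's own name suggests a round-trip), this is the same reflected-attribute pattern the commit fixes elsewhere, and `value="{$HEIGHT|escape|default:"%"}"` would be consistent with it. If `$HEIGHT` is always an integer block height assigned by the controller, a short template comment saying so would document why it is exempt.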
@ -1,7 +1,7 @@
|
||||
<article class="module width_full">
|
||||
<form method="POST">
|
||||
<input type="hidden" name="page" value="{$smarty.request.page}" />
|
||||
<input type="hidden" name="action" value="{$smarty.request.action}" />
|
||||
<input type="hidden" name="page" value="{$smarty.request.page|escape}" />
|
||||
<input type="hidden" name="action" value="{$smarty.request.action|escape}" />
|
||||
<input type="hidden" name="do" value="save" />
|
||||
<header>
|
||||
<h3 class="tabs_involved">Settings</h3>
|
||||
|
||||
@ -22,22 +22,22 @@
|
||||
<header><h3>Transaction Filter</h3></header>
|
||||
<div class="module_content">
|
||||
<form action="{$smarty.server.PHP_SELF}">
|
||||
<input type="hidden" name="page" value="{$smarty.request.page}" />
|
||||
<input type="hidden" name="action" value="{$smarty.request.action}" />
|
||||
<input type="hidden" name="page" value="{$smarty.request.page|escape}" />
|
||||
<input type="hidden" name="action" value="{$smarty.request.action|escape}" />
|
||||
<table cellspacing="0" class="tablesorter">
|
||||
<tbody>
|
||||
<tr>
|
||||
{if $COUNTTRANSACTIONS / $LIMIT > 1}
|
||||
<td align="left">
|
||||
{if $smarty.request.start|default:"0" > 0}
|
||||
<a href="{$smarty.server.PHP_SELF}?page={$smarty.request.page}&action={$smarty.request.action}&start={$smarty.request.start|default:"0" - $LIMIT}{if $FILTERS|default:""}{$FILTERS}{/if}"><i class="icon-left-open"></i></a>
|
||||
<a href="{$smarty.server.PHP_SELF}?page={$smarty.request.page|escape}&action={$smarty.request.action|escape}&start={$smarty.request.start|default:"0" - $LIMIT}{if $FILTERS|default:""}{$FILTERS}{/if}"><i class="icon-left-open"></i></a>
|
||||
{else}
|
||||
<i class="icon-left-open"></i>
|
||||
{/if}
|
||||
</td>
|
||||
<td align="right">
|
||||
{if $COUNTTRANSACTIONS - $smarty.request.start|default:"0" - $LIMIT > 0}
|
||||
<a href="{$smarty.server.PHP_SELF}?page={$smarty.request.page}&action={$smarty.request.action}&start={$smarty.request.start|default:"0" + $LIMIT}{if $FILTERS|default:""}{$FILTERS}{/if}"><i class="icon-right-open"></i></a>
|
||||
<a href="{$smarty.server.PHP_SELF}?page={$smarty.request.page|escape}&action={$smarty.request.action|escape}&start={$smarty.request.start|default:"0" + $LIMIT}{if $FILTERS|default:""}{$FILTERS}{/if}"><i class="icon-right-open"></i></a>
|
||||
{else}
|
||||
<i class="icon-right-open"></i>
|
||||
{/if}
|
||||
|
||||
@ -3,21 +3,21 @@
|
||||
$.ajax({
|
||||
type: "POST",
|
||||
url: "{$smarty.server.PHP_SELF}",
|
||||
data: "page={$smarty.request.page}&action={$smarty.request.action}&do=fee&account_id=" + id,
|
||||
data: "page={$smarty.request.page|escape}&action={$smarty.request.action|escape}&do=fee&account_id=" + id,
|
||||
});
|
||||
}
|
||||
function storeLock(id) {
|
||||
$.ajax({
|
||||
type: "POST",
|
||||
url: "{$smarty.server.PHP_SELF}",
|
||||
data: "page={$smarty.request.page}&action={$smarty.request.action}&do=lock&account_id=" + id,
|
||||
data: "page={$smarty.request.page|escape}&action={$smarty.request.action|escape}&do=lock&account_id=" + id,
|
||||
});
|
||||
}
|
||||
function storeAdmin(id) {
|
||||
$.ajax({
|
||||
type: "POST",
|
||||
url: "{$smarty.server.PHP_SELF}",
|
||||
data: "page={$smarty.request.page}&action={$smarty.request.action}&do=admin&account_id=" + id,
|
||||
data: "page={$smarty.request.page|escape}&action={$smarty.request.action|escape}&do=admin&account_id=" + id,
|
||||
});
|
||||
}
|
||||
</script>
|
||||
|
||||
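Review bot: The three `data:` lines now HTML-escape `page` and `action`, but those values are placed in a JavaScript string literal inside `<script>` and then sent as a URL-encoded POST body, where HTML entities are neither decoded nor meaningful — a value containing `&` would be posted as `&amp;`. The context-correct modifier is `|escape:'url'`, e.g. `data: "page={$smarty.request.page|escape:'url'}&action={$smarty.request.action|escape:'url'}&do=fee&account_id=" + encodeURIComponent(id),`, which neutralises string-breakout characters and keeps the query string well-formed; the same change applies to the `lock` and `admin` requests. The enclosing function of the first `$.ajax` call starts before this hunk.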
@ -7,7 +7,7 @@
|
||||
<p>If you have an email set for your account, enter your username to get your password reset</p>
|
||||
<fieldset>
|
||||
<label>Username or E-Mail</label>
|
||||
<input type="text" name="username" value="{$smarty.post.username|default:""}" size="22" maxlength="20" required>
|
||||
<input type="text" name="username" value="{$smarty.post.username|escape|default:""}" size="22" maxlength="20" required>
|
||||
</fieldset>
|
||||
<div class="clear"></div>
|
||||
</div>
|
||||
|
||||
@ -40,10 +40,10 @@
|
||||
<tbody>
|
||||
<tr>
|
||||
<td align="left">
|
||||
<a href="{$smarty.server.PHP_SELF}?page={$smarty.request.page}&action={$smarty.request.action}&height={if is_array($BLOCKSFOUND) && count($BLOCKSFOUND) > ($BLOCKLIMIT - 1)}{$BLOCKSFOUND[$BLOCKLIMIT - 1].height}{/if}&prev=1"><i class="icon-left-open"></i></a>
|
||||
<a href="{$smarty.server.PHP_SELF}?page={$smarty.request.page|escape}&action={$smarty.request.action|escape}&height={if is_array($BLOCKSFOUND) && count($BLOCKSFOUND) > ($BLOCKLIMIT - 1)}{$BLOCKSFOUND[$BLOCKLIMIT - 1].height}{/if}&prev=1"><i class="icon-left-open"></i></a>
|
||||
</td>
|
||||
<td align="right">
|
||||
<a href="{$smarty.server.PHP_SELF}?page={$smarty.request.page}&action={$smarty.request.action}&height={if is_array($BLOCKSFOUND) && count($BLOCKSFOUND) > 0}{$BLOCKSFOUND[0].height}{/if}&next=1"><i class="icon-right-open"></i></a>
|
||||
<a href="{$smarty.server.PHP_SELF}?page={$smarty.request.page|escape}&action={$smarty.request.action|escape}&height={if is_array($BLOCKSFOUND) && count($BLOCKSFOUND) > 0}{$BLOCKSFOUND[0].height}{/if}&next=1"><i class="icon-right-open"></i></a>
|
||||
</td>
|
||||
</tr>
|
||||
</tbody>
|
||||
|
||||
@ -8,8 +8,8 @@
|
||||
</ul>
|
||||
</header>
|
||||
<div class="tab_container">
|
||||
{include file="{$smarty.request.page}/{$smarty.request.action}/mine.tpl"}
|
||||
{include file="{$smarty.request.page}/{$smarty.request.action}/pool.tpl"}
|
||||
{include file="{$smarty.request.page}/{$smarty.request.action}/both.tpl"}
|
||||
{include file="{$smarty.request.page|escape}/{$smarty.request.action|escape}/mine.tpl"}
|
||||
{include file="{$smarty.request.page|escape}/{$smarty.request.action|escape}/pool.tpl"}
|
||||
{include file="{$smarty.request.page|escape}/{$smarty.request.action|escape}/both.tpl"}
|
||||
</div>
|
||||
</article>
|
||||
|
||||
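Review bot: `|escape` on the three `{include file=...}` lines does not constrain the path: HTML escaping only rewrites `<`, `>`, `&` and quotes, none of which is needed to name a different template file, so request-controlled `page` and `action` still decide which `.tpl` is loaded. The effective control is to validate `page` and `action` against the list of known page/action names in the PHP controller before the template runs (that check may already exist in index.php, which is outside this diff) and to include from controller-assigned variables rather than `$smarty.request.*`, e.g. `{include file="{$PAGE}/{$ACTION}/mine.tpl"}` with `$PAGE`/`$ACTION` (names illustrative) assigned after validation. Smarty's `template_dir` restriction is a useful second layer but not a substitute for that allow-list.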
@ -4,10 +4,10 @@
|
||||
<tbody>
|
||||
<tr>
|
||||
<td align="left">
|
||||
<a href="{$smarty.server.PHP_SELF}?page={$smarty.request.page}&action={$smarty.request.action}&height={$BLOCKDETAILS.height}&prev=1"><i class="icon-left-open"></i></a>
|
||||
<a href="{$smarty.server.PHP_SELF}?page={$smarty.request.page|escape}&action={$smarty.request.action|escape}&height={$BLOCKDETAILS.height}&prev=1"><i class="icon-left-open"></i></a>
|
||||
</td>
|
||||
<td align="right" colspan="4">
|
||||
<a href="{$smarty.server.PHP_SELF}?page={$smarty.request.page}&action={$smarty.request.action}&height={$BLOCKDETAILS.height}&next=1"><i class="icon-right-open"></i></a>
|
||||
<a href="{$smarty.server.PHP_SELF}?page={$smarty.request.page|escape}&action={$smarty.request.action|escape}&height={$BLOCKDETAILS.height}&next=1"><i class="icon-right-open"></i></a>
|
||||
</td>
|
||||
</tr>
|
||||
</tbody>
|
||||
|
||||
@ -4,10 +4,10 @@
|
||||
<tbody>
|
||||
<tr>
|
||||
<td align="left">
|
||||
<a href="{$smarty.server.PHP_SELF}?page={$smarty.request.page}&action={$smarty.request.action}&height={$BLOCKDETAILS.height}&prev=1"><i class="icon-left-open"></i></a>
|
||||
<a href="{$smarty.server.PHP_SELF}?page={$smarty.request.page|escape}&action={$smarty.request.action|escape}&height={$BLOCKDETAILS.height}&prev=1"><i class="icon-left-open"></i></a>
|
||||
</td>
|
||||
<td align="right" colspan="4">
|
||||
<a href="{$smarty.server.PHP_SELF}?page={$smarty.request.page}&action={$smarty.request.action}&height={$BLOCKDETAILS.height}&next=1"><i class="icon-right-open"></i></a>
|
||||
<a href="{$smarty.server.PHP_SELF}?page={$smarty.request.page|escape}&action={$smarty.request.action|escape}&height={$BLOCKDETAILS.height}&next=1"><i class="icon-right-open"></i></a>
|
||||
</td>
|
||||
</tr>
|
||||
</tbody>
|
||||
|
||||