mirror of https://github.com/MISP/MISP
fix: [security] Fixed presistent xss in the sighting popover tool
- As reported by an external pentest company on behalf of the Centre for Cyber security Belgium (CCB)
pull/5687/head
parent
de80d340cf
commit
e24a9eb44c
|
@ -9,8 +9,8 @@
|
|||
<?php
|
||||
if ($isAclSighting):
|
||||
?>
|
||||
<i class="icon-thumbs-up useCursorPointer" title="<?php echo __('Add sighting');?>" role="button" tabindex="0" aria-label="<?php echo __('Add sighting');?>" onmouseover="flexibleAddSighting(this, '0', '<?php echo h($object['id']); ?>', '<?php echo h($object['event_id']);?>', '<?php echo h($object['value']);?>', '<?php echo h($page); ?>', 'top');" onclick="addSighting('0', '<?php echo h($object['id']); ?>', '<?php echo h($object['event_id']);?>', '<?php echo h($page); ?>');"> </i>
|
||||
<i class="icon-thumbs-down useCursorPointer" title="<?php echo __('Mark as false-positive');?>" role="button" tabindex="0" aria-label="<?php echo __('Mark as false-positive');?>" onmouseover="flexibleAddSighting(this, '1', '<?php echo h($object['id']); ?>', '<?php echo h($object['event_id']);?>', '<?php echo h($object['value']);?>', '<?php echo h($page); ?>', 'bottom');" onclick="addSighting('1', '<?php echo h($object['id']); ?>', '<?php echo h($object['event_id']);?>', '<?php echo h($page); ?>');"> </i>
|
||||
<i class="icon-thumbs-up useCursorPointer" title="<?php echo __('Add sighting');?>" role="button" tabindex="0" aria-label="<?php echo __('Add sighting');?>" onmouseover="flexibleAddSighting(this, '0', '<?php echo h($object['id']); ?>', '<?php echo h($object['event_id']);?>', '<?php echo h($page); ?>', 'top');" onclick="addSighting('0', '<?php echo h($object['id']); ?>', '<?php echo h($object['event_id']);?>', '<?php echo h($page); ?>');"> </i>
|
||||
<i class="icon-thumbs-down useCursorPointer" title="<?php echo __('Mark as false-positive');?>" role="button" tabindex="0" aria-label="<?php echo __('Mark as false-positive');?>" onmouseover="flexibleAddSighting(this, '1', '<?php echo h($object['id']); ?>', '<?php echo h($object['event_id']);?>', '<?php echo h($page); ?>', 'bottom');" onclick="addSighting('1', '<?php echo h($object['id']); ?>', '<?php echo h($object['event_id']);?>', '<?php echo h($page); ?>');"> </i>
|
||||
<i class="icon-wrench useCursorPointer sightings_advanced_add" title="<?php echo __('Advanced sightings');?>" role="button" tabindex="0" aria-label="<?php echo __('Advanced sightings');?>" data-object-id="<?php echo h($object['id']); ?>" data-object-context="attribute"> </i>
|
||||
<?php
|
||||
endif;
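Review bot: The arguments that remain in the two new thumbs-up/thumbs-down handlers are escaped with `h()` only, which is HTML escaping and not JavaScript-string escaping. The browser decodes entities inside an `onmouseover`/`onclick` attribute before the script is parsed, so these single-quoted literals are safe only while every value is free of quotes and backslashes. `$object['id']` and `$object['event_id']` look numeric, but the origin of `$page` is not visible in this hunk and should be confirmed as numeric. A sturdier form is the one the wrench icon already uses on the following line: carry the values as `data-object-id="<?php echo h($object['id']); ?>"` (plus `data-event-id`, `data-page`) and bind the handlers from script, so nothing emitted by the template is parsed as code.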
|
||||
|
|
|
@ -56,7 +56,7 @@ function fetchAddSightingForm(type, attribute_id, page, onvalue) {
|
|||
});
|
||||
}
|
||||
|
||||
function flexibleAddSighting(clicked, type, attribute_id, event_id, value, page, placement) {
|
||||
function flexibleAddSighting(clicked, type, attribute_id, event_id, page, placement) {
|
||||
var $clicked = $(clicked);
|
||||
var hoverbroken = false;
|
||||
$clicked.off('mouseleave.temp').on('mouseleave.temp', function() {
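Review bot: Dropping `value` from the middle of the positional list means any caller not updated in this commit still passes seven arguments, so the attribute value silently lands in `page` and the page in `placement`. Only the two call sites in the template above are visibly updated, so other views that call `flexibleAddSighting` should be checked. The function body continues outside this hunk, so it cannot be confirmed here that no reference to `value` or other string-built popover HTML remains. A comment above the signature would record the constraint, for example `// Arguments arrive from inline handler attributes: treat them as untrusted text and never concatenate them into popover HTML.`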
|
||||
|
|