Sanitize::html() to h() for views is the way to go

pull/61/head
Christophe Vandeplas 2012-06-05 10:00:36 +02:00
parent 1a0586f14f
commit e453ee0e97
4 changed files with 16 additions and 16 deletions


@ -21,12 +21,12 @@
<?php echo h($attribute['Attribute']['type']); ?>&nbsp;</td>
<td onclick="document.location ='<?php echo $this->Html->url(array('controller' => 'events', 'action' => 'view', $attribute['Attribute']['event_id']), true) ;?>';">
<?php
$sig_display = nl2br(Sanitize::html($attribute['Attribute']['value']));
$sig_display = nl2br(h($attribute['Attribute']['value']));
if('attachment' == $attribute['Attribute']['type'] ||
'malware-sample' == $attribute['Attribute']['type']) {
echo $this->Html->link($sig_display, array('controller' => 'attributes', 'action' => 'download', $attribute['Attribute']['id']));
} elseif('link' == $attribute['Attribute']['type']) {
?><A HREF="<?php echo $attribute['Attribute']['value']?>"><?php echo $attribute['Attribute']['value']?></A><?php
?><A HREF="<?php echo $attribute['Attribute']['value']?>"><?php echo $attribute['Attribute']['value']?></A><?php
} else {
echo $sig_display;
}
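Review bot: The `link` branch at L21/L22 still echoes `$attribute['Attribute']['value']` unescaped into both the `href` attribute and the anchor text, while every other branch of this hunk now goes through h(); the value is user-supplied event data, so this is exactly the stored-XSS path the switch to h() is meant to close. The line should read `?><A HREF="<?php echo h($attribute['Attribute']['value'])?>"><?php echo h($attribute['Attribute']['value'])?></A><?php` (attribute escaping does not validate the URL scheme, so restricting `link` values to http/https on save or at render is a separate check). Separately, L19 hands the already-escaped `$sig_display` to `$this->Html->link()`, whose default `escape => true` encodes it a second time and turns nl2br's `<br />` into visible text; pass the raw value and let the helper escape once, and the same double-encoding applies to `$filename_hash[0]` at L131 in the fourth file. The surrounding `<?php` block opens at L14, before the hunk, and the if/elseif chain closes at L25.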


@ -2,16 +2,16 @@
<?php //foreach ($events as $event): ?>
Event : <?php echo $event['Event']['id']; ?>
Date : <?php echo $event['Event']['date']; ?>
Reported by : <?php echo Sanitize::html($event['Event']['org']); ?>
Reported by : <?php echo h($event['Event']['org']); ?>
Risk : <?php echo $event['Event']['risk']; ?>
Attributes :
<?php if (!empty($event['Attribute'])):
$i = 0;
foreach ($event['Attribute'] as $attribute): ?>
- <?php echo $attribute['type']; echo str_repeat(' ', $appendlen - 2 - strlen( $attribute['type'])); ?>
: <?php echo Sanitize::html($attribute['value']);?>
: <?php echo h($attribute['value']);?>
<?php endforeach; ?><?php endif; ?>
Extra info :
<?php echo Sanitize::html($event['Event']['info']); ?>
<?php echo h($event['Event']['info']); ?>
<?php //endforeach; ?>
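Review bot: h() is an HTML escaper, and this view looks like a plain-text body (the `Event :` / `Date :` column layout and the absence of markup suggest an e-mail or text export — confirm against the layout/content-type it is rendered with); if so, L34, L42 and L46 will deliver `&` as `&amp;` and quotes as entities to the reader. The previous Sanitize::html() had the same effect, so this is inherited rather than introduced here, but it is worth fixing while the escaping calls are being touched. For a text context the relevant sanitisation is removing newlines and control characters that would break the line-oriented layout, not HTML encoding; a one-line comment above the loop stating which output format this template targets would stop the next reader from "fixing" it the other way.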


@ -7,7 +7,7 @@
<th><?php echo $this->Paginator->sort('org');?></th>
<?php endif; ?>
<th><?php echo $this->Paginator->sort('date');?></th>
<th<?php echo ' title="' . $event_descriptions['risk']['desc'] . '"';?>><?php echo $this->Paginator->sort('risk');?></th>
<th<?php echo ' title="' . $event_descriptions['risk']['desc'] . '"';?>><?php echo $this->Paginator->sort('risk');?></th>
<th><?php echo $this->Paginator->sort('info');?></th>
<?php if ('true' == Configure::read('CyDefSIG.sync')): ?>
<th<?php echo ' title="' . $event_descriptions['private']['desc'] . '"';?>><?php echo $this->Paginator->sort('private');?></th>
@ -23,14 +23,14 @@
&nbsp;</td>
<?php if ('true' == Configure::read('CyDefSIG.showorg') || $isAdmin): ?>
<td class="short" onclick="document.location ='<?php echo $this->Html->url(array('action' => 'view', $event['Event']['id']), true) ;?>';">
<?php echo Sanitize::html($event['Event']['org']); ?>&nbsp;</td>
<?php echo h($event['Event']['org']); ?>&nbsp;</td>
<?php endif; ?>
<td class="short" onclick="document.location ='<?php echo $this->Html->url(array('action' => 'view', $event['Event']['id']), true) ;?>';">
<?php echo $event['Event']['date']; ?>&nbsp;</td>
<td class="short" onclick="document.location ='<?php echo $this->Html->url(array('action' => 'view', $event['Event']['id']), true) ;?>';">
<?php echo $event['Event']['risk']; ?>&nbsp;</td>
<td onclick="document.location ='<?php echo $this->Html->url(array('action' => 'view', $event['Event']['id']), true) ;?>';">
<?php echo nl2br(Sanitize::html($event['Event']['info'])); ?>&nbsp;</td>
<?php echo nl2br(h($event['Event']['info'])); ?>&nbsp;</td>
<?php if ('true' == Configure::read('CyDefSIG.sync')): ?>
<td class="short" onclick="document.location ='<?php echo $this->Html->url(array('action' => 'view', $event['Event']['id']), true) ;?>';">
<?php echo ($event['Event']['private'])? 'Private' : ''; ?>&nbsp;</td>
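Review bot: The escaping sweep stops at `org` and `info`: L68 `$event['Event']['date']` and L70 `$event['Event']['risk']` are still echoed raw into their cells, as is `$event_descriptions['risk']['desc']` inside the `title` attribute on L55/L56, which this commit only re-indents. Those values are presumably constrained on write (a date and an enumerated risk level), but output escaping is the layer this commit is establishing and should not depend on upstream validation; change them to `<?php echo h($event['Event']['date']); ?>&nbsp;</td>` and `<?php echo h($event['Event']['risk']); ?>&nbsp;</td>`. Wrapping the description in h() inside the concatenated `title="..."` on L55 also keeps a double quote in the description text from terminating the attribute.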


@ -21,19 +21,19 @@
<dl>
<dt>ID</dt>
<dd>
<?php echo Sanitize::html($event['Event']['id']); ?>
<?php echo h($event['Event']['id']); ?>
&nbsp;
</dd>
<?php if ('true' == Configure::read('CyDefSIG.showorg') || $isAdmin): ?>
<dt>Org</dt>
<dd>
<?php echo Sanitize::html($event['Event']['org']); ?>
<?php echo h($event['Event']['org']); ?>
&nbsp;
</dd>
<?php endif; ?>
<dt>Date</dt>
<dd>
<?php echo Sanitize::html($event['Event']['date']); ?>
<?php echo h($event['Event']['date']); ?>
&nbsp;
</dd>
<dt<?php echo ' title="' . $event_descriptions['risk']['desc'] . '"';?>>Risk</dt>
@ -55,7 +55,7 @@
</dd -->
<dt>Info</dt>
<dd>
<?php echo nl2br(Sanitize::html($event['Event']['info'])); ?>
<?php echo nl2br(h($event['Event']['info'])); ?>
&nbsp;
</dd>
</dl>
@ -86,7 +86,7 @@
<?php if ('true' == Configure::read('CyDefSIG.sync')): ?>
<th <?php echo "title='" . $attr_descriptions['private']['desc'] . "'";?>>Private</th>
<?php endif;?>
<?php if ($isAdmin || $event['Event']['org'] == $me['org']): ?>
<?php if ($isAdmin || $event['Event']['org'] == $me['org']): ?>
<th class="actions">Actions</th>
<?php endif;?>
</tr>
@ -107,14 +107,14 @@
?></td>
<td class="short" title="<?php echo $type_definitions[$attribute['type']]['desc'];?>"><?php echo $attribute['type'];?></td>
<td><?php
$sig_display = nl2br(Sanitize::html($attribute['value']));
$sig_display = nl2br(h($attribute['value']));
if('attachment' == $attribute['type'] ||
'malware-sample' == $attribute['type'] ) {
$filename_hash = explode('|', Sanitize::html($attribute['value']));
$filename_hash = explode('|', h($attribute['value']));
echo $this->Html->link($filename_hash[0], array('controller' => 'attributes', 'action' => 'download', $attribute['id']));
if (isset($filename_hash[1])) echo ' | '.$filename_hash[1];
} elseif (strpos($attribute['type'], '|') !== false) {
$filename_hash = explode('|', Sanitize::html($attribute['value']));
$filename_hash = explode('|', h($attribute['value']));
echo $filename_hash[0];
if (isset($filename_hash[1])) echo ' | '.$filename_hash[1];
} elseif ('vulnerability' == $attribute['type']) {
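Review bot: L123 echoes `$attribute['type']` twice without h() — once as the index into `$type_definitions` inside a `title` attribute and once as the cell text — while the neighbouring `value` outputs on L126/L130/L135 are now escaped. If `type` is validated against the definitions table on save this is harmless, but an unknown type produces a PHP notice from the undefined index and puts the raw string into the attribute, so `h($attribute['type'])` on both echoes plus an `isset()` guard around the `$type_definitions` lookup is cheap defence in depth. The if/elseif chain this hunk sits in continues past L138, and its `<?php` block opens at L124.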