Sanitize::html() to h() for views is the way to go

pull/61/head
Christophe Vandeplas 2012-06-05 10:00:36 +02:00
parent 1a0586f14f
commit e453ee0e97
4 changed files with 16 additions and 16 deletions


@ -21,12 +21,12 @@
<?php echo h($attribute['Attribute']['type']); ?>&nbsp;</td> <?php echo h($attribute['Attribute']['type']); ?>&nbsp;</td>
<td onclick="document.location ='<?php echo $this->Html->url(array('controller' => 'events', 'action' => 'view', $attribute['Attribute']['event_id']), true) ;?>';"> <td onclick="document.location ='<?php echo $this->Html->url(array('controller' => 'events', 'action' => 'view', $attribute['Attribute']['event_id']), true) ;?>';">
<?php <?php
$sig_display = nl2br(Sanitize::html($attribute['Attribute']['value'])); $sig_display = nl2br(h($attribute['Attribute']['value']));
if('attachment' == $attribute['Attribute']['type'] || if('attachment' == $attribute['Attribute']['type'] ||
'malware-sample' == $attribute['Attribute']['type']) { 'malware-sample' == $attribute['Attribute']['type']) {
echo $this->Html->link($sig_display, array('controller' => 'attributes', 'action' => 'download', $attribute['Attribute']['id'])); echo $this->Html->link($sig_display, array('controller' => 'attributes', 'action' => 'download', $attribute['Attribute']['id']));
} elseif('link' == $attribute['Attribute']['type']) { } elseif('link' == $attribute['Attribute']['type']) {
?><A HREF="<?php echo $attribute['Attribute']['value']?>"><?php echo $attribute['Attribute']['value']?></A><?php ?><A HREF="<?php echo $attribute['Attribute']['value']?>"><?php echo $attribute['Attribute']['value']?></A><?php
} else { } else {
echo $sig_display; echo $sig_display;
} }
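Review bot: The `link` branch still echoes `$attribute['Attribute']['value']` unescaped into both the `href` attribute and the anchor text, so the very field the rest of this hunk now passes through `h()` reaches the page raw here; change it to `?><A HREF="<?php echo h($attribute['Attribute']['value']); ?>"><?php echo h($attribute['Attribute']['value']); ?></A><?php`. Note that `h()` only handles HTML-attribute context; whether the value is an acceptable URL scheme is a separate check that escaping does not provide. Separately, `$sig_display` on the `Html->link()` line is already `h()`-escaped and `nl2br()`-expanded, and if `HtmlHelper::link()` escapes its title by default (CakePHP's documented default), the entities and the `<br />` tags will be encoded a second time; the same pattern appears in the last file where `explode('|', h(...))` feeds `Html->link()`. Passing the raw value to `link()` and escaping only the parts echoed directly would avoid the double encoding. The surrounding `<td>` and the enclosing loop continue outside this hunk.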


@ -2,16 +2,16 @@
<?php //foreach ($events as $event): ?> <?php //foreach ($events as $event): ?>
Event : <?php echo $event['Event']['id']; ?> Event : <?php echo $event['Event']['id']; ?>
Date : <?php echo $event['Event']['date']; ?> Date : <?php echo $event['Event']['date']; ?>
Reported by : <?php echo Sanitize::html($event['Event']['org']); ?> Reported by : <?php echo h($event['Event']['org']); ?>
Risk : <?php echo $event['Event']['risk']; ?> Risk : <?php echo $event['Event']['risk']; ?>
Attributes : Attributes :
<?php if (!empty($event['Attribute'])): <?php if (!empty($event['Attribute'])):
$i = 0; $i = 0;
foreach ($event['Attribute'] as $attribute): ?> foreach ($event['Attribute'] as $attribute): ?>
- <?php echo $attribute['type']; echo str_repeat(' ', $appendlen - 2 - strlen( $attribute['type'])); ?> - <?php echo $attribute['type']; echo str_repeat(' ', $appendlen - 2 - strlen( $attribute['type'])); ?>
: <?php echo Sanitize::html($attribute['value']);?> : <?php echo h($attribute['value']);?>
<?php endforeach; ?><?php endif; ?> <?php endforeach; ?><?php endif; ?>
Extra info : Extra info :
<?php echo Sanitize::html($event['Event']['info']); ?> <?php echo h($event['Event']['info']); ?>
<?php //endforeach; ?> <?php //endforeach; ?>
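Review bot: The escaping here should match the output context, and this template looks like it renders plain text rather than HTML (the `Event :` / `Date :` layout and the `str_repeat` padding suggest a text export, though the view's content type is not visible in the hunk). `h()` HTML-encodes, so an org or info value containing `&`, `<` or quotes would appear as `&amp;`, `&lt;` or `&quot;` in a text body; if the view is HTML after all, this is fine. Worth a one-line comment at the top of the view stating which output format it produces so the escaping choice is deliberate, e.g. `<?php // plain-text export: values are HTML-escaped with h() for consistency with the HTML views ?>`. Minor: the padding on the `- <?php echo $attribute['type']; ...` line uses byte-wise `strlen`, so columns drift for multibyte type names; `mb_strlen` would keep them aligned.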


@ -7,7 +7,7 @@
<th><?php echo $this->Paginator->sort('org');?></th> <th><?php echo $this->Paginator->sort('org');?></th>
<?php endif; ?> <?php endif; ?>
<th><?php echo $this->Paginator->sort('date');?></th> <th><?php echo $this->Paginator->sort('date');?></th>
<th<?php echo ' title="' . $event_descriptions['risk']['desc'] . '"';?>><?php echo $this->Paginator->sort('risk');?></th> <th<?php echo ' title="' . $event_descriptions['risk']['desc'] . '"';?>><?php echo $this->Paginator->sort('risk');?></th>
<th><?php echo $this->Paginator->sort('info');?></th> <th><?php echo $this->Paginator->sort('info');?></th>
<?php if ('true' == Configure::read('CyDefSIG.sync')): ?> <?php if ('true' == Configure::read('CyDefSIG.sync')): ?>
<th<?php echo ' title="' . $event_descriptions['private']['desc'] . '"';?>><?php echo $this->Paginator->sort('private');?></th> <th<?php echo ' title="' . $event_descriptions['private']['desc'] . '"';?>><?php echo $this->Paginator->sort('private');?></th>
@ -23,14 +23,14 @@
&nbsp;</td> &nbsp;</td>
<?php if ('true' == Configure::read('CyDefSIG.showorg') || $isAdmin): ?> <?php if ('true' == Configure::read('CyDefSIG.showorg') || $isAdmin): ?>
<td class="short" onclick="document.location ='<?php echo $this->Html->url(array('action' => 'view', $event['Event']['id']), true) ;?>';"> <td class="short" onclick="document.location ='<?php echo $this->Html->url(array('action' => 'view', $event['Event']['id']), true) ;?>';">
<?php echo Sanitize::html($event['Event']['org']); ?>&nbsp;</td> <?php echo h($event['Event']['org']); ?>&nbsp;</td>
<?php endif; ?> <?php endif; ?>
<td class="short" onclick="document.location ='<?php echo $this->Html->url(array('action' => 'view', $event['Event']['id']), true) ;?>';"> <td class="short" onclick="document.location ='<?php echo $this->Html->url(array('action' => 'view', $event['Event']['id']), true) ;?>';">
<?php echo $event['Event']['date']; ?>&nbsp;</td> <?php echo $event['Event']['date']; ?>&nbsp;</td>
<td class="short" onclick="document.location ='<?php echo $this->Html->url(array('action' => 'view', $event['Event']['id']), true) ;?>';"> <td class="short" onclick="document.location ='<?php echo $this->Html->url(array('action' => 'view', $event['Event']['id']), true) ;?>';">
<?php echo $event['Event']['risk']; ?>&nbsp;</td> <?php echo $event['Event']['risk']; ?>&nbsp;</td>
<td onclick="document.location ='<?php echo $this->Html->url(array('action' => 'view', $event['Event']['id']), true) ;?>';"> <td onclick="document.location ='<?php echo $this->Html->url(array('action' => 'view', $event['Event']['id']), true) ;?>';">
<?php echo nl2br(Sanitize::html($event['Event']['info'])); ?>&nbsp;</td> <?php echo nl2br(h($event['Event']['info'])); ?>&nbsp;</td>
<?php if ('true' == Configure::read('CyDefSIG.sync')): ?> <?php if ('true' == Configure::read('CyDefSIG.sync')): ?>
<td class="short" onclick="document.location ='<?php echo $this->Html->url(array('action' => 'view', $event['Event']['id']), true) ;?>';"> <td class="short" onclick="document.location ='<?php echo $this->Html->url(array('action' => 'view', $event['Event']['id']), true) ;?>';">
<?php echo ($event['Event']['private'])? 'Private' : ''; ?>&nbsp;</td> <?php echo ($event['Event']['private'])? 'Private' : ''; ?>&nbsp;</td>
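Review bot: The second hunk escapes `org` and `info` but still echoes `$event['Event']['date']` and `$event['Event']['risk']` raw into their `<td>` cells, while the view file later in this commit passes the same `date` field through `h()`; for consistency use `<?php echo h($event['Event']['date']); ?>&nbsp;</td>` and `<?php echo h($event['Event']['risk']); ?>&nbsp;</td>`. In the first hunk the `title` attributes are built by string concatenation with `$event_descriptions['risk']['desc']` and `$event_descriptions['private']['desc']` unescaped; these presumably come from static configuration, but wrapping them in `h()` costs nothing and keeps the view safe if the descriptions ever become editable. The table row these cells belong to starts before and ends after the hunk.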


@ -21,19 +21,19 @@
<dl> <dl>
<dt>ID</dt> <dt>ID</dt>
<dd> <dd>
<?php echo Sanitize::html($event['Event']['id']); ?> <?php echo h($event['Event']['id']); ?>
&nbsp; &nbsp;
</dd> </dd>
<?php if ('true' == Configure::read('CyDefSIG.showorg') || $isAdmin): ?> <?php if ('true' == Configure::read('CyDefSIG.showorg') || $isAdmin): ?>
<dt>Org</dt> <dt>Org</dt>
<dd> <dd>
<?php echo Sanitize::html($event['Event']['org']); ?> <?php echo h($event['Event']['org']); ?>
&nbsp; &nbsp;
</dd> </dd>
<?php endif; ?> <?php endif; ?>
<dt>Date</dt> <dt>Date</dt>
<dd> <dd>
<?php echo Sanitize::html($event['Event']['date']); ?> <?php echo h($event['Event']['date']); ?>
&nbsp; &nbsp;
</dd> </dd>
<dt<?php echo ' title="' . $event_descriptions['risk']['desc'] . '"';?>>Risk</dt> <dt<?php echo ' title="' . $event_descriptions['risk']['desc'] . '"';?>>Risk</dt>
@ -55,7 +55,7 @@
</dd --> </dd -->
<dt>Info</dt> <dt>Info</dt>
<dd> <dd>
<?php echo nl2br(Sanitize::html($event['Event']['info'])); ?> <?php echo nl2br(h($event['Event']['info'])); ?>
&nbsp; &nbsp;
</dd> </dd>
</dl> </dl>
@ -86,7 +86,7 @@
<?php if ('true' == Configure::read('CyDefSIG.sync')): ?> <?php if ('true' == Configure::read('CyDefSIG.sync')): ?>
<th <?php echo "title='" . $attr_descriptions['private']['desc'] . "'";?>>Private</th> <th <?php echo "title='" . $attr_descriptions['private']['desc'] . "'";?>>Private</th>
<?php endif;?> <?php endif;?>
<?php if ($isAdmin || $event['Event']['org'] == $me['org']): ?> <?php if ($isAdmin || $event['Event']['org'] == $me['org']): ?>
<th class="actions">Actions</th> <th class="actions">Actions</th>
<?php endif;?> <?php endif;?>
</tr> </tr>
@ -107,14 +107,14 @@
?></td> ?></td>
<td class="short" title="<?php echo $type_definitions[$attribute['type']]['desc'];?>"><?php echo $attribute['type'];?></td> <td class="short" title="<?php echo $type_definitions[$attribute['type']]['desc'];?>"><?php echo $attribute['type'];?></td>
<td><?php <td><?php
$sig_display = nl2br(Sanitize::html($attribute['value'])); $sig_display = nl2br(h($attribute['value']));
if('attachment' == $attribute['type'] || if('attachment' == $attribute['type'] ||
'malware-sample' == $attribute['type'] ) { 'malware-sample' == $attribute['type'] ) {
$filename_hash = explode('|', Sanitize::html($attribute['value'])); $filename_hash = explode('|', h($attribute['value']));
echo $this->Html->link($filename_hash[0], array('controller' => 'attributes', 'action' => 'download', $attribute['id'])); echo $this->Html->link($filename_hash[0], array('controller' => 'attributes', 'action' => 'download', $attribute['id']));
if (isset($filename_hash[1])) echo ' | '.$filename_hash[1]; if (isset($filename_hash[1])) echo ' | '.$filename_hash[1];
} elseif (strpos($attribute['type'], '|') !== false) { } elseif (strpos($attribute['type'], '|') !== false) {
$filename_hash = explode('|', Sanitize::html($attribute['value'])); $filename_hash = explode('|', h($attribute['value']));
echo $filename_hash[0]; echo $filename_hash[0];
if (isset($filename_hash[1])) echo ' | '.$filename_hash[1]; if (isset($filename_hash[1])) echo ' | '.$filename_hash[1];
} elseif ('vulnerability' == $attribute['type']) { } elseif ('vulnerability' == $attribute['type']) {
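Review bot: In the `@ -86,7 +86,7 @@` hunk the decision to show the Actions column uses a loose comparison, `$isAdmin || $event['Event']['org'] == $me['org']`; because `==` compares numeric-looking strings numerically, organisation names such as `"1e3"` and `"1000"` would compare equal, so an access-visibility check should use `===`: `<?php if ($isAdmin || $event['Event']['org'] === $me['org']): ?>`. Whether `org` is ever numeric-like is not visible here, but the strict form is correct in every case and documents the intent. In the same hunk the `title` attribute is built with `$attr_descriptions['private']['desc']` unescaped inside single quotes, and the last hunk does the same with `$type_definitions[$attribute['type']]['desc']`; if these descriptions are static configuration this is harmless, but an `h()` around each keeps the attribute context consistent with the rest of the commit. The `if`/`elseif` chain in the last hunk continues past the end of the hunk.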