fix: [security] genericForm reflected XSS in form descriptions for user controlled descriptions

- accessible via the MISP local tool setting change
- sanitise the description

- as reported by Dawid Czarnecki from Zigrin Security
iglocska 2022-02-03 23:54:47 +01:00
parent 5fbd53883f
commit e60d97c214
No known key found for this signature in database
GPG Key ID: BEA224F1FEF113AC
1 changed files with 3 additions and 3 deletions


@ -106,7 +106,7 @@
'%s%s%s%s%s%s', '%s%s%s%s%s%s',
empty($data['description']) ? '' : sprintf( empty($data['description']) ? '' : sprintf(
'<div class="pb-2 fw-light">%s</div>', '<div class="pb-2 fw-light">%s</div>',
$data['description'] h($data['description'])
), ),
$ajaxFlashMessage, $ajaxFlashMessage,
$formCreate, $formCreate,
@ -131,7 +131,7 @@
'%s%s%s%s%s%s', '%s%s%s%s%s%s',
empty($data['description']) ? '' : sprintf( empty($data['description']) ? '' : sprintf(
'<div class="pb-2">%s</div>', '<div class="pb-2">%s</div>',
$data['description'] h($data['description'])
), ),
$ajaxFlashMessage, $ajaxFlashMessage,
$formCreate, $formCreate,
@ -157,7 +157,7 @@
$ajaxFlashMessage, $ajaxFlashMessage,
empty($data['description']) ? '' : sprintf( empty($data['description']) ? '' : sprintf(
'<div class="pb-3 fw-light">%s</div>', '<div class="pb-3 fw-light">%s</div>',
$data['description'] h($data['description'])
), ),
sprintf('<div class="panel">%s</div>', $fieldsString), sprintf('<div class="panel">%s</div>', $fieldsString),
empty($metaTemplateString) ? '' : $this->element( empty($metaTemplateString) ? '' : $this->element(
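Review bot: The same escape is hand-applied in three parallel sprintf() blocks (hunks at 106, 131 and 157), so a fourth layout variant added later can silently reintroduce the unescaped `$data['description']`; the enclosing method starts and ends outside the hunks. Consider escaping once before the branches, `$descriptionHtml = empty($data['description']) ? '' : h($data['description']);`, and interpolating `$descriptionHtml` into each `<div ...>%s</div>` template so the encoding decision lives in one place. `h()` is the right choice here since the value lands in HTML element text; if descriptions are ever meant to carry markup, an allow-list sanitizer rather than plain escaping would be needed, which this change does not (and need not) address. The remaining `%s` placeholders in these sprintf() calls are filled from values outside the hunks, so whether they are already escaped cannot be confirmed from here and is worth a quick check.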