From ecbdda9b88a611f1653079ae64e4d7012157ce55 Mon Sep 17 00:00:00 2001 
From: Till Brehm Date: Fri, 29 Dec 2017 18:06:04 +0100 Subject: [PATCH] Added new input filters. --- .../admin/form/directive_snippets.tform.php | 6 + interface/web/admin/form/groups.tform.php | 10 ++ interface/web/admin/form/iptables.tform.php | 30 ++++ interface/web/admin/form/server.tform.php | 6 + .../web/admin/form/server_config.tform.php | 84 +++++++++++ interface/web/admin/form/server_php.tform.php | 36 +++++ .../web/admin/form/software_package.tform.php | 12 ++ .../web/admin/form/software_repo.tform.php | 18 +++ .../web/admin/form/system_config.tform.php | 100 ++++++++++++- .../web/admin/form/tpl_default.tform.php | 12 ++ interface/web/client/client_edit.php | 4 +- interface/web/client/domain_edit.php | 5 +- interface/web/client/form/client.tform.php | 132 +++++++++++++++++- .../web/client/form/client_circle.tform.php | 10 ++ .../web/client/form/client_template.tform.php | 6 + .../client/form/message_template.tform.php | 12 ++ interface/web/client/form/reseller.tform.php | 132 +++++++++++++++++- interface/web/client/reseller_edit.php | 3 +- interface/web/dns/dns_import.php | 4 +- interface/web/dns/dns_slave_edit.php | 3 + interface/web/dns/dns_soa_edit.php | 5 +- interface/web/dns/dns_wizard.php | 4 +- interface/web/dns/form/dns_soa.tform.php | 10 ++ .../web/help/form/faq_sections.tform.php | 6 + .../web/help/form/support_message.tform.php | 10 ++ .../web/mail/form/mail_aliasdomain.tform.php | 6 +- .../web/mail/form/mail_blacklist.tform.php | 6 + .../web/mail/form/mail_forward.tform.php | 6 +- interface/web/mail/form/mail_get.tform.php | 6 + .../web/mail/form/mail_mailinglist.tform.php | 6 + .../mail/form/mail_relay_recipient.tform.php | 12 ++ .../web/mail/form/mail_spamfilter.tform.php | 6 + .../web/mail/form/mail_transport.tform.php | 12 +- interface/web/mail/form/mail_user.tform.php | 28 ++++ .../web/mail/form/mail_user_filter.tform.php | 10 ++ .../web/mail/form/mail_whitelist.tform.php | 12 ++ .../mail/form/spamfilter_blacklist.tform.php | 17 +++ 
.../web/mail/form/spamfilter_policy.tform.php | 114 +++++++++++++++ .../web/mail/form/spamfilter_users.tform.php | 12 +- .../mail/form/spamfilter_whitelist.tform.php | 12 +- interface/web/mail/form/xmpp_domain.tform.php | 10 ++ interface/web/mail/mail_domain_edit.php | 3 + interface/web/mail/mail_mailinglist_edit.php | 3 + interface/web/mail/xmpp_domain_edit.php | 3 + .../form/mail_user_autoresponder.tform.php | 10 ++ interface/web/sites/database_user_edit.php | 2 + .../web/sites/form/web_vhost_domain.tform.php | 22 +++ .../web/sites/form/webdav_user.tform.php | 6 + interface/web/sites/web_vhost_domain_edit.php | 3 + .../web/vm/form/openvz_ostemplate.tform.php | 16 +++ .../web/vm/form/openvz_template.tform.php | 22 +++ interface/web/vm/form/openvz_vm.tform.php | 10 +- interface/web/vm/openvz_vm_edit.php | 4 +- 53 files changed, 1018 insertions(+), 21 deletions(-) diff --git a/interface/web/admin/form/directive_snippets.tform.php b/interface/web/admin/form/directive_snippets.tform.php index 4d34fefb59..544cb8b855 100644 --- a/interface/web/admin/form/directive_snippets.tform.php +++ b/interface/web/admin/form/directive_snippets.tform.php @@ -71,6 +71,12 @@ $form["tabs"]['directive_snippets'] = array ( 1 => array ( 'type' => 'UNIQUE', 'errmsg'=> 'directive_snippets_name_error_unique'), ), + 'filters' => array( + 0 => array( 'event' => 'SAVE', + 'type' => 'STRIPTAGS'), + 1 => array( 'event' => 'SAVE', + 'type' => 'STRIPNL') + ), 'default' => '', 'value' => '', 'width' => '30', diff --git a/interface/web/admin/form/groups.tform.php b/interface/web/admin/form/groups.tform.php index c7b3f74fdb..5bcbe6279f 100644 --- a/interface/web/admin/form/groups.tform.php +++ b/interface/web/admin/form/groups.tform.php 
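Review bot: The new `filters` on `directive_snippets.name` run only on the `SAVE` event, so rows stored before this commit keep whatever markup they already contain, and `strip_tags()` is not an encoder: a value such as `x" onfocus=alert(1) autofocus="` contains no tag, passes both filters untouched, and still breaks any template that prints `name` inside an attribute without escaping. The `htmlentities()` calls this patch adds in client_edit.php and domain_edit.php are the right shape; the form-level STRIPTAGS/STRIPNL should be treated as defence in depth, not as the fix. A comment on the filter block would keep that clear for the next reader: `// defence in depth only: the template must still HTML-encode this value on output`.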
@@ -81,6 +81,12 @@ $form["tabs"]['groups'] = array ( 'name' => array ( 'datatype' => 'VARCHAR', 'formtype' => 'TEXT', + 'filters' => array( + 0 => array( 'event' => 'SAVE', + 'type' => 'STRIPTAGS'), + 1 => array( 'event' => 'SAVE', + 'type' => 'STRIPNL') + ), 'regex' => '/^.{1,30}$/', 'errmsg' => 'name_err', 'default' => '', @@ -94,6 +100,10 @@ $form["tabs"]['groups'] = array ( 'description' => array ( 'datatype' => 'TEXT', 'formtype' => 'TEXTAREA', + 'filters' => array( + 0 => array( 'event' => 'SAVE', + 'type' => 'STRIPTAGS') + ), 'regex' => '', 'errmsg' => '', 'default' => '', diff --git a/interface/web/admin/form/iptables.tform.php b/interface/web/admin/form/iptables.tform.php index 7d09ca3f5e..76d747020d 100644 --- a/interface/web/admin/form/iptables.tform.php +++ b/interface/web/admin/form/iptables.tform.php @@ -52,6 +52,12 @@ $form["tabs"]['iptables'] = array ( 'source_ip' => array ( 'datatype' => 'VARCHAR', 'formtype' => 'TEXT', + 'filters' => array( + 0 => array( 'event' => 'SAVE', + 'type' => 'STRIPTAGS'), + 1 => array( 'event' => 'SAVE', + 'type' => 'STRIPNL') + ), 'default' => '', 'value' => '', 'width' => '', @@ -60,6 +66,12 @@ $form["tabs"]['iptables'] = array ( 'destination_ip' => array ( 'datatype' => 'VARCHAR', 'formtype' => 'TEXT', + 'filters' => array( + 0 => array( 'event' => 'SAVE', + 'type' => 'STRIPTAGS'), + 1 => array( 'event' => 'SAVE', + 'type' => 'STRIPNL') + ), 'default' => '', 'value' => '', 'width' => '', @@ -68,6 +80,12 @@ $form["tabs"]['iptables'] = array ( 'singleport' => array ( 'datatype' => 'VARCHAR', 'formtype' => 'TEXT', + 'filters' => array( + 0 => array( 'event' => 'SAVE', + 'type' => 'STRIPTAGS'), + 1 => array( 'event' => 'SAVE', + 'type' => 'STRIPNL') + ), 'default' => '', 'value' => '', 'width' => '', 
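Review bot: `STRIPTAGS` on the free-text `description` of `groups` is lossy for ordinary input, not only for markup: `strip_tags()` treats a bare `<` as the start of a tag and discards everything up to the next `>` or the end of the string, so a description like `max < 10 users` is silently stored as `max `. For a field that is only displayed, HTML-encoding at output would preserve the text; if the filter stays, a note next to it is warranted: `// note: strip_tags() also drops any text after an unmatched '<'`. The same caveat applies to every TEXTAREA field given STRIPTAGS elsewhere in this patch.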
@@ -76,6 +94,12 @@ $form["tabs"]['iptables'] = array ( 'multiport' => array ( 'datatype' => 'VARCHAR', 'formtype' => 'TEXT', + 'filters' => array( + 0 => array( 'event' => 'SAVE', + 'type' => 'STRIPTAGS'), + 1 => array( 'event' => 'SAVE', + 'type' => 'STRIPNL') + ), 'default' => '', 'value' => '', 'width' => '', @@ -84,6 +108,12 @@ $form["tabs"]['iptables'] = array ( 'state' => array ( 'datatype' => 'VARCHAR', 'formtype' => 'TEXT', + 'filters' => array( + 0 => array( 'event' => 'SAVE', + 'type' => 'STRIPTAGS'), + 1 => array( 'event' => 'SAVE', + 'type' => 'STRIPNL') + ), 'default' => '', 'value' => '', 'width' => '', diff --git a/interface/web/admin/form/server.tform.php b/interface/web/admin/form/server.tform.php index 1bf079e1b0..95dca6c33b 100644 --- a/interface/web/admin/form/server.tform.php +++ b/interface/web/admin/form/server.tform.php @@ -61,6 +61,12 @@ $form["tabs"]['services'] = array ( 'server_name' => array ( 'datatype' => 'VARCHAR', 'formtype' => 'TEXT', + 'filters' => array( + 0 => array( 'event' => 'SAVE', + 'type' => 'STRIPTAGS'), + 1 => array( 'event' => 'SAVE', + 'type' => 'STRIPNL') + ), 'default' => '', 'value' => '', 'width' => '30', diff --git a/interface/web/admin/form/server_config.tform.php b/interface/web/admin/form/server_config.tform.php index 6c9e56772b..70aac48e07 100644 --- a/interface/web/admin/form/server_config.tform.php +++ b/interface/web/admin/form/server_config.tform.php @@ -145,6 +145,12 @@ $form["tabs"]['server'] = array( 'validators' => array(0 => array('type' => 'NOTEMPTY', 'errmsg' => 'nameservers_error_empty'), ), + 'filters' => array( + 0 => array( 'event' => 'SAVE', + 'type' => 'STRIPTAGS'), + 1 => array( 'event' => 'SAVE', + 'type' => 'STRIPNL') + ), 'value' => '', 'width' => '40', 'maxlength' => '255' 
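Review bot: For `iptables.state` (and `source_ip`, `destination_ip`, `singleport`, `multiport` in the preceding hunks) tag stripping is not the relevant check: these values are presumably turned into firewall rule arguments by server-side code outside this diff, and anything that is not an HTML tag — spaces, shell metacharacters, extra rule options — still passes, since none of the hunks adds a `validators` entry. The field-level `'regex'` key already used in groups.tform.php fits here, e.g. `'regex' => '/^[0-9,:]{0,255}$/', 'errmsg' => 'multiport_error_regex',` for the two port fields, a whitelist of the iptables state names for `state`, and an IP/CIDR check for the two address fields.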
@@ -316,6 +322,12 @@ $form["tabs"]['server'] = array( 'monit_user' => array( 'datatype' => 'VARCHAR', 'formtype' => 'TEXT', + 'filters' => array( + 0 => array( 'event' => 'SAVE', + 'type' => 'STRIPTAGS'), + 1 => array( 'event' => 'SAVE', + 'type' => 'STRIPNL') + ), 'default' => '', 'value' => '', 'width' => '40', @@ -344,6 +356,12 @@ $form["tabs"]['server'] = array( 'munin_user' => array( 'datatype' => 'VARCHAR', 'formtype' => 'TEXT', + 'filters' => array( + 0 => array( 'event' => 'SAVE', + 'type' => 'STRIPTAGS'), + 1 => array( 'event' => 'SAVE', + 'type' => 'STRIPNL') + ), 'default' => '', 'value' => '', 'width' => '40', @@ -426,6 +444,12 @@ $form["tabs"]['mail'] = array( 'dkim_path' => array( 'datatype' => 'VARCHAR', 'formtype' => 'TEXT', + 'filters' => array( + 0 => array( 'event' => 'SAVE', + 'type' => 'STRIPTAGS'), + 1 => array( 'event' => 'SAVE', + 'type' => 'STRIPNL') + ), 'default' => '/var/lib/amavis/dkim', 'value' => '', 'width' => '40', @@ -527,6 +551,12 @@ $form["tabs"]['mail'] = array( 'relayhost' => array( 'datatype' => 'VARCHAR', 'formtype' => 'TEXT', + 'filters' => array( + 0 => array( 'event' => 'SAVE', + 'type' => 'STRIPTAGS'), + 1 => array( 'event' => 'SAVE', + 'type' => 'STRIPNL') + ), 'default' => '', 'value' => '', 'width' => '40', @@ -535,6 +565,12 @@ $form["tabs"]['mail'] = array( 'relayhost_user' => array( 'datatype' => 'VARCHAR', 'formtype' => 'TEXT', + 'filters' => array( + 0 => array( 'event' => 'SAVE', + 'type' => 'STRIPTAGS'), + 1 => array( 'event' => 'SAVE', + 'type' => 'STRIPNL') + ), 'default' => '', 'value' => '', 'width' => '40', @@ -719,6 +755,12 @@ $form["tabs"]['web'] = array( 'website_autoalias' => array( 'datatype' => 'VARCHAR', 'formtype' => 'TEXT', + 'filters' => array( + 0 => array( 'event' => 'SAVE', + 'type' => 'STRIPTAGS'), + 1 => array( 'event' => 'SAVE', + 'type' => 'STRIPNL') + ), 'default' => '', 'value' => '', 'width' => '40', 
@@ -1135,6 +1177,12 @@ $form["tabs"]['web'] = array( 'validators' => array( 0 => array('type' => 'NOTEMPTY', 'errmsg' => 'htaccess_allow_override_error_empty'), ), + 'filters' => array( + 0 => array( 'event' => 'SAVE', + 'type' => 'STRIPTAGS'), + 1 => array( 'event' => 'SAVE', + 'type' => 'STRIPNL') + ), 'value' => '', 'width' => '40', 'maxlength' => '255' @@ -1161,6 +1209,12 @@ $form["tabs"]['web'] = array( 'validators' => array(0 => array('type' => 'NOTEMPTY', 'errmsg' => 'apps_vhost_port_error_empty'), ), + 'filters' => array( + 0 => array( 'event' => 'SAVE', + 'type' => 'STRIPTAGS'), + 1 => array( 'event' => 'SAVE', + 'type' => 'STRIPNL') + ), 'value' => '', 'width' => '40', 'maxlength' => '255' @@ -1172,6 +1226,12 @@ $form["tabs"]['web'] = array( 'validators' => array(0 => array('type' => 'NOTEMPTY', 'errmsg' => 'apps_vhost_ip_error_empty'), ), + 'filters' => array( + 0 => array( 'event' => 'SAVE', + 'type' => 'STRIPTAGS'), + 1 => array( 'event' => 'SAVE', + 'type' => 'STRIPNL') + ), 'value' => '', 'width' => '40', 'maxlength' => '255' @@ -1179,6 +1239,12 @@ $form["tabs"]['web'] = array( 'apps_vhost_servername' => array( 'datatype' => 'VARCHAR', 'formtype' => 'TEXT', + 'filters' => array( + 0 => array( 'event' => 'SAVE', + 'type' => 'STRIPTAGS'), + 1 => array( 'event' => 'SAVE', + 'type' => 'STRIPNL') + ), 'default' => '', 'value' => '', 'width' => '40', @@ -1187,6 +1253,12 @@ $form["tabs"]['web'] = array( 'awstats_conf_dir' => array( 'datatype' => 'VARCHAR', 'formtype' => 'TEXT', + 'filters' => array( + 0 => array( 'event' => 'SAVE', + 'type' => 'STRIPTAGS'), + 1 => array( 'event' => 'SAVE', + 'type' => 'STRIPNL') + ), 'default' => '', 'value' => '', 'width' => '40', 
@@ -1486,6 +1558,12 @@ $form["tabs"]['xmpp'] = array( 'xmpp_server_admins' => array( 'datatype' => 'VARCHAR', 'formtype' => 'TEXT', + 'filters' => array( + 0 => array( 'event' => 'SAVE', + 'type' => 'STRIPTAGS'), + 1 => array( 'event' => 'SAVE', + 'type' => 'STRIPNL') + ), 'default' => 'admin@service.com, superuser@service.com', 'value' => '', 'width' => '15' @@ -1494,6 +1572,12 @@ $form["tabs"]['xmpp'] = array( 'xmpp_modules_enabled' => array( 'datatype' => 'TEXT', 'formtype' => 'TEXT', + 'filters' => array( + 0 => array( 'event' => 'SAVE', + 'type' => 'STRIPTAGS'), + 1 => array( 'event' => 'SAVE', + 'type' => 'STRIPNL') + ), 'default' => "saslauth, tls, dialback, disco, discoitems, version, uptime, time, ping, admin_adhoc, admin_telnet, bosh, posix, announce, offline, webpresence, mam, stream_management, message_carbons", 'value' => '', 'separator' => "," diff --git a/interface/web/admin/form/server_php.tform.php b/interface/web/admin/form/server_php.tform.php index d5b0c5ff73..c94bb38c01 100644 --- a/interface/web/admin/form/server_php.tform.php +++ b/interface/web/admin/form/server_php.tform.php @@ -112,6 +112,12 @@ $form["tabs"]['php_name'] = array ( 'validators' => array(0 => array('type' => 'NOTEMPTY', 'errmsg' => 'server_php_name_error_empty'), ), + 'filters' => array( + 0 => array( 'event' => 'SAVE', + 'type' => 'STRIPTAGS'), + 1 => array( 'event' => 'SAVE', + 'type' => 'STRIPNL') + ), 'default' => '', 'value' => '', 'separator' => '', @@ -135,6 +141,12 @@ $form["tabs"]['php_fastcgi'] = array( 'php_fastcgi_binary' => array( 'datatype' => 'VARCHAR', 'formtype' => 'TEXT', + 'filters' => array( + 0 => array( 'event' => 'SAVE', + 'type' => 'STRIPTAGS'), + 1 => array( 'event' => 'SAVE', + 'type' => 'STRIPNL') + ), 'default' => '', 'value' => '', 'width' => '40', 
@@ -143,6 +155,12 @@ $form["tabs"]['php_fastcgi'] = array( 'php_fastcgi_ini_dir' => array( 'datatype' => 'VARCHAR', 'formtype' => 'TEXT', + 'filters' => array( + 0 => array( 'event' => 'SAVE', + 'type' => 'STRIPTAGS'), + 1 => array( 'event' => 'SAVE', + 'type' => 'STRIPNL') + ), 'default' => '', 'value' => '', 'width' => '40', @@ -165,6 +183,12 @@ $form["tabs"]['php_fpm'] = array( 'php_fpm_init_script' => array( 'datatype' => 'VARCHAR', 'formtype' => 'TEXT', + 'filters' => array( + 0 => array( 'event' => 'SAVE', + 'type' => 'STRIPTAGS'), + 1 => array( 'event' => 'SAVE', + 'type' => 'STRIPNL') + ), 'default' => '', 'value' => '', 'width' => '40', @@ -173,6 +197,12 @@ $form["tabs"]['php_fpm'] = array( 'php_fpm_ini_dir' => array( 'datatype' => 'VARCHAR', 'formtype' => 'TEXT', + 'filters' => array( + 0 => array( 'event' => 'SAVE', + 'type' => 'STRIPTAGS'), + 1 => array( 'event' => 'SAVE', + 'type' => 'STRIPNL') + ), 'default' => '', 'value' => '', 'width' => '40', @@ -181,6 +211,12 @@ $form["tabs"]['php_fpm'] = array( 'php_fpm_pool_dir' => array( 'datatype' => 'VARCHAR', 'formtype' => 'TEXT', + 'filters' => array( + 0 => array( 'event' => 'SAVE', + 'type' => 'STRIPTAGS'), + 1 => array( 'event' => 'SAVE', + 'type' => 'STRIPNL') + ), 'default' => '', 'value' => '', 'width' => '40', diff --git a/interface/web/admin/form/software_package.tform.php b/interface/web/admin/form/software_package.tform.php index 1db7056acc..b8368d5457 100644 --- a/interface/web/admin/form/software_package.tform.php +++ b/interface/web/admin/form/software_package.tform.php @@ -87,6 +87,12 @@ $form["tabs"]['software_package'] = array ( 'package_title' => array ( 'datatype' => 'VARCHAR', 'formtype' => 'TEXT', + 'filters' => array( + 0 => array( 'event' => 'SAVE', + 'type' => 'STRIPTAGS'), + 1 => array( 'event' => 'SAVE', + 'type' => 'STRIPNL') + ), 'validators' => '', 'default' => '', 'value' => '', 
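Review bot: `php_fpm_pool_dir`, `php_fpm_ini_dir`, `php_fpm_init_script` and the fastcgi paths in the preceding hunks are filesystem paths that the server side presumably writes into pool and vhost configuration, and STRIPTAGS/STRIPNL do nothing for that context — a path containing spaces, `;` or `..` passes unchanged. These are admin-only fields, so the exposure is limited, but a path-shaped `'regex'` (absolute, no whitespace) would catch typos and injection alike: `'regex' => '/^\/[^\s;|&]*$/', 'errmsg' => 'php_fpm_pool_dir_error_regex',`. The consuming server plugin is outside this diff, so the exact character set should be confirmed against it.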
@@ -99,6 +105,12 @@ $form["tabs"]['software_package'] = array ( 'package_key' => array ( 'datatype' => 'VARCHAR', 'formtype' => 'TEXT', + 'filters' => array( + 0 => array( 'event' => 'SAVE', + 'type' => 'STRIPTAGS'), + 1 => array( 'event' => 'SAVE', + 'type' => 'STRIPNL') + ), 'validators' => '', 'default' => '', 'value' => '', diff --git a/interface/web/admin/form/software_repo.tform.php b/interface/web/admin/form/software_repo.tform.php index 6d1c50f921..cbf68b3a35 100644 --- a/interface/web/admin/form/software_repo.tform.php +++ b/interface/web/admin/form/software_repo.tform.php @@ -92,6 +92,12 @@ $form["tabs"]['software_repo'] = array ( 1 => array ( 'type' => 'UNIQUE', 'errmsg'=> 'repo_name_unique'), ), + 'filters' => array( + 0 => array( 'event' => 'SAVE', + 'type' => 'STRIPTAGS'), + 1 => array( 'event' => 'SAVE', + 'type' => 'STRIPNL') + ), 'default' => '', 'value' => '', 'separator' => '', @@ -108,6 +114,12 @@ $form["tabs"]['software_repo'] = array ( 1 => array ( 'type' => 'UNIQUE', 'errmsg'=> 'repo_name_unique'), ), + 'filters' => array( + 0 => array( 'event' => 'SAVE', + 'type' => 'STRIPTAGS'), + 1 => array( 'event' => 'SAVE', + 'type' => 'STRIPNL') + ), 'default' => '', 'value' => '', 'separator' => '', @@ -119,6 +131,12 @@ $form["tabs"]['software_repo'] = array ( 'repo_username' => array ( 'datatype' => 'VARCHAR', 'formtype' => 'TEXT', + 'filters' => array( + 0 => array( 'event' => 'SAVE', + 'type' => 'STRIPTAGS'), + 1 => array( 'event' => 'SAVE', + 'type' => 'STRIPNL') + ), 'default' => '', 'value' => '', 'separator' => '', diff --git a/interface/web/admin/form/system_config.tform.php b/interface/web/admin/form/system_config.tform.php index 7261865796..681d166b34 100644 --- a/interface/web/admin/form/system_config.tform.php +++ b/interface/web/admin/form/system_config.tform.php 
@@ -282,7 +282,11 @@ $form["tabs"]['mail'] = array ( 1 => array( 'event' => 'SHOW', 'type' => 'IDNTOUTF8'), 2 => array( 'event' => 'SAVE', - 'type' => 'TOLOWER') + 'type' => 'TOLOWER'), + 3 => array( 'event' => 'SAVE', + 'type' => 'STRIPTAGS'), + 4 => array( 'event' => 'SAVE', + 'type' => 'STRIPNL') ), 'formtype' => 'TEXT', 'default' => '', @@ -293,6 +297,12 @@ $form["tabs"]['mail'] = array ( 'admin_name' => array ( 'datatype' => 'VARCHAR', 'formtype' => 'TEXT', + 'filters' => array( + 0 => array( 'event' => 'SAVE', + 'type' => 'STRIPTAGS'), + 1 => array( 'event' => 'SAVE', + 'type' => 'STRIPNL') + ), 'default' => '', 'value' => '', 'width' => '30', @@ -311,7 +321,11 @@ $form["tabs"]['mail'] = array ( 1 => array( 'event' => 'SHOW', 'type' => 'IDNTOUTF8'), 2 => array( 'event' => 'SAVE', - 'type' => 'TOLOWER') + 'type' => 'TOLOWER'), + 3 => array( 'event' => 'SAVE', + 'type' => 'STRIPTAGS'), + 4 => array( 'event' => 'SAVE', + 'type' => 'STRIPNL') ), 'formtype' => 'TEXT', 'default' => '', @@ -322,6 +336,12 @@ $form["tabs"]['mail'] = array ( 'smtp_port' => array ( 'datatype' => 'VARCHAR', 'formtype' => 'TEXT', + 'filters' => array( + 0 => array( 'event' => 'SAVE', + 'type' => 'STRIPTAGS'), + 1 => array( 'event' => 'SAVE', + 'type' => 'STRIPNL') + ), 'default' => '25', 'value' => '', 'width' => '30', @@ -330,6 +350,12 @@ $form["tabs"]['mail'] = array ( 'smtp_user' => array ( 'datatype' => 'VARCHAR', 'formtype' => 'TEXT', + 'filters' => array( + 0 => array( 'event' => 'SAVE', + 'type' => 'STRIPTAGS'), + 1 => array( 'event' => 'SAVE', + 'type' => 'STRIPNL') + ), 'default' => '', 'value' => '', 'width' => '30', @@ -419,6 +445,10 @@ $form["tabs"]['domains'] = array ( 'new_domain_html' => array ( 'datatype' => 'VARCHAR', 'formtype' => 'TEXT', + 'filters' => array( + 0 => array( 'event' => 'SAVE', + 'type' => 'STRIPTAGS') + ), 'default' => '', 'value' => '' ), 
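Review bot: `smtp_port` is given STRIPTAGS/STRIPNL where a numeric check is what the field actually needs; a non-numeric or out-of-range value still reaches the mailer code, which is outside this diff. Replace, or complement, the filters with `'regex' => '/^[0-9]{1,5}$/', 'errmsg' => 'smtp_port_error_regex',` using the field-level `regex` key that groups.tform.php already demonstrates.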
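Review bot: `new_domain_html` now gets a STRIPTAGS filter on SAVE, yet the field's name — and the fact that, unlike the other single-line fields in this patch, it gets no STRIPNL — suggests its content is meant to be rendered as HTML, in which case the filter removes the intended formatting rather than securing it (this is an admin-only setting, so the stored-XSS gain is small). If HTML is intended, either drop the filter and rely on the admin-only scope, or document the restriction next to it: `// plain text only since this commit; tags are stripped on save`. Confirm against the template that renders this setting.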
@@ -463,12 +493,24 @@ $form["tabs"]['misc'] = array ( 'company_name' => array ( 'datatype' => 'VARCHAR', 'formtype' => 'TEXT', + 'filters' => array( + 0 => array( 'event' => 'SAVE', + 'type' => 'STRIPTAGS'), + 1 => array( 'event' => 'SAVE', + 'type' => 'STRIPNL') + ), 'default' => '', 'value' => '' ), 'custom_login_text' => array ( 'datatype' => 'VARCHAR', 'formtype' => 'TEXT', + 'filters' => array( + 0 => array( 'event' => 'SAVE', + 'type' => 'STRIPTAGS'), + 1 => array( 'event' => 'SAVE', + 'type' => 'STRIPNL') + ), 'default' => '', 'value' => '' ), @@ -485,18 +527,36 @@ $form["tabs"]['misc'] = array ( 'dashboard_atom_url_admin' => array ( 'datatype' => 'VARCHAR', 'formtype' => 'TEXT', + 'filters' => array( + 0 => array( 'event' => 'SAVE', + 'type' => 'STRIPTAGS'), + 1 => array( 'event' => 'SAVE', + 'type' => 'STRIPNL') + ), 'default' => 'http://www.ispconfig.org/atom', 'value' => '' ), 'dashboard_atom_url_reseller' => array ( 'datatype' => 'VARCHAR', 'formtype' => 'TEXT', + 'filters' => array( + 0 => array( 'event' => 'SAVE', + 'type' => 'STRIPTAGS'), + 1 => array( 'event' => 'SAVE', + 'type' => 'STRIPNL') + ), 'default' => 'http://www.ispconfig.org/atom', 'value' => '' ), 'dashboard_atom_url_client' => array ( 'datatype' => 'VARCHAR', 'formtype' => 'TEXT', + 'filters' => array( + 0 => array( 'event' => 'SAVE', + 'type' => 'STRIPTAGS'), + 1 => array( 'event' => 'SAVE', + 'type' => 'STRIPNL') + ), 'default' => 'http://www.ispconfig.org/atom', 'value' => '' ), 
@@ -539,36 +599,72 @@ $form["tabs"]['misc'] = array ( 'admin_dashlets_left' => array ( 'datatype' => 'VARCHAR', 'formtype' => 'TEXT', + 'filters' => array( + 0 => array( 'event' => 'SAVE', + 'type' => 'STRIPTAGS'), + 1 => array( 'event' => 'SAVE', + 'type' => 'STRIPNL') + ), 'default' => '', 'value' => '' ), 'admin_dashlets_right' => array ( 'datatype' => 'VARCHAR', 'formtype' => 'TEXT', + 'filters' => array( + 0 => array( 'event' => 'SAVE', + 'type' => 'STRIPTAGS'), + 1 => array( 'event' => 'SAVE', + 'type' => 'STRIPNL') + ), 'default' => '', 'value' => '' ), 'reseller_dashlets_left' => array ( 'datatype' => 'VARCHAR', 'formtype' => 'TEXT', + 'filters' => array( + 0 => array( 'event' => 'SAVE', + 'type' => 'STRIPTAGS'), + 1 => array( 'event' => 'SAVE', + 'type' => 'STRIPNL') + ), 'default' => '', 'value' => '' ), 'reseller_dashlets_right' => array ( 'datatype' => 'VARCHAR', 'formtype' => 'TEXT', + 'filters' => array( + 0 => array( 'event' => 'SAVE', + 'type' => 'STRIPTAGS'), + 1 => array( 'event' => 'SAVE', + 'type' => 'STRIPNL') + ), 'default' => '', 'value' => '' ), 'client_dashlets_left' => array ( 'datatype' => 'VARCHAR', 'formtype' => 'TEXT', + 'filters' => array( + 0 => array( 'event' => 'SAVE', + 'type' => 'STRIPTAGS'), + 1 => array( 'event' => 'SAVE', + 'type' => 'STRIPNL') + ), 'default' => '', 'value' => '' ), 'client_dashlets_right' => array ( 'datatype' => 'VARCHAR', 'formtype' => 'TEXT', + 'filters' => array( + 0 => array( 'event' => 'SAVE', + 'type' => 'STRIPTAGS'), + 1 => array( 'event' => 'SAVE', + 'type' => 'STRIPNL') + ), 'default' => '', 'value' => '' ), diff --git a/interface/web/admin/form/tpl_default.tform.php b/interface/web/admin/form/tpl_default.tform.php index df52bbec5f..baa84d7b30 100644 --- a/interface/web/admin/form/tpl_default.tform.php +++ b/interface/web/admin/form/tpl_default.tform.php 
@@ -87,6 +87,12 @@ $form["tabs"]['basic'] = array (
 'username' => array (
 'datatype' => 'VARCHAR',
 'formtype' => 'TEXT',
+ 'filters' => array(
+ 0 => array( 'event' => 'SAVE',
+ 'type' => 'STRIPTAGS'),
+ 1 => array( 'event' => 'SAVE',
+ 'type' => 'STRIPNL')
+ ),
 'validators' => '',
 'default' => 'global',
 'value' => 'global',
@@ -97,6 +103,12 @@ $form["tabs"]['basic'] = array (
 'logo_url' => array (
 'datatype' => 'VARCHAR',
 'formtype' => 'TEXT',
+ 'filters' => array(
+ 0 => array( 'event' => 'SAVE',
+ 'type' => 'STRIPTAGS'),
+ 1 => array( 'event' => 'SAVE',
+ 'type' => 'STRIPNL')
+ ),
 'validators' => '',
 'default' => '',
 'value' => '',
diff --git a/interface/web/client/client_edit.php b/interface/web/client/client_edit.php
index 10e3f3cadd..8577a1b32d 100644
--- a/interface/web/client/client_edit.php
+++ b/interface/web/client/client_edit.php
@@ -133,6 +133,7 @@ class page_action extends tform_actions {
 $tpls = $app->db->queryAllRecords($sql);
 $option = '';
 $tpl = array();
+ $tpls = $app->functions->htmlentities($tpls);
 foreach($tpls as $item){
 $option .= '';
 $tpl[$item['template_id']] = $item['template_name'];
@@ -154,7 +155,7 @@ class page_action extends tform_actions {
 $tmp->id = $item['assigned_template_id'];
 $tmp->data = '';
 $app->plugin->raiseEvent('get_client_template_details', $tmp);
- if($tmp->data != '') $text .= '
' . $tmp->data . '';
+ if($tmp->data != '') $text .= '
' . $app->functions->htmlentities($tmp->data) . '';
 $text .= '';
 $items[] = $item['assigned_template_id'] . ':' . $item['client_template_id'];
@@ -219,6 +220,7 @@ class page_action extends tform_actions {
 // Fill the client select field
 $sql = "SELECT client.client_id, sys_group.groupid, sys_group.name, CONCAT(IF(client.company_name != '', CONCAT(client.company_name, ' :: '), ''), client.contact_name, ' (', client.username, IF(client.customer_no != '', CONCAT(', ', client.customer_no), ''), ')') as contactname FROM sys_group, client WHERE sys_group.client_id = client.client_id AND sys_group.client_id > 0 AND client.limit_client != 0 ORDER BY client.company_name, client.contact_name, sys_group.name";
 $clients = $app->db->queryAllRecords($sql);
+ $clients = $app->functions->htmlentities($clients);
 $client_select = "";
 //$tmp_data_record = $app->tform->getDataRecord($this->id);
 if(is_array($clients)) {
diff --git a/interface/web/client/domain_edit.php b/interface/web/client/domain_edit.php
index 67be43e04c..8867e29578 100644
--- a/interface/web/client/domain_edit.php
+++ b/interface/web/client/domain_edit.php
@@ -83,6 +83,7 @@ class page_action extends tform_actions {
 //$sql = "SELECT groupid, name FROM sys_group WHERE client_id > 0 ORDER BY name";
 $sql = "SELECT sys_group.groupid, sys_group.name, CONCAT(IF(client.company_name != '', CONCAT(client.company_name, ' :: '), ''), client.contact_name, ' (', client.username, IF(client.customer_no != '', CONCAT(', ', client.customer_no), ''), ')') as contactname FROM sys_group, client WHERE sys_group.client_id = client.client_id AND sys_group.client_id > 0 ORDER BY client.company_name, client.contact_name, sys_group.name";
 $clients = $app->db->queryAllRecords($sql);
+ $clients = $app->functions->htmlentities($clients);
 $client_select = '';
 if($_SESSION["s"]["user"]["typ"] == 'admin') $client_select .= "";
 if($this->id > 0) $tmp_data_record = $app->tform->getDataRecord($this->id); else $tmp_data_record = $this->dataRecord;
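Review bot: In the `@@ -154` hunk the plugin-supplied `$tmp->data` from `get_client_template_details` is now HTML-encoded while the surrounding literal markup is kept; that is correct only if every handler of that event returns plain text — a handler that returns markup will from now on have it displayed literally. The handlers are outside this diff, so this should be confirmed and the contract recorded on the line: `// event handlers must return plain text; it is HTML-encoded here`. The enclosing method of `page_action` starts and ends outside the hunk.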
@@ -98,11 +99,13 @@ class page_action extends tform_actions {
 // Get the limits of the client
 $client_group_id = $app->functions->intval($_SESSION["s"]["user"]["default_group"]);
 $client = $app->db->queryOneRecord("SELECT client.client_id, client.contact_name, CONCAT(IF(client.company_name != '', CONCAT(client.company_name, ' :: '), ''), client.contact_name, ' (', client.username, IF(client.customer_no != '', CONCAT(', ', client.customer_no), ''), ')') as contactname, sys_group.name FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = ?", $client_group_id);
-
+ $client = $app->functions->htmlentities($client);
+
 // Fill the client select field
 $sql = "SELECT sys_group.groupid, sys_group.name, CONCAT(IF(client.company_name != '', CONCAT(client.company_name, ' :: '), ''), client.contact_name, ' (', client.username, IF(client.customer_no != '', CONCAT(', ', client.customer_no), ''), ')') as contactname FROM sys_group, client WHERE sys_group.client_id = client.client_id AND client.parent_client_id = ? ORDER BY client.company_name, client.contact_name, sys_group.name";
 //die($sql);
 $records = $app->db->queryAllRecords($sql, $client['client_id']);
+ $records = $app->functions->htmlentities($records);
 $tmp = $app->db->queryOneRecord("SELECT groupid FROM sys_group WHERE client_id = ?", $client['client_id']);
 $client_select = '';
 //$tmp_data_record = $app->tform->getDataRecord($this->id);
diff --git a/interface/web/client/form/client.tform.php b/interface/web/client/form/client.tform.php
index 3a8d4f2fcc..151c5dc959 100644
--- a/interface/web/client/form/client.tform.php
+++ b/interface/web/client/form/client.tform.php
@@ -91,6 +91,12 @@ $form["tabs"]['address'] = array (
 'company_name' => array (
 'datatype' => 'VARCHAR',
 'formtype' => 'TEXT',
+ 'filters' => array(
+ 0 => array( 'event' => 'SAVE',
+ 'type' => 'STRIPTAGS'),
+ 1 => array( 'event' => 'SAVE',
+ 'type' => 'STRIPNL')
+ ),
 'default' => '',
 'value' => '',
 'separator' => '',
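Review bot: `$client` is HTML-encoded before `$client['client_id']` is bound into the two queries that follow; that works today only because `client_id` is numeric and unaffected by `htmlentities()`, and it couples display encoding to database lookups. Encode after the lookups instead — move `$client = $app->functions->htmlentities($client);` to just below the `$tmp = $app->db->queryOneRecord(...)` line — or keep an unencoded copy with `$client_raw = $client;` and pass `$client_raw['client_id']` to both queries. The enclosing method starts and ends outside the hunk.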
@@ -119,6 +125,10 @@ $form["tabs"]['address'] = array ( 'searchable' => 1, 'filters' => array( 0 => array( 'event' => 'SAVE', 'type' => 'TRIM'), + 1 => array( 'event' => 'SAVE', + 'type' => 'STRIPTAGS'), + 2 => array( 'event' => 'SAVE', + 'type' => 'STRIPNL') ), ), 'contact_name' => array ( @@ -137,6 +147,10 @@ $form["tabs"]['address'] = array ( 'searchable' => 1, 'filters' => array( 0 => array( 'event' => 'SAVE', 'type' => 'TRIM'), + 1 => array( 'event' => 'SAVE', + 'type' => 'STRIPTAGS'), + 2 => array( 'event' => 'SAVE', + 'type' => 'STRIPNL') ), ), 'customer_no' => array ( @@ -146,6 +160,12 @@ $form["tabs"]['address'] = array ( 'errmsg'=> 'customer_no_error_unique', 'allowempty' => 'y'), ), + 'filters' => array( + 0 => array( 'event' => 'SAVE', + 'type' => 'STRIPTAGS'), + 1 => array( 'event' => 'SAVE', + 'type' => 'STRIPNL') + ), 'default' => '', 'value' => '', 'separator' => '', @@ -226,6 +246,12 @@ $form["tabs"]['address'] = array ( 'street' => array ( 'datatype' => 'VARCHAR', 'formtype' => 'TEXT', + 'filters' => array( + 0 => array( 'event' => 'SAVE', + 'type' => 'STRIPTAGS'), + 1 => array( 'event' => 'SAVE', + 'type' => 'STRIPNL') + ), 'default' => '', 'value' => '', 'separator' => '', @@ -238,6 +264,12 @@ $form["tabs"]['address'] = array ( 'zip' => array ( 'datatype' => 'VARCHAR', 'formtype' => 'TEXT', + 'filters' => array( + 0 => array( 'event' => 'SAVE', + 'type' => 'STRIPTAGS'), + 1 => array( 'event' => 'SAVE', + 'type' => 'STRIPNL') + ), 'default' => '', 'value' => '', 'separator' => '', @@ -250,6 +282,12 @@ $form["tabs"]['address'] = array ( 'city' => array ( 'datatype' => 'VARCHAR', 'formtype' => 'TEXT', + 'filters' => array( + 0 => array( 'event' => 'SAVE', + 'type' => 'STRIPTAGS'), + 1 => array( 'event' => 'SAVE', + 'type' => 'STRIPNL') + ), 'default' => '', 'value' => '', 'separator' => '', 
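Review bot: In the two hunks that extend an existing filter list (the field whose list closes just before `'contact_name'`, and `contact_name` itself) the new STRIPTAGS and STRIPNL entries are appended after TRIM, so whitespace that stripping leaves behind is never trimmed: `John <b>` becomes `John ` with a trailing space, and a value consisting only of a tag and spaces becomes a string of spaces rather than the empty string a NOTEMPTY validator, if one is configured for the field, would reject. Reorder so TRIM runs last, i.e. `0 => STRIPTAGS, 1 => STRIPNL, 2 => TRIM`, assuming filters are applied in index order as their numbering suggests.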
@@ -262,6 +300,12 @@ $form["tabs"]['address'] = array ( 'state' => array ( 'datatype' => 'VARCHAR', 'formtype' => 'TEXT', + 'filters' => array( + 0 => array( 'event' => 'SAVE', + 'type' => 'STRIPTAGS'), + 1 => array( 'event' => 'SAVE', + 'type' => 'STRIPNL') + ), 'default' => '', 'value' => '', 'separator' => '', @@ -285,6 +329,12 @@ $form["tabs"]['address'] = array ( 'telephone' => array ( 'datatype' => 'VARCHAR', 'formtype' => 'TEXT', + 'filters' => array( + 0 => array( 'event' => 'SAVE', + 'type' => 'STRIPTAGS'), + 1 => array( 'event' => 'SAVE', + 'type' => 'STRIPNL') + ), 'default' => '', 'value' => '', 'separator' => '', @@ -297,6 +347,12 @@ $form["tabs"]['address'] = array ( 'mobile' => array ( 'datatype' => 'VARCHAR', 'formtype' => 'TEXT', + 'filters' => array( + 0 => array( 'event' => 'SAVE', + 'type' => 'STRIPTAGS'), + 1 => array( 'event' => 'SAVE', + 'type' => 'STRIPNL') + ), 'default' => '', 'value' => '', 'separator' => '', @@ -309,6 +365,12 @@ $form["tabs"]['address'] = array ( 'fax' => array ( 'datatype' => 'VARCHAR', 'formtype' => 'TEXT', + 'filters' => array( + 0 => array( 'event' => 'SAVE', + 'type' => 'STRIPTAGS'), + 1 => array( 'event' => 'SAVE', + 'type' => 'STRIPNL') + ), 'default' => '', 'value' => '', 'separator' => '', @@ -345,6 +407,12 @@ $form["tabs"]['address'] = array ( 'internet' => array ( 'datatype' => 'VARCHAR', 'formtype' => 'TEXT', + 'filters' => array( + 0 => array( 'event' => 'SAVE', + 'type' => 'STRIPTAGS'), + 1 => array( 'event' => 'SAVE', + 'type' => 'STRIPNL') + ), 'default' => 'http://', 'value' => '', 'separator' => '', @@ -357,6 +425,12 @@ $form["tabs"]['address'] = array ( 'icq' => array ( 'datatype' => 'VARCHAR', 'formtype' => 'TEXT', + 'filters' => array( + 0 => array( 'event' => 'SAVE', + 'type' => 'STRIPTAGS'), + 1 => array( 'event' => 'SAVE', + 'type' => 'STRIPNL') + ), 'default' => '', 'value' => '', 'separator' => '', 
@@ -385,12 +459,22 @@ $form["tabs"]['address'] = array ( 1 => array( 'event' => 'SAVE', 'type' => 'TOUPPER'), 2 => array( 'event' => 'SAVE', - 'type' => 'NOWHITESPACE') + 'type' => 'NOWHITESPACE'), + 3 => array( 'event' => 'SAVE', + 'type' => 'STRIPTAGS'), + 4 => array( 'event' => 'SAVE', + 'type' => 'STRIPNL') ), ), 'company_id' => array ( 'datatype' => 'VARCHAR', 'formtype' => 'TEXT', + 'filters' => array( + 0 => array( 'event' => 'SAVE', + 'type' => 'STRIPTAGS'), + 1 => array( 'event' => 'SAVE', + 'type' => 'STRIPNL') + ), 'default' => '', 'value' => '', 'separator' => '', @@ -402,6 +486,12 @@ $form["tabs"]['address'] = array ( 'bank_account_owner' => array ( 'datatype' => 'VARCHAR', 'formtype' => 'TEXT', + 'filters' => array( + 0 => array( 'event' => 'SAVE', + 'type' => 'STRIPTAGS'), + 1 => array( 'event' => 'SAVE', + 'type' => 'STRIPNL') + ), 'default' => '', 'value' => '', 'separator' => '', @@ -413,6 +503,12 @@ $form["tabs"]['address'] = array ( 'bank_account_number' => array ( 'datatype' => 'VARCHAR', 'formtype' => 'TEXT', + 'filters' => array( + 0 => array( 'event' => 'SAVE', + 'type' => 'STRIPTAGS'), + 1 => array( 'event' => 'SAVE', + 'type' => 'STRIPNL') + ), 'default' => '', 'value' => '', 'separator' => '', @@ -424,6 +520,12 @@ $form["tabs"]['address'] = array ( 'bank_code' => array ( 'datatype' => 'VARCHAR', 'formtype' => 'TEXT', + 'filters' => array( + 0 => array( 'event' => 'SAVE', + 'type' => 'STRIPTAGS'), + 1 => array( 'event' => 'SAVE', + 'type' => 'STRIPNL') + ), 'default' => '', 'value' => '', 'separator' => '', @@ -435,6 +537,12 @@ $form["tabs"]['address'] = array ( 'bank_name' => array ( 'datatype' => 'VARCHAR', 'formtype' => 'TEXT', + 'filters' => array( + 0 => array( 'event' => 'SAVE', + 'type' => 'STRIPTAGS'), + 1 => array( 'event' => 'SAVE', + 'type' => 'STRIPNL') + ), 'default' => '', 'value' => '', 'separator' => '', 
@@ -458,7 +566,11 @@ $form["tabs"]['address'] = array ( 1 => array( 'event' => 'SAVE', 'type' => 'TOUPPER'), 2 => array( 'event' => 'SAVE', - 'type' => 'NOWHITESPACE') + 'type' => 'NOWHITESPACE'), + 3 => array( 'event' => 'SAVE', + 'type' => 'STRIPTAGS'), + 4 => array( 'event' => 'SAVE', + 'type' => 'STRIPNL') ), ), 'bank_account_swift' => array ( @@ -476,12 +588,20 @@ $form["tabs"]['address'] = array ( 1 => array( 'event' => 'SAVE', 'type' => 'TOUPPER'), 2 => array( 'event' => 'SAVE', - 'type' => 'NOWHITESPACE') + 'type' => 'NOWHITESPACE'), + 3 => array( 'event' => 'SAVE', + 'type' => 'STRIPTAGS'), + 4 => array( 'event' => 'SAVE', + 'type' => 'STRIPNL') ), ), 'notes' => array ( 'datatype' => 'TEXT', 'formtype' => 'TEXTAREA', + 'filters' => array( + 0 => array( 'event' => 'SAVE', + 'type' => 'STRIPTAGS') + ), 'default' => '', 'value' => '', 'separator' => '', @@ -538,6 +658,12 @@ $form["tabs"]['address'] = array ( 'added_by' => array ( 'datatype' => 'VARCHAR', 'formtype' => 'TEXT', + 'filters' => array( + 0 => array( 'event' => 'SAVE', + 'type' => 'STRIPTAGS'), + 1 => array( 'event' => 'SAVE', + 'type' => 'STRIPNL') + ), 'default' => $_SESSION['s']['user']['username'], 'value' => '', 'separator' => '', diff --git a/interface/web/client/form/client_circle.tform.php b/interface/web/client/form/client_circle.tform.php index 91b96b3549..64eee542d7 100644 --- a/interface/web/client/form/client_circle.tform.php +++ b/interface/web/client/form/client_circle.tform.php @@ -91,6 +91,12 @@ $form["tabs"]['circle'] = array ( 'circle_name' => array ( 'datatype' => 'VARCHAR', 'formtype' => 'TEXT', + 'filters' => array( + 0 => array( 'event' => 'SAVE', + 'type' => 'STRIPTAGS'), + 1 => array( 'event' => 'SAVE', + 'type' => 'STRIPNL') + ), 'default' => '', 'value' => '', 'separator' => '', 
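Review bot: `notes` is a free-text TEXTAREA and `STRIPTAGS` is lossy on legitimate plain text: a note such as `contact via <name@example.com>` or `quota < 1GB` is silently truncated at save time, while strip_tags() is not an output-encoding function (quotes and `&` survive). The XSS fix belongs at render time — the same `$app->functions->htmlentities()` wrapper this commit applies in `reseller_edit.php` — with the filter, if kept, documented as intentionally destructive: `// STRIPTAGS deliberately discards '<...>' sequences; output must still be HTML-escaped`. The same consideration applies to the `added_by` hunk, whose default is taken from `$_SESSION['s']['user']['username']`.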
@@ -115,6 +121,10 @@ $form["tabs"]['circle'] = array ( 'description' => array ( 'datatype' => 'TEXT', 'formtype' => 'TEXTAREA', + 'filters' => array( + 0 => array( 'event' => 'SAVE', + 'type' => 'STRIPTAGS') + ), 'default' => '', 'value' => '', 'separator' => '', diff --git a/interface/web/client/form/client_template.tform.php b/interface/web/client/form/client_template.tform.php index 13e8cfbcce..5d9f81de0b 100644 --- a/interface/web/client/form/client_template.tform.php +++ b/interface/web/client/form/client_template.tform.php @@ -82,6 +82,12 @@ $form["tabs"]['template'] = array ( 'validators' => array ( 0 => array ( 'type' => 'NOTEMPTY', 'errmsg'=> 'error_template_name_empty'), ), + 'filters' => array( + 0 => array( 'event' => 'SAVE', + 'type' => 'STRIPTAGS'), + 1 => array( 'event' => 'SAVE', + 'type' => 'STRIPNL') + ), 'default' => '', 'value' => '', 'width' => '30', diff --git a/interface/web/client/form/message_template.tform.php b/interface/web/client/form/message_template.tform.php index 14dfea1cd0..ab2d191340 100644 --- a/interface/web/client/form/message_template.tform.php +++ b/interface/web/client/form/message_template.tform.php @@ -67,6 +67,12 @@ $form["tabs"]['template'] = array ( 'template_name' => array ( 'datatype' => 'VARCHAR', 'formtype' => 'TEXT', + 'filters' => array( + 0 => array( 'event' => 'SAVE', + 'type' => 'STRIPTAGS'), + 1 => array( 'event' => 'SAVE', + 'type' => 'STRIPNL') + ), 'default' => '', 'value' => '', 'separator' => '', @@ -81,6 +87,12 @@ $form["tabs"]['template'] = array ( 'validators' => array ( 0 => array ( 'type' => 'NOTEMPTY', 'errmsg'=> 'subject_error_empty'), ), + 'filters' => array( + 0 => array( 'event' => 'SAVE', + 'type' => 'STRIPTAGS'), + 1 => array( 'event' => 'SAVE', + 'type' => 'STRIPNL') + ), 'default' => '', 'value' => '', 'separator' => '', diff --git a/interface/web/client/form/reseller.tform.php b/interface/web/client/form/reseller.tform.php index 903c8d8c0c..706219f76a 100644 
--- a/interface/web/client/form/reseller.tform.php +++ b/interface/web/client/form/reseller.tform.php @@ -91,6 +91,12 @@ $form["tabs"]['address'] = array ( 'company_name' => array ( 'datatype' => 'VARCHAR', 'formtype' => 'TEXT', + 'filters' => array( + 0 => array( 'event' => 'SAVE', + 'type' => 'STRIPTAGS'), + 1 => array( 'event' => 'SAVE', + 'type' => 'STRIPNL') + ), 'default' => '', 'value' => '', 'separator' => '', @@ -119,6 +125,10 @@ $form["tabs"]['address'] = array ( 'searchable' => 1, 'filters' => array( 0 => array( 'event' => 'SAVE', 'type' => 'TRIM'), + 1 => array( 'event' => 'SAVE', + 'type' => 'STRIPTAGS'), + 2 => array( 'event' => 'SAVE', + 'type' => 'STRIPNL') ), ), 'contact_name' => array ( @@ -137,6 +147,10 @@ $form["tabs"]['address'] = array ( 'searchable' => 1, 'filters' => array( 0 => array( 'event' => 'SAVE', 'type' => 'TRIM'), + 1 => array( 'event' => 'SAVE', + 'type' => 'STRIPTAGS'), + 2 => array( 'event' => 'SAVE', + 'type' => 'STRIPNL') ), ), 'customer_no' => array ( @@ -146,6 +160,12 @@ $form["tabs"]['address'] = array ( 'errmsg'=> 'customer_no_error_unique', 'allowempty' => 'y'), ), + 'filters' => array( + 0 => array( 'event' => 'SAVE', + 'type' => 'STRIPTAGS'), + 1 => array( 'event' => 'SAVE', + 'type' => 'STRIPNL') + ), 'default' => '', 'value' => '', 'separator' => '', @@ -226,6 +246,12 @@ $form["tabs"]['address'] = array ( 'street' => array ( 'datatype' => 'VARCHAR', 'formtype' => 'TEXT', + 'filters' => array( + 0 => array( 'event' => 'SAVE', + 'type' => 'STRIPTAGS'), + 1 => array( 'event' => 'SAVE', + 'type' => 'STRIPNL') + ), 'default' => '', 'value' => '', 'separator' => '', @@ -238,6 +264,12 @@ $form["tabs"]['address'] = array ( 'zip' => array ( 'datatype' => 'VARCHAR', 'formtype' => 'TEXT', + 'filters' => array( + 0 => array( 'event' => 'SAVE', + 'type' => 'STRIPTAGS'), + 1 => array( 'event' => 'SAVE', + 'type' => 'STRIPNL') + ), 'default' => '', 'value' => '', 'separator' => '', 
@@ -250,6 +282,12 @@ $form["tabs"]['address'] = array ( 'city' => array ( 'datatype' => 'VARCHAR', 'formtype' => 'TEXT', + 'filters' => array( + 0 => array( 'event' => 'SAVE', + 'type' => 'STRIPTAGS'), + 1 => array( 'event' => 'SAVE', + 'type' => 'STRIPNL') + ), 'default' => '', 'value' => '', 'separator' => '', @@ -262,6 +300,12 @@ $form["tabs"]['address'] = array ( 'state' => array ( 'datatype' => 'VARCHAR', 'formtype' => 'TEXT', + 'filters' => array( + 0 => array( 'event' => 'SAVE', + 'type' => 'STRIPTAGS'), + 1 => array( 'event' => 'SAVE', + 'type' => 'STRIPNL') + ), 'default' => '', 'value' => '', 'separator' => '', @@ -286,6 +330,12 @@ $form["tabs"]['address'] = array ( 'telephone' => array ( 'datatype' => 'VARCHAR', 'formtype' => 'TEXT', + 'filters' => array( + 0 => array( 'event' => 'SAVE', + 'type' => 'STRIPTAGS'), + 1 => array( 'event' => 'SAVE', + 'type' => 'STRIPNL') + ), 'default' => '', 'value' => '', 'separator' => '', @@ -298,6 +348,12 @@ $form["tabs"]['address'] = array ( 'mobile' => array ( 'datatype' => 'VARCHAR', 'formtype' => 'TEXT', + 'filters' => array( + 0 => array( 'event' => 'SAVE', + 'type' => 'STRIPTAGS'), + 1 => array( 'event' => 'SAVE', + 'type' => 'STRIPNL') + ), 'default' => '', 'value' => '', 'separator' => '', @@ -310,6 +366,12 @@ $form["tabs"]['address'] = array ( 'fax' => array ( 'datatype' => 'VARCHAR', 'formtype' => 'TEXT', + 'filters' => array( + 0 => array( 'event' => 'SAVE', + 'type' => 'STRIPTAGS'), + 1 => array( 'event' => 'SAVE', + 'type' => 'STRIPNL') + ), 'default' => '', 'value' => '', 'separator' => '', @@ -343,6 +405,12 @@ $form["tabs"]['address'] = array ( 'internet' => array ( 'datatype' => 'VARCHAR', 'formtype' => 'TEXT', + 'filters' => array( + 0 => array( 'event' => 'SAVE', + 'type' => 'STRIPTAGS'), + 1 => array( 'event' => 'SAVE', + 'type' => 'STRIPNL') + ), 'default' => 'http://', 'value' => '', 'separator' => '', 
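Review bot: The reseller `internet` hunk mirrors the client form: STRIPTAGS/STRIPNL leave `javascript:` URLs and quote characters intact, so the value is only safe where the template escapes it for the attribute context. A scheme-restricting URL validator would make the intent explicit; the filters alone do not establish that the stored value is a URL. Whether the value is rendered as a link is an assumption from the field name, not visible here.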
@@ -355,6 +423,12 @@ $form["tabs"]['address'] = array ( 'icq' => array ( 'datatype' => 'VARCHAR', 'formtype' => 'TEXT', + 'filters' => array( + 0 => array( 'event' => 'SAVE', + 'type' => 'STRIPTAGS'), + 1 => array( 'event' => 'SAVE', + 'type' => 'STRIPNL') + ), 'default' => '', 'value' => '', 'separator' => '', @@ -383,12 +457,22 @@ $form["tabs"]['address'] = array ( 1 => array( 'event' => 'SAVE', 'type' => 'TOUPPER'), 2 => array( 'event' => 'SAVE', - 'type' => 'NOWHITESPACE') + 'type' => 'NOWHITESPACE'), + 3 => array( 'event' => 'SAVE', + 'type' => 'STRIPTAGS'), + 4 => array( 'event' => 'SAVE', + 'type' => 'STRIPNL') ), ), 'company_id' => array ( 'datatype' => 'VARCHAR', 'formtype' => 'TEXT', + 'filters' => array( + 0 => array( 'event' => 'SAVE', + 'type' => 'STRIPTAGS'), + 1 => array( 'event' => 'SAVE', + 'type' => 'STRIPNL') + ), 'default' => '', 'value' => '', 'separator' => '', @@ -400,6 +484,12 @@ $form["tabs"]['address'] = array ( 'bank_account_owner' => array ( 'datatype' => 'VARCHAR', 'formtype' => 'TEXT', + 'filters' => array( + 0 => array( 'event' => 'SAVE', + 'type' => 'STRIPTAGS'), + 1 => array( 'event' => 'SAVE', + 'type' => 'STRIPNL') + ), 'default' => '', 'value' => '', 'separator' => '', @@ -411,6 +501,12 @@ $form["tabs"]['address'] = array ( 'bank_account_number' => array ( 'datatype' => 'VARCHAR', 'formtype' => 'TEXT', + 'filters' => array( + 0 => array( 'event' => 'SAVE', + 'type' => 'STRIPTAGS'), + 1 => array( 'event' => 'SAVE', + 'type' => 'STRIPNL') + ), 'default' => '', 'value' => '', 'separator' => '', @@ -422,6 +518,12 @@ $form["tabs"]['address'] = array ( 'bank_code' => array ( 'datatype' => 'VARCHAR', 'formtype' => 'TEXT', + 'filters' => array( + 0 => array( 'event' => 'SAVE', + 'type' => 'STRIPTAGS'), + 1 => array( 'event' => 'SAVE', + 'type' => 'STRIPNL') + ), 'default' => '', 'value' => '', 'separator' => '', 
@@ -433,6 +535,12 @@ $form["tabs"]['address'] = array ( 'bank_name' => array ( 'datatype' => 'VARCHAR', 'formtype' => 'TEXT', + 'filters' => array( + 0 => array( 'event' => 'SAVE', + 'type' => 'STRIPTAGS'), + 1 => array( 'event' => 'SAVE', + 'type' => 'STRIPNL') + ), 'default' => '', 'value' => '', 'separator' => '', @@ -456,7 +564,11 @@ $form["tabs"]['address'] = array ( 1 => array( 'event' => 'SAVE', 'type' => 'TOUPPER'), 2 => array( 'event' => 'SAVE', - 'type' => 'NOWHITESPACE') + 'type' => 'NOWHITESPACE'), + 3 => array( 'event' => 'SAVE', + 'type' => 'STRIPTAGS'), + 4 => array( 'event' => 'SAVE', + 'type' => 'STRIPNL') ), ), 'bank_account_swift' => array ( @@ -474,12 +586,20 @@ $form["tabs"]['address'] = array ( 1 => array( 'event' => 'SAVE', 'type' => 'TOUPPER'), 2 => array( 'event' => 'SAVE', - 'type' => 'NOWHITESPACE') + 'type' => 'NOWHITESPACE'), + 3 => array( 'event' => 'SAVE', + 'type' => 'STRIPTAGS'), + 4 => array( 'event' => 'SAVE', + 'type' => 'STRIPNL') ), ), 'notes' => array ( 'datatype' => 'TEXT', 'formtype' => 'TEXTAREA', + 'filters' => array( + 0 => array( 'event' => 'SAVE', + 'type' => 'STRIPTAGS') + ), 'default' => '', 'value' => '', 'separator' => '', @@ -536,6 +656,12 @@ $form["tabs"]['address'] = array ( 'added_by' => array ( 'datatype' => 'VARCHAR', 'formtype' => 'TEXT', + 'filters' => array( + 0 => array( 'event' => 'SAVE', + 'type' => 'STRIPTAGS'), + 1 => array( 'event' => 'SAVE', + 'type' => 'STRIPNL') + ), 'default' => $_SESSION['s']['user']['username'], 'value' => '', 'separator' => '', diff --git a/interface/web/client/reseller_edit.php b/interface/web/client/reseller_edit.php index 8ab091ef4d..7a84be5253 100644 --- a/interface/web/client/reseller_edit.php +++ b/interface/web/client/reseller_edit.php 
@@ -127,6 +127,7 @@ class page_action extends tform_actions { $tpls = $app->db->queryAllRecords($sql); $option = ''; $tpl = array(); + $tpls = $app->functions->htmlentities($tpls); foreach($tpls as $item){ $option .= ''; $tpl[$item['template_id']] = $item['template_name']; @@ -148,7 +149,7 @@ class page_action extends tform_actions { $tmp->id = $item['assigned_template_id']; $tmp->data = ''; $app->plugin->raiseEvent('get_client_template_details', $tmp); - if($tmp->data != '') $text .= '
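Review bot: `$tpls = $app->functions->htmlentities($tpls);` encodes every column of every record, including `template_id`, before the loop decides where each value goes; the encoded id then becomes the key of `$tpl[...]` and part of the option markup appended to `$option` (the markup is stripped in this rendering). That is harmless while ids are integers, but it ties HTML-encoding to the fetch instead of to the output context, and it will double-encode if the template engine escapes `$option` again. Encoding only the string that reaches HTML, `$app->functions->htmlentities($item['template_name'])` at the point of concatenation, keeps the raw record usable for the `$tpl` lookup. How `$tpl` is consumed further down is not visible, so the double-encoding risk is inferred.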
' . $tmp->data . ''; + if($tmp->data != '') $text .= '
' . $app->functions->htmlentities($tmp->data) . '';
 $text .= '';
 $items[] = $item['assigned_template_id'] . ':' . $item['client_template_id'];
diff --git a/interface/web/dns/dns_import.php b/interface/web/dns/dns_import.php
index 814db71db8..fb66b7b176 100644
--- a/interface/web/dns/dns_import.php
+++ b/interface/web/dns/dns_import.php
@@ -102,6 +102,7 @@ if($_SESSION['s']['user']['typ'] == 'admin') {
 // load the list of clients
 $sql = "SELECT sys_group.groupid, sys_group.name, CONCAT(IF(client.company_name != '', CONCAT(client.company_name, ' :: '), ''), client.contact_name, ' (', client.username, IF(client.customer_no != '', CONCAT(', ', client.customer_no), ''), ')') as contactname FROM sys_group, client WHERE sys_group.client_id = client.client_id AND sys_group.client_id > 0 ORDER BY client.company_name, client.contact_name, sys_group.name";
 $clients = $app->db->queryAllRecords($sql);
+ $clients = $app->functions->htmlentities($clients);
 $client_select = '';
 if($_SESSION["s"]["user"]["typ"] == 'admin') $client_select .= "";
 if(is_array($clients)) {
@@ -119,11 +120,12 @@ if ($_SESSION["s"]["user"]["typ"] != 'admin' && $app->auth->has_clients($_SESSIO // Get the limits of the client $client_group_id = intval($_SESSION["s"]["user"]["default_group"]); $client = $app->db->queryOneRecord("SELECT client.client_id, client.contact_name, CONCAT(IF(client.company_name != '', CONCAT(client.company_name, ' :: '), ''), client.contact_name, ' (', client.username, IF(client.customer_no != '', CONCAT(', ', client.customer_no), ''), ')') as contactname, sys_group.name FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = ?", $client_group_id); - + $client = $app->functions->htmlentities($client); // load the list of clients $sql = "SELECT sys_group.groupid, sys_group.name, CONCAT(IF(client.company_name != '', CONCAT(client.company_name, ' :: '), ''), client.contact_name, ' (', client.username, IF(client.customer_no != '', CONCAT(', ', client.customer_no), ''), ')') as contactname FROM sys_group, client WHERE sys_group.client_id = client.client_id AND client.parent_client_id = ? ORDER BY client.company_name, client.contact_name, sys_group.name"; $clients = $app->db->queryAllRecords($sql, $client['client_id']); + $clients = $app->functions->htmlentities($clients); $tmp = $app->db->queryOneRecord("SELECT groupid FROM sys_group WHERE client_id = ?", $client['client_id']); $client_select = ''; if(is_array($clients)) { diff --git a/interface/web/dns/dns_slave_edit.php b/interface/web/dns/dns_slave_edit.php index 44103608eb..4d588ef8e0 100644 --- a/interface/web/dns/dns_slave_edit.php +++ b/interface/web/dns/dns_slave_edit.php 
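Review bot: `$client = $app->functions->htmlentities($client);` is placed before `$client['client_id']` is passed as the bound parameter of the two following queries (`queryAllRecords($sql, $client['client_id'])` and the `sys_group` lookup), so a value prepared for HTML output is now also the database key. This only works because `client_id` is numeric and htmlentities leaves digits alone; move the encoding below the `$tmp = ...` query, or encode just the display columns (`contactname`, `name`) when `$client_select` is built, so the SQL path never sees encoded data. The enclosing `if` block begins before this hunk.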
@@ -85,6 +85,7 @@ class page_action extends tform_actions {
 // Getting Domains of the user
 $sql = "SELECT sys_group.groupid, sys_group.name, CONCAT(IF(client.company_name != '', CONCAT(client.company_name, ' :: '), ''), client.contact_name, ' (', client.username, IF(client.customer_no != '', CONCAT(', ', client.customer_no), ''), ')') as contactname FROM sys_group, client WHERE sys_group.client_id = client.client_id AND sys_group.client_id > 0 ORDER BY client.company_name, client.contact_name, sys_group.name";
 $clients = $app->db->queryAllRecords($sql);
+ $clients = $app->functions->htmlentities($clients);
 $client_select = '';
 if($_SESSION["s"]["user"]["typ"] == 'admin') $client_select .= "";
 //$tmp_data_record = $app->tform->getDataRecord($this->id);
@@ -100,10 +101,12 @@ class page_action extends tform_actions { // Get the limits of the client $client_group_id = intval($_SESSION["s"]["user"]["default_group"]); $client = $app->db->queryOneRecord("SELECT client.client_id, sys_group.name, client.contact_name, CONCAT(IF(client.company_name != '', CONCAT(client.company_name, ' :: '), ''), client.contact_name, ' (', client.username, IF(client.customer_no != '', CONCAT(', ', client.customer_no), ''), ')') as contactname FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = ?", $client_group_id); + $client = $app->functions->htmlentities($client); // Fill the client select field $sql = "SELECT sys_group.groupid, sys_group.name, CONCAT(IF(client.company_name != '', CONCAT(client.company_name, ' :: '), ''), client.contact_name, ' (', client.username, IF(client.customer_no != '', CONCAT(', ', client.customer_no), ''), ')') as contactname FROM sys_group, client WHERE sys_group.client_id = client.client_id AND client.parent_client_id = ? ORDER BY client.company_name, client.contact_name, sys_group.name"; $clients = $app->db->queryAllRecords($sql, $client['client_id']); + $clients = $app->functions->htmlentities($clients); $tmp = $app->db->queryOneRecord("SELECT groupid FROM sys_group WHERE client_id = ?", $client['client_id']); $client_select = ''; //$tmp_data_record = $app->tform->getDataRecord($this->id); diff --git a/interface/web/dns/dns_soa_edit.php b/interface/web/dns/dns_soa_edit.php index 8997146bb6..6faefac390 100644 --- a/interface/web/dns/dns_soa_edit.php +++ b/interface/web/dns/dns_soa_edit.php 
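Review bot: The new `$client = $app->functions->htmlentities($client);` runs before `$client['client_id']` feeds the `$clients` query and the `sys_group` lookup, so HTML-encoded data is used as a SQL bind value. It is correct today only because `client_id` is an integer; either move the call after the `$tmp = ...` line or encode only the columns that reach the markup, and if it stays as is, say why: `// safe only because client_id is numeric; htmlentities() leaves it unchanged`. The method body continues outside the hunk.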
@@ -107,6 +107,7 @@ class page_action extends tform_actions {
 // Getting Domains of the user
 $sql = "SELECT sys_group.groupid, sys_group.name, CONCAT(IF(client.company_name != '', CONCAT(client.company_name, ' :: '), ''), client.contact_name, ' (', client.username, IF(client.customer_no != '', CONCAT(', ', client.customer_no), ''), ')') as contactname FROM sys_group, client WHERE sys_group.client_id = client.client_id AND sys_group.client_id > 0 ORDER BY client.company_name, client.contact_name, sys_group.name";
 $clients = $app->db->queryAllRecords($sql);
+ $clients = $app->functions->htmlentities($clients);
 $client_select = '';
 if($_SESSION["s"]["user"]["typ"] == 'admin') $client_select .= "";
 //$tmp_data_record = $app->tform->getDataRecord($this->id);
@@ -122,10 +123,12 @@ class page_action extends tform_actions { // Get the limits of the client $client_group_id = intval($_SESSION["s"]["user"]["default_group"]); $client = $app->db->queryOneRecord("SELECT client.client_id, client.contact_name, CONCAT(IF(client.company_name != '', CONCAT(client.company_name, ' :: '), ''), client.contact_name, ' (', client.username, IF(client.customer_no != '', CONCAT(', ', client.customer_no), ''), ')') as contactname, sys_group.name FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = ?", $client_group_id); - + $client = $app->functions->htmlentities($client); + // Fill the client select field $sql = "SELECT sys_group.groupid, sys_group.name, CONCAT(IF(client.company_name != '', CONCAT(client.company_name, ' :: '), ''), client.contact_name, ' (', client.username, IF(client.customer_no != '', CONCAT(', ', client.customer_no), ''), ')') as contactname FROM sys_group, client WHERE sys_group.client_id = client.client_id AND client.parent_client_id = ? ORDER BY client.company_name, client.contact_name, sys_group.name"; $clients = $app->db->queryAllRecords($sql, $client['client_id']); + $clients = $app->functions->htmlentities($clients); $tmp = $app->db->queryOneRecord("SELECT groupid FROM sys_group WHERE client_id = ?", $client['client_id']); $client_select = ''; //$tmp_data_record = $app->tform->getDataRecord($this->id); diff --git a/interface/web/dns/dns_wizard.php b/interface/web/dns/dns_wizard.php index e163e4eeab..0e955bee09 100644 --- a/interface/web/dns/dns_wizard.php +++ b/interface/web/dns/dns_wizard.php 
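Review bot: Here the removed blank line is replaced by `$client = $app->functions->htmlentities($client);`, and the encoded record is then used as the bind parameter for both the `$clients` query and the `sys_group` lookup via `$client['client_id']`. Encoding for one output context (HTML) before the data is used in another (SQL) is the pattern to avoid even when the current column is numeric; encode after the last query, or encode only `contactname`/`name` where `$client_select` is assembled. The method body continues beyond the hunk.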
@@ -102,6 +102,7 @@ if($_SESSION['s']['user']['typ'] == 'admin') {
 // load the list of clients
 $sql = "SELECT sys_group.groupid, sys_group.name, CONCAT(IF(client.company_name != '', CONCAT(client.company_name, ' :: '), ''), client.contact_name, ' (', client.username, IF(client.customer_no != '', CONCAT(', ', client.customer_no), ''), ')') as contactname FROM sys_group, client WHERE sys_group.client_id = client.client_id AND sys_group.client_id > 0 ORDER BY client.company_name, client.contact_name, sys_group.name";
 $clients = $app->db->queryAllRecords($sql);
+ $clients = $app->functions->htmlentities($clients);
 $client_select = '';
 if($_SESSION["s"]["user"]["typ"] == 'admin') $client_select .= "";
 if(is_array($clients)) {
@@ -120,12 +121,13 @@ if ($_SESSION["s"]["user"]["typ"] != 'admin' && $app->auth->has_clients($_SESSIO // Get the limits of the client $client_group_id = $app->functions->intval($_SESSION["s"]["user"]["default_group"]); $client = $app->db->queryOneRecord("SELECT client.client_id, client.contact_name, CONCAT(IF(client.company_name != '', CONCAT(client.company_name, ' :: '), ''), client.contact_name, ' (', client.username, IF(client.customer_no != '', CONCAT(', ', client.customer_no), ''), ')') as contactname, sys_group.name FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = ?", $client_group_id); - + $client = $app->functions->htmlentities($client); if ($domains_settings['use_domain_module'] != 'y') { // load the list of clients $sql = "SELECT sys_group.groupid, sys_group.name, CONCAT(IF(client.company_name != '', CONCAT(client.company_name, ' :: '), ''), client.contact_name, ' (', client.username, IF(client.customer_no != '', CONCAT(', ', client.customer_no), ''), ')') as contactname FROM sys_group, client WHERE sys_group.client_id = client.client_id AND client.parent_client_id = ? ORDER BY client.company_name, client.contact_name, sys_group.name"; $clients = $app->db->queryAllRecords($sql, $client['client_id']); + $clients = $app->functions->htmlentities($clients); $tmp = $app->db->queryOneRecord("SELECT groupid FROM sys_group WHERE client_id = ?", $client['client_id']); $client_select = ''; if(is_array($clients)) { diff --git a/interface/web/dns/form/dns_soa.tform.php b/interface/web/dns/form/dns_soa.tform.php index d76c403447..910b2e6bb3 100644 --- a/interface/web/dns/form/dns_soa.tform.php +++ b/interface/web/dns/form/dns_soa.tform.php 
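Review bot: `$client = $app->functions->htmlentities($client);` is applied before the `use_domain_module` branch, and inside that branch `$client['client_id']` is bound into the `$clients` query and the `sys_group` lookup, so the SQL layer receives HTML-encoded values. The numeric column makes this a no-op today, but a later change to a string key would silently break the lookups; encoding after the queries, or only the display columns, removes the dependency. The enclosing `if` block starts before this hunk.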
@@ -253,6 +253,12 @@ $form["tabs"]['dns_soa'] = array ( 'update_acl' => array ( 'datatype' => 'VARCHAR', 'formtype' => 'TEXT', + 'filters' => array( + 0 => array( 'event' => 'SAVE', + 'type' => 'STRIPTAGS'), + 1 => array( 'event' => 'SAVE', + 'type' => 'STRIPNL') + ), 'default' => '', 'value' => '', 'width' => '30', @@ -273,6 +279,10 @@ $form["tabs"]['dns_soa'] = array ( 'dnssec_info' => array ( 'datatype' => 'TEXT', 'formtype' => 'TEXTAREA', + 'filters' => array( + 0 => array( 'event' => 'SAVE', + 'type' => 'STRIPTAGS') + ), 'default' => '', 'value' => '', 'width' => '30', diff --git a/interface/web/help/form/faq_sections.tform.php b/interface/web/help/form/faq_sections.tform.php index 1a1076876e..86c9520f15 100644 --- a/interface/web/help/form/faq_sections.tform.php +++ b/interface/web/help/form/faq_sections.tform.php @@ -63,6 +63,12 @@ $form['tabs']['message'] = array( 'errmsg'=> 'subject_is_empty' ), ), + 'filters' => array( + 0 => array( 'event' => 'SAVE', + 'type' => 'STRIPTAGS'), + 1 => array( 'event' => 'SAVE', + 'type' => 'STRIPNL') + ), 'default' => '', 'value' => '', 'width' => '30', diff --git a/interface/web/help/form/support_message.tform.php b/interface/web/help/form/support_message.tform.php index d80cc15815..caf1a010c6 100644 --- a/interface/web/help/form/support_message.tform.php +++ b/interface/web/help/form/support_message.tform.php @@ -100,6 +100,12 @@ $form["tabs"]['message'] = array ( 'validators' => array ( 0 => array ( 'type' => 'NOTEMPTY', 'errmsg'=> 'subject_is_empty'), ), + 'filters' => array( + 0 => array( 'event' => 'SAVE', + 'type' => 'STRIPTAGS'), + 1 => array( 'event' => 'SAVE', + 'type' => 'STRIPNL') + ), 'default' => $sm_default_subject, 'value' => '', 'width' => '30', 
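Review bot: `update_acl` is, from its name, written into the zone's BIND `allow-update` clause on the server side, and strip_tags() plus newline removal do not bound that value: `;`, `}` and quotes pass through, which is what a configuration-injection payload needs. A whitelist validator on the permitted token characters (addresses, prefixes, ACL names, `;` separators) is the appropriate check, with the filters as defense in depth; at minimum the filters deserve a comment saying what they do and do not defend against, e.g. `// STRIPTAGS/STRIPNL are not a BIND ACL validator; see server-side handling`. The server plugin that consumes the field is not part of this diff, so the sink is inferred.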
@@ -111,6 +117,10 @@ $form["tabs"]['message'] = array ( 'validators' => array ( 0 => array ( 'type' => 'NOTEMPTY', 'errmsg'=> 'message_is_empty'), ), + 'filters' => array( + 0 => array( 'event' => 'SAVE', + 'type' => 'STRIPTAGS') + ), 'default' => '', 'value' => '', 'cols' => '30', diff --git a/interface/web/mail/form/mail_aliasdomain.tform.php b/interface/web/mail/form/mail_aliasdomain.tform.php index 64c5992483..66db01e5aa 100644 --- a/interface/web/mail/form/mail_aliasdomain.tform.php +++ b/interface/web/mail/form/mail_aliasdomain.tform.php @@ -103,7 +103,11 @@ $form["tabs"]['alias'] = array ( 1 => array( 'event' => 'SHOW', 'type' => 'IDNTOUTF8'), 2 => array( 'event' => 'SAVE', - 'type' => 'TOLOWER') + 'type' => 'TOLOWER'), + 3 => array( 'event' => 'SAVE', + 'type' => 'STRIPTAGS'), + 4 => array( 'event' => 'SAVE', + 'type' => 'STRIPNL') ), 'default' => '', 'value' => '', diff --git a/interface/web/mail/form/mail_blacklist.tform.php b/interface/web/mail/form/mail_blacklist.tform.php index f0b35d21ce..8b268147fb 100644 --- a/interface/web/mail/form/mail_blacklist.tform.php +++ b/interface/web/mail/form/mail_blacklist.tform.php @@ -76,6 +76,12 @@ $form["tabs"]['blacklist'] = array ( 'validators' => array ( 0 => array ( 'type' => 'NOTEMPTY', 'errmsg'=> 'source_error_notempty'), ), + 'filters' => array( + 0 => array( 'event' => 'SAVE', + 'type' => 'STRIPTAGS'), + 1 => array( 'event' => 'SAVE', + 'type' => 'STRIPNL') + ), 'value' => '', 'width' => '30', 'maxlength' => '255' diff --git a/interface/web/mail/form/mail_forward.tform.php b/interface/web/mail/form/mail_forward.tform.php index 3c891506b9..260d953982 100644 --- a/interface/web/mail/form/mail_forward.tform.php +++ b/interface/web/mail/form/mail_forward.tform.php 
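Review bot: In the mail_aliasdomain hunk the new `STRIPTAGS` (index 3) and `STRIPNL` (index 4) run after `IDNTOASCII` (index 0) and `TOLOWER` (index 2), assuming filters are applied in index order, so the IDN conversion sees the raw input including any `<`, `>` or newline. Sanitising filters should come first so that IDN conversion and the domain validators operate on the cleaned string: list STRIPTAGS/STRIPNL at indices 0–1 and shift the existing filters down. The same appended ordering appears in the `mail_forward`, `mail_transport` and `spamfilter_blacklist` hunks of this commit.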
@@ -98,7 +98,11 @@ $form["tabs"]['forward'] = array ( 1 => array( 'event' => 'SHOW', 'type' => 'IDNTOUTF8'), 2 => array( 'event' => 'SAVE', - 'type' => 'TOLOWER') + 'type' => 'TOLOWER'), + 3 => array( 'event' => 'SAVE', + 'type' => 'STRIPTAGS'), + 4 => array( 'event' => 'SAVE', + 'type' => 'STRIPNL') ), 'default' => '', 'value' => '', diff --git a/interface/web/mail/form/mail_get.tform.php b/interface/web/mail/form/mail_get.tform.php index 4521e40028..9f7de76e01 100644 --- a/interface/web/mail/form/mail_get.tform.php +++ b/interface/web/mail/form/mail_get.tform.php @@ -109,6 +109,12 @@ $form["tabs"]['mailget'] = array ( 'validators' => array ( 0 => array ( 'type' => 'NOTEMPTY', 'errmsg'=> 'source_username_error_isempty'), ), + 'filters' => array( + 0 => array( 'event' => 'SAVE', + 'type' => 'STRIPTAGS'), + 1 => array( 'event' => 'SAVE', + 'type' => 'STRIPNL') + ), 'default' => '', 'value' => '', 'width' => '30', diff --git a/interface/web/mail/form/mail_mailinglist.tform.php b/interface/web/mail/form/mail_mailinglist.tform.php index 24c4f003c9..ba877f410c 100644 --- a/interface/web/mail/form/mail_mailinglist.tform.php +++ b/interface/web/mail/form/mail_mailinglist.tform.php @@ -104,6 +104,12 @@ $form["tabs"]['mailinglist'] = array ( 1 => array ( 'type' => 'UNIQUE', 'errmsg'=> 'listname_error_unique'), ), + 'filters' => array( + 0 => array( 'event' => 'SAVE', + 'type' => 'STRIPTAGS'), + 1 => array( 'event' => 'SAVE', + 'type' => 'STRIPNL') + ), 'default' => '', 'value' => '', 'width' => '30', diff --git a/interface/web/mail/form/mail_relay_recipient.tform.php b/interface/web/mail/form/mail_relay_recipient.tform.php index 4c5b2b1db1..34c23861e4 100644 --- a/interface/web/mail/form/mail_relay_recipient.tform.php +++ b/interface/web/mail/form/mail_relay_recipient.tform.php 
@@ -76,6 +76,12 @@ $form["tabs"]['relay_recipient'] = array ( 'validators' => array ( 0 => array ( 'type' => 'NOTEMPTY', 'errmsg'=> 'source_error_notempty'), ), + 'filters' => array( + 0 => array( 'event' => 'SAVE', + 'type' => 'STRIPTAGS'), + 1 => array( 'event' => 'SAVE', + 'type' => 'STRIPNL') + ), 'value' => '', 'width' => '30', 'maxlength' => '255' @@ -83,6 +89,12 @@ $form["tabs"]['relay_recipient'] = array ( 'access' => array ( 'datatype' => 'VARCHAR', 'formtype' => 'TEXT', + 'filters' => array( + 0 => array( 'event' => 'SAVE', + 'type' => 'STRIPTAGS'), + 1 => array( 'event' => 'SAVE', + 'type' => 'STRIPNL') + ), 'default' => 'OK', 'value' => 'OK', 'width' => '30', diff --git a/interface/web/mail/form/mail_spamfilter.tform.php b/interface/web/mail/form/mail_spamfilter.tform.php index fe3f6c0f26..fb9a3c311b 100644 --- a/interface/web/mail/form/mail_spamfilter.tform.php +++ b/interface/web/mail/form/mail_spamfilter.tform.php @@ -108,6 +108,12 @@ $form["tabs"]['spamfilter'] = array ( 'spam_rewrite_subject' => array ( 'datatype' => 'VARCHAR', 'formtype' => 'TEXT', + 'filters' => array( + 0 => array( 'event' => 'SAVE', + 'type' => 'STRIPTAGS'), + 1 => array( 'event' => 'SAVE', + 'type' => 'STRIPNL') + ), 'default' => '***SPAM***', 'value' => '', 'width' => '30', diff --git a/interface/web/mail/form/mail_transport.tform.php b/interface/web/mail/form/mail_transport.tform.php index 000584246b..ee3c52b447 100644 --- a/interface/web/mail/form/mail_transport.tform.php +++ b/interface/web/mail/form/mail_transport.tform.php @@ -82,7 +82,11 @@ $form["tabs"]['transport'] = array ( 1 => array( 'event' => 'SHOW', 'type' => 'IDNTOUTF8'), 2 => array( 'event' => 'SAVE', - 'type' => 'TOLOWER') + 'type' => 'TOLOWER'), + 3 => array( 'event' => 'SAVE', + 'type' => 'STRIPTAGS'), + 4 => array( 'event' => 'SAVE', + 'type' => 'STRIPNL') ), 'default' => '', 'value' => '', 
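Review bot: `access` in mail_relay_recipient (default `'OK'`) is, from the table name, emitted into a Postfix access map, and STRIPTAGS/STRIPNL do not restrict it to the Postfix access actions — everything except `<`, `>` and newlines is still accepted. If the field is user-editable, a fixed-choice validator (or rendering it as a SELECT) is the right control; if it is always `OK` in the UI, record that: `// access is fixed to 'OK' by the UI; filters are defense in depth only`. The Postfix sink is inferred from the form name, not visible here.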
@@ -93,6 +97,12 @@ $form["tabs"]['transport'] = array ( 'transport' => array ( 'datatype' => 'VARCHAR', 'formtype' => 'TEXT', + 'filters' => array( + 0 => array( 'event' => 'SAVE', + 'type' => 'STRIPTAGS'), + 1 => array( 'event' => 'SAVE', + 'type' => 'STRIPNL') + ), 'default' => '', 'value' => '', 'width' => '30', diff --git a/interface/web/mail/form/mail_user.tform.php b/interface/web/mail/form/mail_user.tform.php index 3d2b66daac..631c507f90 100644 --- a/interface/web/mail/form/mail_user.tform.php +++ b/interface/web/mail/form/mail_user.tform.php @@ -211,6 +211,12 @@ $form["tabs"]['mailuser'] = array( 'maildir' => array ( 'datatype' => 'VARCHAR', 'formtype' => 'TEXT', + 'filters' => array( + 0 => array( 'event' => 'SAVE', + 'type' => 'STRIPTAGS'), + 1 => array( 'event' => 'SAVE', + 'type' => 'STRIPNL') + ), 'default' => '', 'value' => '', 'width' => '30', @@ -219,6 +225,12 @@ $form["tabs"]['mailuser'] = array( 'maildir_format' => array ( 'datatype' => 'VARCHAR', 'formtype' => 'TEXT', + 'filters' => array( + 0 => array( 'event' => 'SAVE', + 'type' => 'STRIPTAGS'), + 1 => array( 'event' => 'SAVE', + 'type' => 'STRIPNL') + ), 'default' => '', 'value' => '', 'width' => '30', @@ -227,6 +239,12 @@ $form["tabs"]['mailuser'] = array( 'homedir' => array ( 'datatype' => 'VARCHAR', 'formtype' => 'TEXT', + 'filters' => array( + 0 => array( 'event' => 'SAVE', + 'type' => 'STRIPTAGS'), + 1 => array( 'event' => 'SAVE', + 'type' => 'STRIPNL') + ), 'default' => '', 'value' => '', 'width' => '30', @@ -310,6 +328,12 @@ if ($global_config['mail']['mailbox_show_autoresponder_tab'] === 'y') { 'autoresponder_subject' => array ( 'datatype' => 'VARCHAR', 'formtype' => 'TEXT', + 'filters' => array( + 0 => array( 'event' => 'SAVE', + 'type' => 'STRIPTAGS'), + 1 => array( 'event' => 'SAVE', + 'type' => 'STRIPNL') + ), 'default' => 'Out of office reply', 'value' => '', 'width' => '30', 
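Review bot: `maildir`, `maildir_format` and `homedir` are filesystem paths, and the new STRIPTAGS/STRIPNL filters say nothing about path traversal (`..`), absolute paths or shell metacharacters, which are the actual risks for these fields. If these values are server-generated and read-only in the UI, a comment should make that explicit so the filters are not mistaken for the control; if any of them is user-editable, a path validator is needed alongside them. Whether they are editable is not visible in this hunk.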
@@ -318,6 +342,10 @@ if ($global_config['mail']['mailbox_show_autoresponder_tab'] === 'y') { 'autoresponder_text' => array ( 'datatype' => 'TEXT', 'formtype' => 'TEXTAREA', + 'filters' => array( + 0 => array( 'event' => 'SAVE', + 'type' => 'STRIPTAGS') + ), 'default' => '', 'value' => '', 'cols' => '30', diff --git a/interface/web/mail/form/mail_user_filter.tform.php b/interface/web/mail/form/mail_user_filter.tform.php index d5f6a0ab5b..becb09351e 100644 --- a/interface/web/mail/form/mail_user_filter.tform.php +++ b/interface/web/mail/form/mail_user_filter.tform.php @@ -73,6 +73,12 @@ $form["tabs"]['filter'] = array ( 'validators' => array ( 0 => array ( 'type' => 'NOTEMPTY', 'errmsg'=> 'rulename_error_empty'), ), + 'filters' => array( + 0 => array( 'event' => 'SAVE', + 'type' => 'STRIPTAGS'), + 1 => array( 'event' => 'SAVE', + 'type' => 'STRIPNL') + ), 'default' => '', 'value' => '', 'width' => '30', @@ -97,6 +103,10 @@ $form["tabs"]['filter'] = array ( 'validators' => array ( 0 => array ( 'type' => 'NOTEMPTY', 'errmsg'=> 'searchterm_is_empty'), ), + 'filters' => array( + 0 => array( 'event' => 'SAVE', + 'type' => 'STRIPNL') + ), 'default' => '', 'value' => '', 'width' => '30', diff --git a/interface/web/mail/form/mail_whitelist.tform.php b/interface/web/mail/form/mail_whitelist.tform.php index ce8f954e5b..00fc971647 100644 --- a/interface/web/mail/form/mail_whitelist.tform.php +++ b/interface/web/mail/form/mail_whitelist.tform.php @@ -76,6 +76,12 @@ $form["tabs"]['whitelist'] = array ( 'validators' => array ( 0 => array ( 'type' => 'NOTEMPTY', 'errmsg'=> 'source_error_notempty'), ), + 'filters' => array( + 0 => array( 'event' => 'SAVE', + 'type' => 'STRIPTAGS'), + 1 => array( 'event' => 'SAVE', + 'type' => 'STRIPNL') + ), 'value' => '', 'width' => '30', 'maxlength' => '255' 
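Review bot: `searchterm` in mail_user_filter receives only `STRIPNL`, whereas every other TEXT field in this commit also receives `STRIPTAGS`; if the omission is deliberate (search terms may legitimately contain `<`/`>`, e.g. addresses in angle brackets), record it: `// no STRIPTAGS: search terms may contain '<...>'; escape on output`. If it is an oversight it should match the `rulename` hunk above. Either way the field's rendering must HTML-escape it, since nothing here makes the stored value safe for output.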
@@ -83,6 +89,12 @@ $form["tabs"]['whitelist'] = array ( 'access' => array ( 'datatype' => 'VARCHAR', 'formtype' => 'TEXT', + 'filters' => array( + 0 => array( 'event' => 'SAVE', + 'type' => 'STRIPTAGS'), + 1 => array( 'event' => 'SAVE', + 'type' => 'STRIPNL') + ), 'default' => 'OK', 'value' => 'OK', 'width' => '30', diff --git a/interface/web/mail/form/spamfilter_blacklist.tform.php b/interface/web/mail/form/spamfilter_blacklist.tform.php index a6637473eb..3514eed434 100644 --- a/interface/web/mail/form/spamfilter_blacklist.tform.php +++ b/interface/web/mail/form/spamfilter_blacklist.tform.php @@ -72,6 +72,12 @@ $form["tabs"]['blacklist'] = array ( 'wb' => array ( 'datatype' => 'VARCHAR', 'formtype' => 'TEXT', + 'filters' => array( + 0 => array( 'event' => 'SAVE', + 'type' => 'STRIPTAGS'), + 1 => array( 'event' => 'SAVE', + 'type' => 'STRIPNL') + ), 'default' => 'B', 'value' => array('W' => 'blacklist', 'B' => 'Blacklist') ), @@ -90,6 +96,17 @@ $form["tabs"]['blacklist'] = array ( 'datatype' => 'VARCHAR', 'formtype' => 'TEXT', 'default' => '', + 'filters' => array( 0 => array( 'event' => 'SAVE', + 'type' => 'IDNTOASCII'), + 1 => array( 'event' => 'SHOW', + 'type' => 'IDNTOUTF8'), + 2 => array( 'event' => 'SAVE', + 'type' => 'TOLOWER'), + 3 => array( 'event' => 'SAVE', + 'type' => 'STRIPTAGS'), + 4 => array( 'event' => 'SAVE', + 'type' => 'STRIPNL') + ), 'validators' => array ( 0 => array ( 'type' => 'NOTEMPTY', 'errmsg'=> 'email_error_notempty'), ), diff --git a/interface/web/mail/form/spamfilter_policy.tform.php b/interface/web/mail/form/spamfilter_policy.tform.php index da63732c80..31e8b8092a 100644 --- a/interface/web/mail/form/spamfilter_policy.tform.php +++ b/interface/web/mail/form/spamfilter_policy.tform.php 
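Review bot: In spamfilter_blacklist.tform.php the `email` field's new STRIPTAGS (index 3) and STRIPNL (index 4) are appended behind IDNTOASCII (0) and TOLOWER (2); assuming tform applies SAVE filters in array order, idn_to_ascii and strtolower process the raw submission and the stripping happens last, so a value containing `<` or a line break reaches the IDN conversion before it is cleaned. Moving the two stripping entries to indices 0 and 1 and shifting the rest makes every later filter see sanitised input. The `wb` field is a two-value selector (`W`/`B`) but is declared `formtype => 'TEXT'`, and strip_tags does not restrict its value; a validator such as `0 => array('type' => 'REGEX', 'regex' => '/^[WB]$/', 'errmsg' => 'wb_error_regex')` (message added to the lang files) would be the tighter control. The `email` validators list continues outside the hunk, so a stricter address check may already be present there.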
@@ -65,6 +65,12 @@ $form["tabs"]['policy'] = array ( 'validators' => array ( 0 => array ( 'type' => 'NOTEMPTY', 'errmsg'=> 'policyname_error_notempty'), ), + 'filters' => array( + 0 => array( 'event' => 'SAVE', + 'type' => 'STRIPTAGS'), + 1 => array( 'event' => 'SAVE', + 'type' => 'STRIPNL') + ), 'value' => '', 'width' => '30', 'maxlength' => '255' @@ -129,6 +135,12 @@ $form["tabs"]['quarantine'] = array ( 'virus_quarantine_to' => array ( 'datatype' => 'VARCHAR', 'formtype' => 'TEXT', + 'filters' => array( + 0 => array( 'event' => 'SAVE', + 'type' => 'STRIPTAGS'), + 1 => array( 'event' => 'SAVE', + 'type' => 'STRIPNL') + ), 'default' => '', 'value' => '', 'width' => '30', @@ -137,6 +149,12 @@ $form["tabs"]['quarantine'] = array ( 'spam_quarantine_to' => array ( 'datatype' => 'VARCHAR', 'formtype' => 'TEXT', + 'filters' => array( + 0 => array( 'event' => 'SAVE', + 'type' => 'STRIPTAGS'), + 1 => array( 'event' => 'SAVE', + 'type' => 'STRIPNL') + ), 'default' => '', 'value' => '', 'width' => '30', @@ -145,6 +163,12 @@ $form["tabs"]['quarantine'] = array ( 'banned_quarantine_to' => array ( 'datatype' => 'VARCHAR', 'formtype' => 'TEXT', + 'filters' => array( + 0 => array( 'event' => 'SAVE', + 'type' => 'STRIPTAGS'), + 1 => array( 'event' => 'SAVE', + 'type' => 'STRIPNL') + ), 'default' => '', 'value' => '', 'width' => '30', @@ -153,6 +177,12 @@ $form["tabs"]['quarantine'] = array ( 'bad_header_quarantine_to' => array ( 'datatype' => 'VARCHAR', 'formtype' => 'TEXT', + 'filters' => array( + 0 => array( 'event' => 'SAVE', + 'type' => 'STRIPTAGS'), + 1 => array( 'event' => 'SAVE', + 'type' => 'STRIPNL') + ), 'default' => '', 'value' => '', 'width' => '30', 
@@ -161,6 +191,12 @@ $form["tabs"]['quarantine'] = array ( 'clean_quarantine_to' => array ( 'datatype' => 'VARCHAR', 'formtype' => 'TEXT', + 'filters' => array( + 0 => array( 'event' => 'SAVE', + 'type' => 'STRIPTAGS'), + 1 => array( 'event' => 'SAVE', + 'type' => 'STRIPNL') + ), 'default' => '', 'value' => '', 'width' => '30', @@ -169,6 +205,12 @@ $form["tabs"]['quarantine'] = array ( 'other_quarantine_to' => array ( 'datatype' => 'VARCHAR', 'formtype' => 'TEXT', + 'filters' => array( + 0 => array( 'event' => 'SAVE', + 'type' => 'STRIPTAGS'), + 1 => array( 'event' => 'SAVE', + 'type' => 'STRIPNL') + ), 'default' => '', 'value' => '', 'width' => '30', @@ -237,6 +279,12 @@ $form["tabs"]['taglevel'] = array ( 'spam_subject_tag' => array ( 'datatype' => 'VARCHAR', 'formtype' => 'TEXT', + 'filters' => array( + 0 => array( 'event' => 'SAVE', + 'type' => 'STRIPTAGS'), + 1 => array( 'event' => 'SAVE', + 'type' => 'STRIPNL') + ), 'default' => '', 'value' => '', 'width' => '30', @@ -245,6 +293,12 @@ $form["tabs"]['taglevel'] = array ( 'spam_subject_tag2' => array ( 'datatype' => 'VARCHAR', 'formtype' => 'TEXT', + 'filters' => array( + 0 => array( 'event' => 'SAVE', + 'type' => 'STRIPTAGS'), + 1 => array( 'event' => 'SAVE', + 'type' => 'STRIPNL') + ), 'default' => '', 'value' => '', 'width' => '30', @@ -268,6 +322,12 @@ $form["tabs"]['other'] = array ( 'addr_extension_virus' => array ( 'datatype' => 'VARCHAR', 'formtype' => 'TEXT', + 'filters' => array( + 0 => array( 'event' => 'SAVE', + 'type' => 'STRIPTAGS'), + 1 => array( 'event' => 'SAVE', + 'type' => 'STRIPNL') + ), 'default' => '', 'value' => '', 'width' => '30', @@ -276,6 +336,12 @@ $form["tabs"]['other'] = array ( 'addr_extension_spam' => array ( 'datatype' => 'VARCHAR', 'formtype' => 'TEXT', + 'filters' => array( + 0 => array( 'event' => 'SAVE', + 'type' => 'STRIPTAGS'), + 1 => array( 'event' => 'SAVE', + 'type' => 'STRIPNL') + ), 'default' => '', 'value' => '', 'width' => '30', 
@@ -284,6 +350,12 @@ $form["tabs"]['other'] = array ( 'addr_extension_banned' => array ( 'datatype' => 'VARCHAR', 'formtype' => 'TEXT', + 'filters' => array( + 0 => array( 'event' => 'SAVE', + 'type' => 'STRIPTAGS'), + 1 => array( 'event' => 'SAVE', + 'type' => 'STRIPNL') + ), 'default' => '', 'value' => '', 'width' => '30', @@ -292,6 +364,12 @@ $form["tabs"]['other'] = array ( 'addr_extension_bad_header' => array ( 'datatype' => 'VARCHAR', 'formtype' => 'TEXT', + 'filters' => array( + 0 => array( 'event' => 'SAVE', + 'type' => 'STRIPTAGS'), + 1 => array( 'event' => 'SAVE', + 'type' => 'STRIPNL') + ), 'default' => '', 'value' => '', 'width' => '30', @@ -318,6 +396,12 @@ $form["tabs"]['other'] = array ( 'newvirus_admin' => array ( 'datatype' => 'VARCHAR', 'formtype' => 'TEXT', + 'filters' => array( + 0 => array( 'event' => 'SAVE', + 'type' => 'STRIPTAGS'), + 1 => array( 'event' => 'SAVE', + 'type' => 'STRIPNL') + ), 'default' => '', 'value' => '', 'width' => '30', @@ -326,6 +410,12 @@ $form["tabs"]['other'] = array ( 'virus_admin' => array ( 'datatype' => 'VARCHAR', 'formtype' => 'TEXT', + 'filters' => array( + 0 => array( 'event' => 'SAVE', + 'type' => 'STRIPTAGS'), + 1 => array( 'event' => 'SAVE', + 'type' => 'STRIPNL') + ), 'default' => '', 'value' => '', 'width' => '30', @@ -334,6 +424,12 @@ $form["tabs"]['other'] = array ( 'banned_admin' => array ( 'datatype' => 'VARCHAR', 'formtype' => 'TEXT', + 'filters' => array( + 0 => array( 'event' => 'SAVE', + 'type' => 'STRIPTAGS'), + 1 => array( 'event' => 'SAVE', + 'type' => 'STRIPNL') + ), 'default' => '', 'value' => '', 'width' => '30', @@ -342,6 +438,12 @@ $form["tabs"]['other'] = array ( 'bad_header_admin' => array ( 'datatype' => 'VARCHAR', 'formtype' => 'TEXT', + 'filters' => array( + 0 => array( 'event' => 'SAVE', + 'type' => 'STRIPTAGS'), + 1 => array( 'event' => 'SAVE', + 'type' => 'STRIPNL') + ), 'default' => '', 'value' => '', 'width' => '30', 
@@ -350,6 +452,12 @@ $form["tabs"]['other'] = array ( 'spam_admin' => array ( 'datatype' => 'VARCHAR', 'formtype' => 'TEXT', + 'filters' => array( + 0 => array( 'event' => 'SAVE', + 'type' => 'STRIPTAGS'), + 1 => array( 'event' => 'SAVE', + 'type' => 'STRIPNL') + ), 'default' => '', 'value' => '', 'width' => '30', @@ -367,6 +475,12 @@ $form["tabs"]['other'] = array ( 'banned_rulenames' => array ( 'datatype' => 'VARCHAR', 'formtype' => 'TEXT', + 'filters' => array( + 0 => array( 'event' => 'SAVE', + 'type' => 'STRIPTAGS'), + 1 => array( 'event' => 'SAVE', + 'type' => 'STRIPNL') + ), 'default' => '', 'value' => '', 'width' => '30', diff --git a/interface/web/mail/form/spamfilter_users.tform.php b/interface/web/mail/form/spamfilter_users.tform.php index 0eba0bbefb..1ed9e54b0d 100644 --- a/interface/web/mail/form/spamfilter_users.tform.php +++ b/interface/web/mail/form/spamfilter_users.tform.php @@ -91,7 +91,11 @@ $form["tabs"]['users'] = array ( 'formtype' => 'TEXT', 'default' => '', 'filters' => array( 0 => array( 'event' => 'SAVE', - 'type' => 'TOLOWER') + 'type' => 'TOLOWER'), + 1 => array( 'event' => 'SAVE', + 'type' => 'STRIPTAGS'), + 2 => array( 'event' => 'SAVE', + 'type' => 'STRIPNL') ), 'validators' => array ( 0 => array ( 'type' => 'NOTEMPTY', 'errmsg'=> 'email_error_notempty'), @@ -107,6 +111,12 @@ $form["tabs"]['users'] = array ( 'validators' => array ( 0 => array ( 'type' => 'NOTEMPTY', 'errmsg'=> 'fullname_error_notempty'), ), + 'filters' => array( + 0 => array( 'event' => 'SAVE', + 'type' => 'STRIPTAGS'), + 1 => array( 'event' => 'SAVE', + 'type' => 'STRIPNL') + ), 'value' => '', 'width' => '30', 'maxlength' => '255' diff --git a/interface/web/mail/form/spamfilter_whitelist.tform.php b/interface/web/mail/form/spamfilter_whitelist.tform.php index 5f8a176be7..f0802fa491 100644 --- a/interface/web/mail/form/spamfilter_whitelist.tform.php +++ b/interface/web/mail/form/spamfilter_whitelist.tform.php 
@@ -72,6 +72,12 @@ $form["tabs"]['whitelist'] = array ( 'wb' => array ( 'datatype' => 'VARCHAR', 'formtype' => 'TEXT', + 'filters' => array( + 0 => array( 'event' => 'SAVE', + 'type' => 'STRIPTAGS'), + 1 => array( 'event' => 'SAVE', + 'type' => 'STRIPNL') + ), 'default' => 'W', 'value' => array('W' => 'Whitelist', 'B' => 'Blacklist') ), @@ -95,7 +101,11 @@ $form["tabs"]['whitelist'] = array ( 1 => array( 'event' => 'SHOW', 'type' => 'IDNTOUTF8'), 2 => array( 'event' => 'SAVE', - 'type' => 'TOLOWER') + 'type' => 'TOLOWER'), + 3 => array( 'event' => 'SAVE', + 'type' => 'STRIPTAGS'), + 4 => array( 'event' => 'SAVE', + 'type' => 'STRIPNL') ), 'validators' => array ( 0 => array ( 'type' => 'NOTEMPTY', 'errmsg'=> 'email_error_notempty'), diff --git a/interface/web/mail/form/xmpp_domain.tform.php b/interface/web/mail/form/xmpp_domain.tform.php index 095c72fba2..bbe694f9fd 100644 --- a/interface/web/mail/form/xmpp_domain.tform.php +++ b/interface/web/mail/form/xmpp_domain.tform.php @@ -139,12 +139,22 @@ $form["tabs"]['domain'] = array ( 'registration_message' => array( 'datatype' => 'TEXT', 'formtype' => 'TEXT', + 'filters' => array( + 0 => array( 'event' => 'SAVE', + 'type' => 'STRIPTAGS') + ), 'default' => "", 'value' => '' ), 'domain_admins' => array( 'datatype' => 'VARCHAR', 'formtype' => 'TEXT', + 'filters' => array( + 0 => array( 'event' => 'SAVE', + 'type' => 'STRIPTAGS'), + 1 => array( 'event' => 'SAVE', + 'type' => 'STRIPNL') + ), 'default' => '', 'value' => '', 'width' => '15', diff --git a/interface/web/mail/mail_domain_edit.php b/interface/web/mail/mail_domain_edit.php index ad383c474b..7565752bd3 100644 --- a/interface/web/mail/mail_domain_edit.php +++ b/interface/web/mail/mail_domain_edit.php 
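Review bot: In spamfilter_whitelist.tform.php STRIPTAGS and STRIPNL are inserted as indices 3 and 4 behind IDNTOASCII, IDNTOUTF8 and TOLOWER, so if SAVE filters run in array order the IDN conversion and lowercasing operate on the unsanitised value and only the final two steps clean it; placing the two stripping filters first (indices 0 and 1, the existing ones shifted to 2–4) is the safer order. The `wb` selector in the same file gains tag stripping although its only valid values are `W` and `B`; a `REGEX` validator pinning `/^[WB]$/` would enforce that, which strip_tags cannot. In xmpp_domain.tform.php, `domain_admins` is a list of addresses with no format check beyond the two filters; either a REGEX validator or a comment such as `// space-separated JIDs, validated by the server plugin` would tell the reader which of the two is intended — I cannot see the server side here.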
@@ -80,6 +80,7 @@ class page_action extends tform_actions { $sql = "SELECT sys_group.groupid, sys_group.name, CONCAT(IF(client.company_name != '', CONCAT(client.company_name, ' :: '), ''), client.contact_name, ' (', client.username, IF(client.customer_no != '', CONCAT(', ', client.customer_no), ''), ')') as contactname FROM sys_group, client WHERE sys_group.client_id = client.client_id AND sys_group.client_id > 0 ORDER BY client.company_name, client.contact_name, sys_group.name"; $clients = $app->db->queryAllRecords($sql); + $clients = $app->functions->htmlentities($clients); $client_select = ''; if($_SESSION["s"]["user"]["typ"] == 'admin') $client_select .= ""; //$tmp_data_record = $app->tform->getDataRecord($this->id); @@ -96,6 +97,7 @@ class page_action extends tform_actions { // Get the limits of the client $client_group_id = $_SESSION["s"]["user"]["default_group"]; $client = $app->db->queryOneRecord("SELECT client.client_id, client.contact_name, client.default_mailserver, CONCAT(IF(client.company_name != '', CONCAT(client.company_name, ' :: '), ''), client.contact_name, ' (', client.username, IF(client.customer_no != '', CONCAT(', ', client.customer_no), ''), ')') as contactname, sys_group.name FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = ? order by client.contact_name", $client_group_id); + $client = $app->functions->htmlentities($client); // Set the mailserver to the default server of the client $tmp = $app->db->queryOneRecord("SELECT server_name FROM server WHERE server_id = ?", $client['default_mailserver']); 
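Review bot: `$clients = $app->functions->htmlentities($clients);` encodes whole result rows rather than only the `contactname` that is rendered, so `groupid`, `client_id` and `sys_group.name` are encoded too (assuming the helper recurses into arrays — its implementation is not in this diff). That is harmless for the numeric ids passed to the following `queryOneRecord` calls, but it ties HTML encoding to the data layer and will double-encode if the template engine also escapes option text; encoding at the point where the value is interpolated into `$client_select` (those option-building lines appear stripped in this rendering) keeps the two concerns apart. At minimum a comment such as `// encoded for direct HTML interpolation below; do not reuse these values for comparisons` would warn the next maintainer.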
@@ -106,6 +108,7 @@ class page_action extends tform_actions { // Fill the client select field $sql = "SELECT sys_group.groupid, sys_group.name, CONCAT(IF(client.company_name != '', CONCAT(client.company_name, ' :: '), ''), client.contact_name, ' (', client.username, IF(client.customer_no != '', CONCAT(', ', client.customer_no), ''), ')') as contactname FROM sys_group, client WHERE sys_group.client_id = client.client_id AND client.parent_client_id = ? ORDER BY client.company_name, client.contact_name, sys_group.name"; $clients = $app->db->queryAllRecords($sql, $client['client_id']); + $clients = $app->functions->htmlentities($clients); $tmp = $app->db->queryOneRecord("SELECT groupid FROM sys_group WHERE client_id = ?", $client['client_id']); $client_select = ''; //$tmp_data_record = $app->tform->getDataRecord($this->id); diff --git a/interface/web/mail/mail_mailinglist_edit.php b/interface/web/mail/mail_mailinglist_edit.php index 5515670734..1419627529 100644 --- a/interface/web/mail/mail_mailinglist_edit.php +++ b/interface/web/mail/mail_mailinglist_edit.php @@ -74,6 +74,7 @@ class page_action extends tform_actions { // Getting Clients of the user $sql = "SELECT sys_group.groupid, sys_group.name, CONCAT(IF(client.company_name != '', CONCAT(client.company_name, ' :: '), ''), client.contact_name, ' (', client.username, IF(client.customer_no != '', CONCAT(', ', client.customer_no), ''), ')') as contactname FROM sys_group, client WHERE sys_group.client_id = client.client_id AND sys_group.client_id > 0 ORDER BY client.company_name, client.contact_name, sys_group.name"; $clients = $app->db->queryAllRecords($sql); + $clients = $app->functions->htmlentities($clients); $client_select = ''; if($_SESSION["s"]["user"]["typ"] == 'admin') $client_select .= ""; $tmp_data_record = $app->tform->getDataRecord($this->id); 
@@ -90,10 +91,12 @@ class page_action extends tform_actions { // Get the limits of the client $client_group_id = $_SESSION["s"]["user"]["default_group"]; $client = $app->db->queryOneRecord("SELECT client.client_id, client.contact_name, client.default_mailserver, CONCAT(IF(client.company_name != '', CONCAT(client.company_name, ' :: '), ''), client.contact_name, ' (', client.username, IF(client.customer_no != '', CONCAT(', ', client.customer_no), ''), ')') as contactname, sys_group.name FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = ? order by contact_name", $client_group_id); + $client = $app->functions->htmlentities($client); // Fill the client select field $sql = "SELECT sys_group.groupid, sys_group.name, CONCAT(IF(client.company_name != '', CONCAT(client.company_name, ' :: '), ''), client.contact_name, ' (', client.username, IF(client.customer_no != '', CONCAT(', ', client.customer_no), ''), ')') as contactname FROM sys_group, client WHERE sys_group.client_id = client.client_id AND client.parent_client_id = ? ORDER BY client.company_name, client.contact_name, sys_group.name"; $clients = $app->db->queryAllRecords($sql, $client['client_id']); + $clients = $app->functions->htmlentities($clients); $tmp = $app->db->queryOneRecord("SELECT groupid FROM sys_group WHERE client_id = ?", $client['client_id']); $client_select = ''; $tmp_data_record = $app->tform->getDataRecord($this->id); diff --git a/interface/web/mail/xmpp_domain_edit.php b/interface/web/mail/xmpp_domain_edit.php index ec5a5fc11b..3913201114 100644 --- a/interface/web/mail/xmpp_domain_edit.php +++ b/interface/web/mail/xmpp_domain_edit.php 
@@ -108,6 +108,7 @@ class page_action extends tform_actions { $sql = "SELECT sys_group.groupid, sys_group.name, CONCAT(IF(client.company_name != '', CONCAT(client.company_name, ' :: '), ''), client.contact_name, ' (', client.username, IF(client.customer_no != '', CONCAT(', ', client.customer_no), ''), ')') as contactname FROM sys_group, client WHERE sys_group.client_id = client.client_id AND sys_group.client_id > 0 ORDER BY client.company_name, client.contact_name, sys_group.name"; $clients = $app->db->queryAllRecords($sql); + $clients = $app->functions->htmlentities($clients); $client_select = ''; if($_SESSION["s"]["user"]["typ"] == 'admin') $client_select .= ""; //$tmp_data_record = $app->tform->getDataRecord($this->id); 
@@ -124,11 +125,13 @@ class page_action extends tform_actions { // Get the limits of the client $client_group_id = $_SESSION["s"]["user"]["default_group"]; $client = $app->db->queryOneRecord("SELECT client.client_id, client.contact_name, CONCAT(IF(client.company_name != '', CONCAT(client.company_name, ' :: '), ''), client.contact_name, ' (', client.username, IF(client.customer_no != '', CONCAT(', ', client.customer_no), ''), ')') as contactname, sys_group.name FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = ? order by client.contact_name", $client_group_id); + $client = $app->functions->htmlentities($client); if ($settings['use_domain_module'] != 'y') { // Fill the client select field $sql = "SELECT sys_group.groupid, sys_group.name, CONCAT(IF(client.company_name != '', CONCAT(client.company_name, ' :: '), ''), client.contact_name, ' (', client.username, IF(client.customer_no != '', CONCAT(', ', client.customer_no), ''), ')') as contactname FROM sys_group, client WHERE sys_group.client_id = client.client_id AND client.parent_client_id = ? ORDER BY client.company_name, client.contact_name, sys_group.name"; $clients = $app->db->queryAllRecords($sql, $client['client_id']); + $clients = $app->functions->htmlentities($clients); $tmp = $app->db->queryOneRecord("SELECT groupid FROM sys_group WHERE client_id = ?", $client['client_id']); $client_select = ''; //$tmp_data_record = $app->tform->getDataRecord($this->id); diff --git a/interface/web/mailuser/form/mail_user_autoresponder.tform.php b/interface/web/mailuser/form/mail_user_autoresponder.tform.php index 44ce15cd5c..e642534c13 100644 --- a/interface/web/mailuser/form/mail_user_autoresponder.tform.php +++ b/interface/web/mailuser/form/mail_user_autoresponder.tform.php 
@@ -62,6 +62,12 @@ $form["tabs"]['autoresponder'] = array ( 'autoresponder_subject' => array ( 'datatype' => 'VARCHAR', 'formtype' => 'TEXT', + 'filters' => array( + 0 => array( 'event' => 'SAVE', + 'type' => 'STRIPTAGS'), + 1 => array( 'event' => 'SAVE', + 'type' => 'STRIPNL') + ), 'default' => 'Out of office reply', 'value' => '', 'width' => '30', @@ -70,6 +76,10 @@ $form["tabs"]['autoresponder'] = array ( 'autoresponder_text' => array ( 'datatype' => 'TEXT', 'formtype' => 'TEXTAREA', + 'filters' => array( + 0 => array( 'event' => 'SAVE', + 'type' => 'STRIPTAGS') + ), 'default' => '', 'value' => '', 'cols' => '30', diff --git a/interface/web/sites/database_user_edit.php b/interface/web/sites/database_user_edit.php index 5224cc50a8..e7bfa611a9 100644 --- a/interface/web/sites/database_user_edit.php +++ b/interface/web/sites/database_user_edit.php @@ -87,6 +87,7 @@ class page_action extends tform_actions { // Fill the client select field $sql = "SELECT sys_group.groupid, sys_group.name, CONCAT(IF(client.company_name != '', CONCAT(client.company_name, ' :: '), ''), client.contact_name, ' (', client.username, IF(client.customer_no != '', CONCAT(', ', client.customer_no), ''), ')') as contactname FROM sys_group, client WHERE sys_group.client_id = client.client_id AND client.parent_client_id = ? ORDER BY client.company_name, client.contact_name, sys_group.name"; $records = $app->db->queryAllRecords($sql, $client['client_id']); + $records = $app->functions->htmlentities($records); $tmp = $app->db->queryOneRecord("SELECT groupid FROM sys_group WHERE client_id = ?", $client['client_id']); $client_select = ''; //$tmp_data_record = $app->tform->getDataRecord($this->id); 
@@ -101,6 +102,7 @@ class page_action extends tform_actions { // Fill the client select field $sql = "SELECT sys_group.groupid, sys_group.name, CONCAT(IF(client.company_name != '', CONCAT(client.company_name, ' :: '), ''), client.contact_name, ' (', client.username, IF(client.customer_no != '', CONCAT(', ', client.customer_no), ''), ')') as contactname FROM sys_group, client WHERE sys_group.client_id = client.client_id AND sys_group.client_id > 0 ORDER BY client.company_name, client.contact_name, sys_group.name"; $clients = $app->db->queryAllRecords($sql); + $clients = $app->functions->htmlentities($clients); $client_select = ""; //$tmp_data_record = $app->tform->getDataRecord($this->id); if(is_array($clients)) { diff --git a/interface/web/sites/form/web_vhost_domain.tform.php b/interface/web/sites/form/web_vhost_domain.tform.php index 4b709eeda4..071efbb9a9 100644 --- a/interface/web/sites/form/web_vhost_domain.tform.php +++ b/interface/web/sites/form/web_vhost_domain.tform.php @@ -520,6 +520,12 @@ if($ssl_available) { 'ssl_domain' => array ( 'datatype' => 'VARCHAR', 'formtype' => 'TEXT', + 'filters' => array( + 0 => array( 'event' => 'SAVE', + 'type' => 'STRIPTAGS'), + 1 => array( 'event' => 'SAVE', + 'type' => 'STRIPNL') + ), 'default' => '', 'value' => '', 'width' => '30', @@ -528,6 +534,10 @@ if($ssl_available) { 'ssl_key' => array ( 'datatype' => 'TEXT', 'formtype' => 'TEXTAREA', + 'filters' => array( + 0 => array( 'event' => 'SAVE', + 'type' => 'STRIPTAGS') + ), 'default' => '', 'value' => '', 'cols' => '30', @@ -536,6 +546,10 @@ if($ssl_available) { 'ssl_request' => array ( 'datatype' => 'TEXT', 'formtype' => 'TEXTAREA', + 'filters' => array( + 0 => array( 'event' => 'SAVE', + 'type' => 'STRIPTAGS') + ), 'default' => '', 'value' => '', 'cols' => '30', 
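Review bot: STRIPTAGS on `ssl_key` and `ssl_request` (and the other PEM textareas in web_vhost_domain.tform.php) is a no-op for well-formed PEM, which contains no `<`, but for malformed input strip_tags silently drops everything from a stray `<` to the next `>` or to end of string, so a mangled key or CSR is saved instead of rejected. Because this material is written into the web server's TLS configuration, the useful check is structural: a validator that runs `openssl_pkey_get_private()` / `openssl_x509_read()` on the value and fails with an error message, with the filters left in as defence in depth. If the server plugin already validates the PEM before writing it (not visible in this diff), a comment such as `// PEM validated in the server plugin; STRIPTAGS is defence in depth only` would make that explicit.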
@@ -544,6 +558,10 @@ if($ssl_available) { 'ssl_cert' => array ( 'datatype' => 'TEXT', 'formtype' => 'TEXTAREA', + 'filters' => array( + 0 => array( 'event' => 'SAVE', + 'type' => 'STRIPTAGS') + ), 'default' => '', 'value' => '', 'cols' => '30', @@ -552,6 +570,10 @@ if($ssl_available) { 'ssl_bundle' => array ( 'datatype' => 'TEXT', 'formtype' => 'TEXTAREA', + 'filters' => array( + 0 => array( 'event' => 'SAVE', + 'type' => 'STRIPTAGS') + ), 'default' => '', 'value' => '', 'cols' => '30', diff --git a/interface/web/sites/form/webdav_user.tform.php b/interface/web/sites/form/webdav_user.tform.php index a1bfd3056d..8d5c0c561f 100644 --- a/interface/web/sites/form/webdav_user.tform.php +++ b/interface/web/sites/form/webdav_user.tform.php @@ -130,6 +130,12 @@ $form["tabs"]['webdav'] = array ( 'validators' => array ( 0 => array ( 'type' => 'NOTEMPTY', 'errmsg'=> 'directory_error_empty'), ), + 'filters' => array( + 0 => array( 'event' => 'SAVE', + 'type' => 'STRIPTAGS'), + 1 => array( 'event' => 'SAVE', + 'type' => 'STRIPNL') + ), 'default' => '', 'value' => '', 'width' => '30', diff --git a/interface/web/sites/web_vhost_domain_edit.php b/interface/web/sites/web_vhost_domain_edit.php index 82cf226a37..023f8db0c5 100644 --- a/interface/web/sites/web_vhost_domain_edit.php +++ b/interface/web/sites/web_vhost_domain_edit.php 
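Review bot: The directory field in webdav_user.tform.php (its key line is just above the hunk; the `directory_error_empty` validator identifies it) only gains STRIPTAGS/STRIPNL, which does not stop `..`, a leading `/` or shell metacharacters — none of those involve a tag or a newline. If the value becomes a path under the site's document root on the server, a validator such as `1 => array('type' => 'REGEX', 'regex' => '/^[a-zA-Z0-9._\-\/]+$/', 'errmsg' => 'directory_error_regex')` together with an explicit rejection of `..` is what prevents traversal; if that check already lives in the edit script or server plugin, a comment here saying so would save the next reader the search.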
@@ -290,6 +290,7 @@ class page_action extends tform_actions { } elseif($this->_vhostdomain_type == 'aliasdomain') { $client = $app->db->queryOneRecord("SELECT client.client_id, client.limit_web_aliasdomain, client.web_servers, client.default_webserver, client.contact_name, CONCAT(IF(client.company_name != '', CONCAT(client.company_name, ' :: '), ''), client.contact_name, ' (', client.username, IF(client.customer_no != '', CONCAT(', ', client.customer_no), ''), ')') as contactname, sys_group.name, client." . implode(", client.", $read_limits) . " FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = ?", $client_group_id); } + $client = $app->functions->htmlentities($client); $client['web_servers_ids'] = explode(',', $client['web_servers']); $only_one_server = count($client['web_servers_ids']) === 1; @@ -326,6 +327,7 @@ class page_action extends tform_actions { // Fill the client select field $sql = "SELECT sys_group.groupid, sys_group.name, CONCAT(IF(client.company_name != '', CONCAT(client.company_name, ' :: '), ''), client.contact_name, ' (', client.username, IF(client.customer_no != '', CONCAT(', ', client.customer_no), ''), ')') as contactname FROM sys_group, client WHERE sys_group.client_id = client.client_id AND client.parent_client_id = ? ORDER BY client.company_name, client.contact_name, sys_group.name"; $records = $app->db->queryAllRecords($sql, $client['client_id']); + $records = $app->functions->htmlentities($records); $tmp = $app->db->queryOneRecord("SELECT groupid FROM sys_group WHERE client_id = ?", $client['client_id']); $client_select = ''; //$tmp_data_record = $app->tform->getDataRecord($this->id); 
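Review bot: `$client = $app->functions->htmlentities($client);` sits after the `if/elseif` chain that selects the query (the chain begins outside the hunk), and from this point `$client` drives logic, not just display: `web_servers` is exploded into ids and the `$read_limits` columns are read as limits. Encoding every column is harmless while those values are numeric, but it makes the record unsafe to compare against raw database strings later (e.g. `sys_group.name`), and any branch of the chain that leaves `$client` unset now passes `null` into the helper. Restricting the encoding to the rendered field, `$client['contactname'] = $app->functions->htmlentities($client['contactname']);`, keeps the limit logic on raw values.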
@@ -585,6 +587,7 @@ class page_action extends tform_actions { // Fill the client select field $sql = "SELECT sys_group.groupid, sys_group.name, CONCAT(IF(client.company_name != '', CONCAT(client.company_name, ' :: '), ''), client.contact_name, ' (', client.username, IF(client.customer_no != '', CONCAT(', ', client.customer_no), ''), ')') as contactname FROM sys_group, client WHERE sys_group.client_id = client.client_id AND sys_group.client_id > 0 ORDER BY client.company_name, client.contact_name, sys_group.name"; $clients = $app->db->queryAllRecords($sql); + $clients = $app->functions->htmlentities($clients); $client_select = ""; //$tmp_data_record = $app->tform->getDataRecord($this->id); if(is_array($clients)) { diff --git a/interface/web/vm/form/openvz_ostemplate.tform.php b/interface/web/vm/form/openvz_ostemplate.tform.php index 07eeafef0f..a28bbc6ade 100644 --- a/interface/web/vm/form/openvz_ostemplate.tform.php +++ b/interface/web/vm/form/openvz_ostemplate.tform.php @@ -69,6 +69,12 @@ $form["tabs"]['main'] = array ( 'validators' => array ( 0 => array ( 'type' => 'NOTEMPTY', 'errmsg'=> 'template_name_error_empty'), ), + 'filters' => array( + 0 => array( 'event' => 'SAVE', + 'type' => 'STRIPTAGS'), + 1 => array( 'event' => 'SAVE', + 'type' => 'STRIPNL') + ), 'default' => '', 'value' => '', 'width' => '30', @@ -81,6 +87,12 @@ $form["tabs"]['main'] = array ( 'validators' => array ( 0 => array ( 'type' => 'NOTEMPTY', 'errmsg'=> 'template_file_error_empty'), ), + 'filters' => array( + 0 => array( 'event' => 'SAVE', + 'type' => 'STRIPTAGS'), + 1 => array( 'event' => 'SAVE', + 'type' => 'STRIPNL') + ), 'default' => '', 'value' => '', 'width' => '30', @@ -113,6 +125,10 @@ $form["tabs"]['main'] = array ( 'description' => array ( 'datatype' => 'TEXT', 'formtype' => 'TEXTAREA', + 'filters' => array( + 0 => array( 'event' => 'SAVE', + 'type' => 'STRIPTAGS') + ), 'default' => '', 'value' => '', 'separator' => '', 
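Review bot: `template_file` in openvz_ostemplate.tform.php names an OS template that the server side presumably passes to vzctl (`--ostemplate`); STRIPTAGS/STRIPNL do not reject `/`, `..`, whitespace or shell metacharacters, so the new filters do not change what can be put there. A REGEX validator restricting the value to a bare template name, e.g. `1 => array('type' => 'REGEX', 'regex' => '/^[a-zA-Z0-9._-]+$/', 'errmsg' => 'template_file_error_regex')` (message added to the lang files), would be the meaningful control, and the same applies to `template_name`. If the server plugin already escapes or validates this value (not in the diff), a comment stating so would help.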
diff --git a/interface/web/vm/form/openvz_template.tform.php b/interface/web/vm/form/openvz_template.tform.php index 8279ce085c..1a069361cb 100644 --- a/interface/web/vm/form/openvz_template.tform.php +++ b/interface/web/vm/form/openvz_template.tform.php @@ -69,6 +69,12 @@ $form["tabs"]['main'] = array ( 'validators' => array ( 0 => array ( 'type' => 'NOTEMPTY', 'errmsg'=> 'template_name_error_empty'), ), + 'filters' => array( + 0 => array( 'event' => 'SAVE', + 'type' => 'STRIPTAGS'), + 1 => array( 'event' => 'SAVE', + 'type' => 'STRIPNL') + ), 'default' => '', 'value' => '', 'width' => '30', @@ -155,6 +161,12 @@ $form["tabs"]['main'] = array ( 'hostname' => array ( 'datatype' => 'VARCHAR', 'formtype' => 'TEXT', + 'filters' => array( + 0 => array( 'event' => 'SAVE', + 'type' => 'STRIPTAGS'), + 1 => array( 'event' => 'SAVE', + 'type' => 'STRIPNL') + ), 'default' => '', 'value' => '', 'width' => '30', @@ -172,6 +184,12 @@ $form["tabs"]['main'] = array ( 'validators' => array ( 0 => array ( 'type' => 'NOTEMPTY', 'errmsg'=> 'template_nameserver_error_empty'), ), + 'filters' => array( + 0 => array( 'event' => 'SAVE', + 'type' => 'STRIPTAGS'), + 1 => array( 'event' => 'SAVE', + 'type' => 'STRIPNL') + ), 'default' => '8.8.8.8 8.8.4.4', 'value' => '', 'width' => '30', @@ -187,6 +205,10 @@ $form["tabs"]['main'] = array ( 'description' => array ( 'datatype' => 'TEXT', 'formtype' => 'TEXTAREA', + 'filters' => array( + 0 => array( 'event' => 'SAVE', + 'type' => 'STRIPTAGS') + ), 'default' => '', 'value' => '', 'separator' => '', diff --git a/interface/web/vm/form/openvz_vm.tform.php b/interface/web/vm/form/openvz_vm.tform.php index 44f20dc6ec..fe61e27c45 100644 --- a/interface/web/vm/form/openvz_vm.tform.php +++ b/interface/web/vm/form/openvz_vm.tform.php 
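Review bot: The `nameserver` field in openvz_template.tform.php (default `8.8.8.8 8.8.4.4`) is a whitespace-separated list of IP addresses, and tag/newline stripping does not validate that; any non-IP string is still accepted and will presumably end up in the container's resolver configuration. A validator that splits on whitespace and checks each entry with `filter_var($ip, FILTER_VALIDATE_IP)` — or tform's own IP validator if it handles lists — is the check that matches the field's meaning. The `hostname` field in the same hunk likewise gets no syntax check beyond the two filters; `<` and newlines are not valid hostname characters anyway, so a hostname validator would subsume both.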
@@ -122,7 +122,11 @@ $form["tabs"]['main'] = array ( 1 => array( 'event' => 'SHOW', 'type' => 'IDNTOUTF8'), 2 => array( 'event' => 'SAVE', - 'type' => 'TOLOWER') + 'type' => 'TOLOWER'), + 3 => array( 'event' => 'SAVE', + 'type' => 'STRIPTAGS'), + 4 => array( 'event' => 'SAVE', + 'type' => 'STRIPNL') ), 'validators' => array ( 0 => array ( 'type' => 'NOTEMPTY', 'errmsg'=> 'hostname_error_empty'), @@ -178,6 +182,10 @@ $form["tabs"]['main'] = array ( 'description' => array ( 'datatype' => 'TEXT', 'formtype' => 'TEXTAREA', + 'filters' => array( + 0 => array( 'event' => 'SAVE', + 'type' => 'STRIPTAGS') + ), 'default' => '', 'value' => '', 'separator' => '', diff --git a/interface/web/vm/openvz_vm_edit.php b/interface/web/vm/openvz_vm_edit.php index 69265885cd..2a5b12f3d7 100644 --- a/interface/web/vm/openvz_vm_edit.php +++ b/interface/web/vm/openvz_vm_edit.php 
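Review bot: In openvz_vm.tform.php the hostname SAVE filters now run IDNTOASCII → TOLOWER → STRIPTAGS → STRIPNL; if tform applies them in array order, idn_to_ascii and strtolower process the raw submission and the stripping happens only afterwards. Reordering so STRIPTAGS and STRIPNL are indices 0 and 1 (IDNTOASCII, IDNTOUTF8, TOLOWER shifted to 2–4) makes every later filter operate on sanitised input. A NOTEMPTY validator is visible for the field; a hostname syntax validator, if tform provides one, would do more than either filter since `<` and line breaks are not valid in a hostname to begin with.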
@@ -97,11 +97,12 @@ class page_action extends tform_actions { //* Get the limits of the client $client_group_id = $_SESSION["s"]["user"]["default_group"]; $client = $app->db->queryOneRecord("SELECT client.client_id, client.contact_name, client.limit_openvz_vm_template_id, CONCAT(IF(client.company_name != '', CONCAT(client.company_name, ' :: '), ''), client.contact_name, ' (', client.username, IF(client.customer_no != '', CONCAT(', ', client.customer_no), ''), ')') as contactname, sys_group.name FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = ?", $client_group_id); - + $client = $app->functions->htmlentities($client); //* Fill the client select field $sql = "SELECT sys_group.groupid, sys_group.name, CONCAT(IF(client.company_name != '', CONCAT(client.company_name, ' :: '), ''), client.contact_name, ' (', client.username, IF(client.customer_no != '', CONCAT(', ', client.customer_no), ''), ')') as contactname FROM sys_group, client WHERE sys_group.client_id = client.client_id AND client.parent_client_id = ? ORDER BY client.company_name, client.contact_name, sys_group.name"; $records = $app->db->queryAllRecords($sql, $client['client_id']); + $records = $app->functions->htmlentities($records); $tmp = $app->db->queryOneRecord("SELECT groupid FROM sys_group WHERE client_id = ?", $client['client_id']); $client_select = ''; //$tmp_data_record = $app->tform->getDataRecord($this->id); 
@@ -134,6 +135,7 @@ class page_action extends tform_actions { //* Fill the client select field $sql = "SELECT sys_group.groupid, sys_group.name, CONCAT(IF(client.company_name != '', CONCAT(client.company_name, ' :: '), ''), client.contact_name, ' (', client.username, IF(client.customer_no != '', CONCAT(', ', client.customer_no), ''), ')') as contactname FROM sys_group, client WHERE sys_group.client_id = client.client_id AND sys_group.client_id > 0 ORDER BY client.company_name, client.contact_name, sys_group.name"; $clients = $app->db->queryAllRecords($sql); + $clients = $app->functions->htmlentities($clients); $client_select = ""; //$tmp_data_record = $app->tform->getDataRecord($this->id); if(is_array($clients)) { -- GitLab