Commit 3aecfb44 authored by Kenneth Hall's avatar Kenneth Hall

Merge branch 'issue#3812' into 'develop'

Fix XSS vulnerability

Closes #3812

See merge request ninja-forms/ninja-forms!3720
parents c5624a6d e1620360
......@@ -74,8 +74,8 @@ final class NF_Admin_Menus_Submissions extends NF_Abstracts_Submenu
unset( $views[ 'mine' ] );
unset( $views[ 'publish' ] );
// If the Form ID is not empty...
if( ! empty( $_GET[ 'form_id' ] ) ) {
// If the Form ID is not empty and IS a number...
if( ! empty( $_GET[ 'form_id' ] ) && ctype_digit( $_GET[ 'form_id' ] ) ) {
// ...populate the rest of the query string.
$form_id = '&form_id=' . $_GET[ 'form_id' ] . '&nf_form_filter&paged=1';
} else {
......@@ -140,7 +140,8 @@ final class NF_Admin_Menus_Submissions extends NF_Abstracts_Submenu
*/
public function change_columns()
{
$form_id = ( isset( $_GET['form_id'] ) ) ? $_GET['form_id'] : FALSE;
// if the form_id isset and ID a number
$form_id = ( isset( $_GET['form_id'] ) && ctype_digit( $_GET[ 'form_id' ] ) ) ? $_GET['form_id'] : FALSE;
if( ! $form_id ) return array();
......@@ -237,20 +238,36 @@ final class NF_Admin_Menus_Submissions extends NF_Abstracts_Submenu
$form_options = apply_filters( 'ninja_forms_submission_filter_form_options', $form_options );
asort($form_options);
if( isset( $_GET[ 'form_id' ] ) ) {
// make sure form_id isset and is a number
if( isset( $_GET[ 'form_id' ] ) && ctype_digit( $_GET[ 'form_id' ] ) ) {
$form_selected = $_GET[ 'form_id' ];
} else {
$form_selected = 0;
}
if( isset( $_GET[ 'begin_date' ] ) ) {
$begin_date = $_GET[ 'begin_date' ];
// check for bad characters(possible xss vulnerability)
$beg_date_sep = preg_replace('/[0-9]+/', '', $_GET[ 'begin_date' ]);
if ( 1 !== count( array_unique( str_split( $beg_date_sep ) ) ) ) {// We got bad data.
$begin_date = '';
} else {
$begin_date = $_GET[ 'begin_date' ];
}
} else {
$begin_date = '';
}
if( isset( $_GET[ 'end_date' ] ) ) {
$end_date = $_GET[ 'end_date' ];
// check for bad characters(possible xss vulnerability)
$end_date_sep = preg_replace('/[0-9]+/', '', $_GET[ 'end_date' ]);
if ( 1 !== count( array_unique( str_split( $end_date_sep ) ) ) ) {// We got bad data.
$end_date = '';
} else {
$end_date = $_GET[ 'end_date' ];
}
} else {
$end_date = '';
}
......@@ -269,7 +286,8 @@ final class NF_Admin_Menus_Submissions extends NF_Abstracts_Submenu
$vars = &$query->query_vars;
$form_id = ( ! empty( $_GET['form_id'] ) ) ? $_GET['form_id'] : 0;
// make sure form_id is not empty and is a number
$form_id = ( ! empty( $_GET['form_id'] ) && ctype_digit( $_GET[ 'form_id' ] ) ) ? $_GET['form_id'] : 0;
$vars = $this->table_filter_by_form( $vars, $form_id );
......@@ -381,7 +399,7 @@ final class NF_Admin_Menus_Submissions extends NF_Abstracts_Submenu
$sub_ids = WPN_Helper::esc_html($_REQUEST['post']);
}
Ninja_Forms()->form( $_REQUEST['form_id'] )->export_subs( $sub_ids );
Ninja_Forms()->form( absint( $_REQUEST['form_id'] ) )->export_subs( $sub_ids );
}
if (isset ($_REQUEST['download_file']) && !empty($_REQUEST['download_file'])) {
......@@ -502,7 +520,7 @@ final class NF_Admin_Menus_Submissions extends NF_Abstracts_Submenu
// Include submissions on the end_date.
$end_date = date( 'm/d/Y', strtotime( '+1 day', strtotime( $end_date ) ) );
if ( ! isset ( $vars['date_query'] ) ) {
$vars['date_query'] = array(
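Review bot: The begin_date/end_date check added at `$beg_date_sep` and `$end_date_sep` is not a format check: it only requires that every non-digit character in the value be the same character, so any string of digits joined by one repeated arbitrary character is accepted, and `str_split('')` (an all-digit value) yields a one-element array before PHP 8.2 but an empty array from 8.2 on, flipping the outcome between versions. Since the hunk at `@@ -502` formats the date back as `m/d/Y`, I'd validate against that exact format with a `DateTime::createFromFormat` round-trip in one private helper used for both dates, which also removes the duplicated block and handles a non-string (array) query value that `str_split` does not accept. Wherever the two values are presumably echoed into the filter form (outside this hunk) they should still pass through `esc_attr()`, because this validation is the only barrier and the rendering is not visible here.
```php
asort($form_options);
// … unchanged: $form_selected handling …
$begin_date = $this->sanitize_filter_date( isset( $_GET[ 'begin_date' ] ) ? $_GET[ 'begin_date' ] : '' );
$end_date   = $this->sanitize_filter_date( isset( $_GET[ 'end_date' ] ) ? $_GET[ 'end_date' ] : '' );
// … unchanged: rest of the method …

/**
 * Return $value only if it is exactly an m/d/Y date string; anything else
 * (wrong format, out-of-range day, non-string query value) becomes ''.
 */
private function sanitize_filter_date( $value )
{
    if ( ! is_string( $value ) ) {
        return '';
    }
    // '!' resets unspecified fields so the round-trip below compares cleanly.
    $date = \DateTime::createFromFormat( '!m/d/Y', $value );
    // Round-trip rejects overflowed values that createFromFormat still parses.
    return ( $date && $date->format( 'm/d/Y' ) === $value ) ? $value : '';
}
```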
......