Loading data_custom/get_member_tooltip.php +4 −1 Original line number Diff line number Diff line Loading @@ -43,11 +43,14 @@ require_code('cns_members2'); $member_id = $GLOBALS['FORUM_DRIVER']->get_member_from_username(get_param_string('member', '')); require_code('xml'); header('Content-Type: text/xml'); header("Content-Security-Policy: default-src 'none'"); // Don't allow special execution via a vector of namespace-injected HTML echo '<' . '?xml version="1.0" encoding="' . get_charset() . '"?' . '>'; echo '<request><result>'; echo '<![CDATA['; $box = render_member_box($member_id, false, null, null, true, null, false); $box->evaluate_echo(); // '' will be returned if member ID is invalid. echo escape_cdata($box->evaluate()); // '' will be returned if member ID is invalid. echo ']]>'; echo '</result></request>'; sources/ajax.php +13 −6 Original line number Diff line number Diff line Loading @@ -60,6 +60,7 @@ function crossdomain_script() require_code('xml'); header('Content-Type: text/xml'); header("Content-Security-Policy: default-src 'none'"); // Don't allow special execution via a vector of namespace-injected HTML echo '<' . '?xml version="1.0"?' . '> <!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd"> Loading Loading @@ -141,7 +142,10 @@ function namelike_script() safe_ini_set('ocproducts.xss_detect', '0'); require_code('xml'); header('Content-Type: text/xml'); header("Content-Security-Policy: default-src 'none'"); // Don't allow special execution via a vector of namespace-injected HTML echo '<?xml version="1.0" encoding="' . get_charset() . '"?' . '>'; echo '<request><result>'; Loading Loading @@ -178,7 +182,7 @@ function namelike_script() } foreach ($names as $name) { echo '<option value="' . escape_html($name) . '" displayname="" />'; echo '<option value="' . xmlentities($name) . '" displayname="" />'; } } elseif ($special == 'search') { if (addon_installed('search')) { Loading 
@@ -189,7 +193,7 @@ function namelike_script() } foreach ($names as $name) { echo '<option value="' . escape_html($name) . '" displayname="" />'; echo '<option value="' . xmlentities($name) . '" displayname="" />'; } } else { if ((strlen($id) == 0) && (addon_installed('chat'))) { Loading @@ -203,7 +207,7 @@ function namelike_script() } foreach ($names as $name) { echo '<option value="' . escape_html($name) . '" displayname="" />'; echo '<option value="' . xmlentities($name) . '" displayname="" />'; } } else { $names = array(); Loading @@ -214,7 +218,7 @@ function namelike_script() $names = collapse_1d_complexity('author', $rows); foreach ($names as $name) { echo '<option value="' . escape_html($name) . '" displayname="" />'; echo '<option value="' . xmlentities($name) . '" displayname="" />'; } } else { if ((!addon_installed('authors')) || ($special != 'author') || ($GLOBALS['FORUM_DRIVER']->get_members() < 5000)) { Loading @@ -231,7 +235,7 @@ function namelike_script() } foreach ($names as $member_id => $name) { echo '<option value="' . escape_html($name) . '" displayname="' . escape_html($GLOBALS['FORUM_DRIVER']->get_username($member_id, true)) . '" />'; echo '<option value="' . xmlentities($name) . '" displayname="' . xmlentities($GLOBALS['FORUM_DRIVER']->get_username($member_id, true)) . '" />'; } } } Loading Loading @@ -325,7 +329,8 @@ function retrieve_autosave() { prepare_for_known_ajax_response(); header('Content-type: text/xml; charset=' . get_charset()); header('Content-Type: text/xml; charset=' . get_charset()); header("Content-Security-Policy: default-src 'none'"); // Don't allow special execution via a vector of namespace-injected HTML $member_id = get_member(); $stem = either_param_string('stem'); Loading 
@@ -333,6 +338,7 @@ function retrieve_autosave() require_code('xml'); header('Content-Type: text/xml'); header("Content-Security-Policy: default-src 'none'"); // Don't allow special execution via a vector of namespace-injected HTML echo '<?xml version="1.0" encoding="' . get_charset() . '"?' . '>'; echo '<request><result>' . "\n"; Loading Loading @@ -484,6 +490,7 @@ function ajax_tree_script() require_code('xml'); header('Content-Type: text/xml'); header("Content-Security-Policy: default-src 'none'"); // Don't allow special execution via a vector of namespace-injected HTML $hook = filter_naughty_harsh(get_param_string('hook')); require_code('hooks/systems/ajax_tree/' . $hook, true); $object = object_factory('Hook_' . $hook, true); Loading sources/comcode_tools.php +1 −0 Original line number Diff line number Diff line Loading @@ -185,6 +185,7 @@ function comcode_convert_script() } header('Content-Type: text/xml'); header("Content-Security-Policy: default-src 'none'"); // Don't allow special execution via a vector of namespace-injected HTML echo '<?xml version="1.0" encoding="' . get_charset() . '"?' . '>'; echo '<request><result>'; echo xmlentities($out); Loading sources/commandr.php +4 −2 Original line number Diff line number Diff line Loading @@ -141,7 +141,8 @@ function commandr_script() } @header('HTTP/1.0 200 Ok'); @header('Content-type: text/xml; charset=' . get_charset()); @header('Content-Type: text/xml; charset=' . get_charset()); header("Content-Security-Policy: default-src 'none'"); // Don't allow special execution via a vector of namespace-injected HTML $output = '<' . '?xml version="1.0" encoding="' . get_charset() . '" ?' . '> <response> <result> Loading Loading 
@@ -278,6 +279,7 @@ class Virtual_shell } header('Content-Type: text/xml'); header("Content-Security-Policy: default-src 'none'"); // Don't allow special execution via a vector of namespace-injected HTML header('HTTP/1.0 200 Ok'); if (is_object($this->output[STREAM_STDCOMMAND])) { Loading Loading @@ -1431,7 +1433,7 @@ function get_queued_messages($xml = true) if (is_object($object_values[2])) { $object_values[2] = $object_values[2]->evaluate(); } $output .= '<notification section="' . escape_html($object_values[0]) . '" type="' . escape_html($object_values[1]) . '">' . $object_values[2] . '</notification>'; $output .= '<notification section="' . xmlentities($object_values[0]) . '" type="' . xmlentities($object_values[1]) . '">' . $object_values[2] . '</notification>'; } else { $output->attach(do_template('COMMANDR_NOTIFICATION', array('_GUID' => '0254d84dfbb2ce7b7410bdc0c2989833', 'SECTION' => $object_values[0], 'TYPE' => $object_values[1], 'NOTIFICATION_CONTENT' => $object_values[2]))); } Loading sources/database_search.php +1 −0 Original line number Diff line number Diff line Loading @@ -835,6 +835,7 @@ function opensearch_script() default: //header('Content-Type: application/opensearchdescription+xml'); header('Content-Type: text/xml'); header("Content-Security-Policy: default-src 'none'"); // Don't allow special execution via a vector of namespace-injected HTML $tpl = do_template('OPENSEARCH', array('_GUID' => '1fe46743805ade5958dcba0d58c4b0f2', 'DESCRIPTION' => get_option('description')), null, false, null, '.xml', 'xml'); $tpl->evaluate_echo(); break; Loading Loading
data_custom/get_member_tooltip.php +4 −1 Original line number Diff line number Diff line Loading @@ -43,11 +43,14 @@ require_code('cns_members2'); $member_id = $GLOBALS['FORUM_DRIVER']->get_member_from_username(get_param_string('member', '')); require_code('xml'); header('Content-Type: text/xml'); header("Content-Security-Policy: default-src 'none'"); // Don't allow special execution via a vector of namespace-injected HTML echo '<' . '?xml version="1.0" encoding="' . get_charset() . '"?' . '>'; echo '<request><result>'; echo '<![CDATA['; $box = render_member_box($member_id, false, null, null, true, null, false); $box->evaluate_echo(); // '' will be returned if member ID is invalid. echo escape_cdata($box->evaluate()); // '' will be returned if member ID is invalid. echo ']]>'; echo '</result></request>';
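Review bot: The `header("Content-Security-Policy: default-src 'none'")` line and its comment are pasted verbatim into every XML endpoint touched here (this file, plus sources/ajax.php, sources/comcode_tools.php, sources/commandr.php and sources/database_search.php), and the commit itself shows what that duplication costs: two of those sites still spelled `Content-type` and had to be corrected in the same change. A single helper that emits the content type and the CSP together — for example in the code loaded by `require_code('xml')`, which most of these endpoints already call — would keep the next XML endpoint from forgetting the header. While at it, the same helper is the natural place for `header('X-Content-Type-Options: nosniff');`, so a text/xml body is never content-sniffed as HTML by clients that ignore CSP. The new `escape_cdata($box->evaluate())` wrapping in this file is correct as far as the hunk shows; the `// '' will be returned ...` comment now describes `evaluate()` rather than the echo and still reads fine.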
sources/ajax.php +13 −6 Original line number Diff line number Diff line Loading @@ -60,6 +60,7 @@ function crossdomain_script() require_code('xml'); header('Content-Type: text/xml'); header("Content-Security-Policy: default-src 'none'"); // Don't allow special execution via a vector of namespace-injected HTML echo '<' . '?xml version="1.0"?' . '> <!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd"> Loading Loading @@ -141,7 +142,10 @@ function namelike_script() safe_ini_set('ocproducts.xss_detect', '0'); require_code('xml'); header('Content-Type: text/xml'); header("Content-Security-Policy: default-src 'none'"); // Don't allow special execution via a vector of namespace-injected HTML echo '<?xml version="1.0" encoding="' . get_charset() . '"?' . '>'; echo '<request><result>'; Loading Loading @@ -178,7 +182,7 @@ function namelike_script() } foreach ($names as $name) { echo '<option value="' . escape_html($name) . '" displayname="" />'; echo '<option value="' . xmlentities($name) . '" displayname="" />'; } } elseif ($special == 'search') { if (addon_installed('search')) { Loading @@ -189,7 +193,7 @@ function namelike_script() } foreach ($names as $name) { echo '<option value="' . escape_html($name) . '" displayname="" />'; echo '<option value="' . xmlentities($name) . '" displayname="" />'; } } else { if ((strlen($id) == 0) && (addon_installed('chat'))) { Loading @@ -203,7 +207,7 @@ function namelike_script() } foreach ($names as $name) { echo '<option value="' . escape_html($name) . '" displayname="" />'; echo '<option value="' . xmlentities($name) . '" displayname="" />'; } } else { $names = array(); Loading 
@@ -214,7 +218,7 @@ function namelike_script() $names = collapse_1d_complexity('author', $rows); foreach ($names as $name) { echo '<option value="' . escape_html($name) . '" displayname="" />'; echo '<option value="' . xmlentities($name) . '" displayname="" />'; } } else { if ((!addon_installed('authors')) || ($special != 'author') || ($GLOBALS['FORUM_DRIVER']->get_members() < 5000)) { Loading @@ -231,7 +235,7 @@ function namelike_script() } foreach ($names as $member_id => $name) { echo '<option value="' . escape_html($name) . '" displayname="' . escape_html($GLOBALS['FORUM_DRIVER']->get_username($member_id, true)) . '" />'; echo '<option value="' . xmlentities($name) . '" displayname="' . xmlentities($GLOBALS['FORUM_DRIVER']->get_username($member_id, true)) . '" />'; } } } Loading Loading @@ -325,7 +329,8 @@ function retrieve_autosave() { prepare_for_known_ajax_response(); header('Content-type: text/xml; charset=' . get_charset()); header('Content-Type: text/xml; charset=' . get_charset()); header("Content-Security-Policy: default-src 'none'"); // Don't allow special execution via a vector of namespace-injected HTML $member_id = get_member(); $stem = either_param_string('stem'); Loading @@ -333,6 +338,7 @@ function retrieve_autosave() require_code('xml'); header('Content-Type: text/xml'); header("Content-Security-Policy: default-src 'none'"); // Don't allow special execution via a vector of namespace-injected HTML echo '<?xml version="1.0" encoding="' . get_charset() . '"?' . '>'; echo '<request><result>' . "\n"; Loading Loading @@ -484,6 +490,7 @@ function ajax_tree_script() require_code('xml'); header('Content-Type: text/xml'); header("Content-Security-Policy: default-src 'none'"); // Don't allow special execution via a vector of namespace-injected HTML $hook = filter_naughty_harsh(get_param_string('hook')); require_code('hooks/systems/ajax_tree/' . $hook, true); $object = object_factory('Hook_' . $hook, true); Loading
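Review bot: In retrieve_autosave the Content-Type/CSP pair is now emitted twice, once at @@ -325 with `header('Content-Type: text/xml; charset=' . get_charset());` and again at @@ -333 with `header('Content-Type: text/xml');` — PHP's header() replaces a same-named header by default, so the second call silently drops the charset parameter the first one carried. Unless something between the two hunks ends the response (the lines in between are not shown), one of the pairs should be removed, keeping the charset-bearing one. In namelike_script the move from escape_html to xmlentities is the right escaper for attribute values in a text/xml body; since the function body extends beyond these hunks, any other `<option value="...">` lines it emits should get the same treatment.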
sources/comcode_tools.php +1 −0 Original line number Diff line number Diff line Loading @@ -185,6 +185,7 @@ function comcode_convert_script() } header('Content-Type: text/xml'); header("Content-Security-Policy: default-src 'none'"); // Don't allow special execution via a vector of namespace-injected HTML echo '<?xml version="1.0" encoding="' . get_charset() . '"?' . '>'; echo '<request><result>'; echo xmlentities($out); Loading
sources/commandr.php +4 −2 Original line number Diff line number Diff line Loading @@ -141,7 +141,8 @@ function commandr_script() } @header('HTTP/1.0 200 Ok'); @header('Content-type: text/xml; charset=' . get_charset()); @header('Content-Type: text/xml; charset=' . get_charset()); header("Content-Security-Policy: default-src 'none'"); // Don't allow special execution via a vector of namespace-injected HTML $output = '<' . '?xml version="1.0" encoding="' . get_charset() . '" ?' . '> <response> <result> Loading Loading @@ -278,6 +279,7 @@ class Virtual_shell } header('Content-Type: text/xml'); header("Content-Security-Policy: default-src 'none'"); // Don't allow special execution via a vector of namespace-injected HTML header('HTTP/1.0 200 Ok'); if (is_object($this->output[STREAM_STDCOMMAND])) { Loading Loading @@ -1431,7 +1433,7 @@ function get_queued_messages($xml = true) if (is_object($object_values[2])) { $object_values[2] = $object_values[2]->evaluate(); } $output .= '<notification section="' . escape_html($object_values[0]) . '" type="' . escape_html($object_values[1]) . '">' . $object_values[2] . '</notification>'; $output .= '<notification section="' . xmlentities($object_values[0]) . '" type="' . xmlentities($object_values[1]) . '">' . $object_values[2] . '</notification>'; } else { $output->attach(do_template('COMMANDR_NOTIFICATION', array('_GUID' => '0254d84dfbb2ce7b7410bdc0c2989833', 'SECTION' => $object_values[0], 'TYPE' => $object_values[1], 'NOTIFICATION_CONTENT' => $object_values[2]))); } Loading
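Review bot: In get_queued_messages (@@ -1431) the `section` and `type` attributes are now xmlentities-escaped, but `$object_values[2]` is still concatenated raw as the element content, and the preceding `is_object` branch shows it may be an evaluated template whose output is markup — any `<`, `&` or `]]>` in it either breaks the XML or is parsed as elements. If the client is meant to render it, wrapping it the way the tooltip change does, `'>' . '<![CDATA[' . escape_cdata($object_values[2]) . ']]>' . '</notification>'`, keeps the document well-formed; if the client expects plain text, `xmlentities($object_values[2])` is the alternative. Separately, in commandr_script (@@ -141) the neighbouring `@header(...)` calls suppress warnings while the new `header("Content-Security-Policy...")` does not, so it becomes the only line that warns once output has started; better to drop the `@` from the neighbours (or guard with `headers_sent()`) than to add another suppression.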
sources/database_search.php +1 −0 Original line number Diff line number Diff line Loading @@ -835,6 +835,7 @@ function opensearch_script() default: //header('Content-Type: application/opensearchdescription+xml'); header('Content-Type: text/xml'); header("Content-Security-Policy: default-src 'none'"); // Don't allow special execution via a vector of namespace-injected HTML $tpl = do_template('OPENSEARCH', array('_GUID' => '1fe46743805ade5958dcba0d58c4b0f2', 'DESCRIPTION' => get_option('description')), null, false, null, '.xml', 'xml'); $tpl->evaluate_echo(); break; Loading