mirror of
https://github.com/Mibew/mibew.git
synced 2025-02-24 15:24:33 +03:00
Fix multiple XSS (thanks to adsec2s)
This commit is contained in:
parent
fb35d4fff9
commit
84f5bca0a9
@ -697,7 +697,7 @@ function chat_start_for_user(
|
||||
Thread::KIND_FOR_AGENT,
|
||||
getlocal(
|
||||
'Visitor accepted invitation from operator {0}',
|
||||
array($operator_name),
|
||||
array(safe_htmlspecialchars($operator_name)),
|
||||
get_current_locale(),
|
||||
true
|
||||
)
|
||||
@ -706,7 +706,7 @@ function chat_start_for_user(
|
||||
if ($referrer) {
|
||||
$thread->postMessage(
|
||||
Thread::KIND_FOR_AGENT,
|
||||
getlocal('Visitor came from page {0}', array($referrer), get_current_locale(), true)
|
||||
getlocal('Visitor came from page {0}', array(safe_htmlspecialchars($referrer)), get_current_locale(), true)
|
||||
);
|
||||
}
|
||||
if ($requested_operator && !$requested_operator_online) {
|
||||
@ -714,7 +714,7 @@ function chat_start_for_user(
|
||||
Thread::KIND_INFO,
|
||||
getlocal(
|
||||
'Thank you for contacting us. We are sorry, but requested operator <strong>{0}</strong> is offline. Another operator will be with you shortly.',
|
||||
array(get_operator_name($requested_operator)),
|
||||
array(safe_htmlspecialchars(get_operator_name($requested_operator))),
|
||||
get_current_locale(),
|
||||
true
|
||||
)
|
||||
@ -731,7 +731,7 @@ function chat_start_for_user(
|
||||
if ($info) {
|
||||
$thread->postMessage(
|
||||
Thread::KIND_FOR_AGENT,
|
||||
getlocal('Info: {0}', array($info), get_current_locale(), true)
|
||||
getlocal('Info: {0}', array(safe_htmlspecialchars($info)), get_current_locale(), true)
|
||||
);
|
||||
}
|
||||
|
||||
|
||||
@ -50,7 +50,7 @@ class ButtonController extends AbstractController
|
||||
if ($thread && $thread->state != Thread::STATE_CLOSED) {
|
||||
$msg = getlocal(
|
||||
"Visitor navigated to {0}",
|
||||
array($referer),
|
||||
array(safe_htmlspecialchars($referer)),
|
||||
$thread->locale,
|
||||
true
|
||||
);
|
||||
|
||||
@ -181,7 +181,7 @@ class RedirectController extends AbstractController
|
||||
Thread::KIND_EVENTS,
|
||||
getlocal(
|
||||
'Operator {0} redirected you to another operator. Please wait a while.',
|
||||
array(get_operator_name($this->getOperator())),
|
||||
array(safe_htmlspecialchars(get_operator_name($this->getOperator()))),
|
||||
$thread->locale,
|
||||
true
|
||||
)
|
||||
@ -235,7 +235,7 @@ class RedirectController extends AbstractController
|
||||
Thread::KIND_EVENTS,
|
||||
getlocal(
|
||||
'Operator {0} redirected you to another operator. Please wait a while.',
|
||||
array(get_operator_name($this->getOperator())),
|
||||
array(safe_htmlspecialchars(get_operator_name($this->getOperator()))),
|
||||
$thread->locale,
|
||||
true
|
||||
)
|
||||
|
||||
@ -671,7 +671,7 @@ class ThreadProcessor extends ClientSideProcessor implements
|
||||
if ($email) {
|
||||
$thread->postMessage(
|
||||
Thread::KIND_FOR_AGENT,
|
||||
getlocal('E-Mail: {0}', array($email), get_current_locale(), true)
|
||||
getlocal('E-Mail: {0}', array(safe_htmlspecialchars($email)), get_current_locale(), true)
|
||||
);
|
||||
}
|
||||
|
||||
@ -790,19 +790,19 @@ class ThreadProcessor extends ClientSideProcessor implements
|
||||
if ($referrer) {
|
||||
$thread->postMessage(
|
||||
Thread::KIND_FOR_AGENT,
|
||||
getlocal('Visitor came from page {0}', array($referrer), get_current_locale(), true)
|
||||
getlocal('Visitor came from page {0}', array(safe_htmlspecialchars($referrer)), get_current_locale(), true)
|
||||
);
|
||||
}
|
||||
if ($email) {
|
||||
$thread->postMessage(
|
||||
Thread::KIND_FOR_AGENT,
|
||||
getlocal('E-Mail: {0}', array($email), get_current_locale(), true)
|
||||
getlocal('E-Mail: {0}', array(safe_htmlspecialchars($email)), get_current_locale(), true)
|
||||
);
|
||||
}
|
||||
if ($info) {
|
||||
$thread->postMessage(
|
||||
Thread::KIND_FOR_AGENT,
|
||||
getlocal('Info: {0}', array($info), get_current_locale(), true)
|
||||
getlocal('Info: {0}', array(safe_htmlspecialchars($info)), get_current_locale(), true)
|
||||
);
|
||||
}
|
||||
$thread->postMessage(Thread::KIND_USER, $message, array('name' => $name));
|
||||
|
||||
@ -758,14 +758,14 @@ class Thread
|
||||
if ($this->nextAgent == $operator['operatorid']) {
|
||||
$message_to_post = getlocal(
|
||||
"Operator <strong>{0}</strong> changed operator <strong>{1}</strong>",
|
||||
array($operator_name, $this->agentName),
|
||||
array(safe_htmlspecialchars($operator_name), safe_htmlspecialchars($this->agentName)),
|
||||
$this->locale,
|
||||
true
|
||||
);
|
||||
} else {
|
||||
$message_to_post = getlocal(
|
||||
"Operator {0} is back",
|
||||
array($operator_name),
|
||||
array(safe_htmlspecialchars($operator_name)),
|
||||
$this->locale,
|
||||
true
|
||||
);
|
||||
@ -926,7 +926,7 @@ class Thread
|
||||
self::KIND_EVENTS,
|
||||
getlocal(
|
||||
"Visitor {0} left the chat",
|
||||
array($this->userName),
|
||||
array(safe_htmlspecialchars($this->userName)),
|
||||
$this->locale,
|
||||
true
|
||||
)
|
||||
@ -947,7 +947,7 @@ class Thread
|
||||
self::KIND_EVENTS,
|
||||
getlocal(
|
||||
"Operator {0} left the chat",
|
||||
array($this->agentName),
|
||||
array(safe_htmlspecialchars($this->agentName)),
|
||||
$this->locale,
|
||||
true
|
||||
)
|
||||
@ -1025,21 +1025,21 @@ class Thread
|
||||
if ($is_operator_changed) {
|
||||
$message = getlocal(
|
||||
"Operator <strong>{0}</strong> changed operator <strong>{1}</strong>",
|
||||
array($operator_name, $this->agentName),
|
||||
array(safe_htmlspecialchars($operator_name), safe_htmlspecialchars($this->agentName)),
|
||||
$this->locale,
|
||||
true
|
||||
);
|
||||
} elseif ($is_operator_joined) {
|
||||
$message = getlocal(
|
||||
"Operator {0} joined the chat",
|
||||
array($operator_name),
|
||||
array(safe_htmlspecialchars($operator_name)),
|
||||
$this->locale,
|
||||
true
|
||||
);
|
||||
} elseif ($is_operator_back) {
|
||||
$message = getlocal(
|
||||
"Operator {0} is back",
|
||||
array($operator_name),
|
||||
array(safe_htmlspecialchars($operator_name)),
|
||||
$this->locale,
|
||||
true
|
||||
);
|
||||
@ -1083,7 +1083,7 @@ class Thread
|
||||
// Send message about renaming
|
||||
$message = getlocal(
|
||||
"The visitor changed their name <strong>{0}</strong> to <strong>{1}</strong>",
|
||||
array($old_name, $new_name),
|
||||
array(safe_htmlspecialchars($old_name), safe_htmlspecialchars($new_name)),
|
||||
$this->locale,
|
||||
true
|
||||
);
|
||||
|
||||
@ -125,7 +125,7 @@ function invitation_invite($visitor_id, $operator)
|
||||
Thread::KIND_FOR_AGENT,
|
||||
getlocal(
|
||||
'Operator {0} invites visitor at {1} page',
|
||||
array($operator_name, $last_visited_page),
|
||||
array(safe_htmlspecialchars($operator_name), safe_htmlspecialchars($last_visited_page)),
|
||||
get_current_locale(),
|
||||
true
|
||||
)
|
||||
|
||||
Loading…
Reference in New Issue
Block a user