From d86eb185dc8adea7dce6da6858252ce6ae3d0c06 Mon Sep 17 00:00:00 2001 From: bohung Date: Mon, 24 Oct 2022 16:34:14 +0800 Subject: [PATCH] Fix vulnerable. --- .../admin/application_forms_controller.rb | 11 ++++---- .../application_forms_controller.rb | 25 +++++++++++-------- .../admin/application_forms_field_helper.rb | 12 ++++++--- .../edit.html.erb | 15 +++++------ .../application_form_signups/edit.html.erb | 8 ------ ...lication_form_signup_render_table.html.erb | 21 ++++++++-------- ...ion_form_signup_session_dashboard.html.erb | 2 +- .../_get_display_fields.html.erb | 9 ++++--- .../application_forms/con_login.html.erb | 6 ++++- 9 files changed, 59 insertions(+), 50 deletions(-) diff --git a/app/controllers/admin/application_forms_controller.rb b/app/controllers/admin/application_forms_controller.rb index 15e66dc..dd89207 100644 --- a/app/controllers/admin/application_forms_controller.rb +++ b/app/controllers/admin/application_forms_controller.rb @@ -380,14 +380,15 @@ class Admin::ApplicationFormsController < OrbitAdminController @categories = @module_app.categories.enabled @filter_fields = filter_fields(@categories) @table_fields = [:category, 'application_form.title', 'application_form.event_during', 'application_form.signup_count', 'application_form.export'] - - if !params[:sort].blank? + params_sort = params[:sort].to_s + if params_sort.present? + params_order = params[:order].to_s if params[:sort] == 'event_during' - sort = {:application_form_start_date.to_sym=>params[:order]} + sort = {:application_form_start_date=>params_order} elsif params[:sort] == 'signup_during' - sort = {:application_form_start_date.to_sym=>params[:order]} + sort = {:application_form_start_date=>params_order} else - sort = {params[:sort].to_sym=>params[:order]} + sort = {params_sort=>params_order} end else sort = {:application_form_start_date=>"desc",:created_at=>"desc"} 
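Review bot: In the `else` branch, `sort = {params_sort=>params_order}` still hands a caller-supplied field name and direction straight to the ordering hash; dropping `to_sym` removes the symbol-table growth hazard but not the ability to order the admin index by any document attribute, nor a non-`asc`/`desc` direction string that the driver may not accept. Constrain both before the hash is built, e.g. `params_order = %w[asc desc].include?(params[:order].to_s.downcase) ? params[:order].to_s.downcase : "desc"` and `params_sort = SORTABLE_FIELDS.include?(params[:sort].to_s) ? params[:sort].to_s : ""`, with `SORTABLE_FIELDS` an explicit frozen list of the attributes the table is meant to sort on. The enclosing action begins above the hunk and the code that consumes `sort` follows it, so where an empty `params_sort` should fall back to the default ordering is not visible here.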
diff --git a/app/controllers/application_forms_controller.rb b/app/controllers/application_forms_controller.rb index 8477575..f681cf8 100644 --- a/app/controllers/application_forms_controller.rb +++ b/app/controllers/application_forms_controller.rb @@ -4,6 +4,7 @@ class ApplicationFormsController < ApplicationController include MemberHelper include ActionView::Context #vary important (only add this can access @@session from view) include Admin::ApplicationFormsHelper + FrontendMethods = ["show_privacy", "show_data", "check_email", "check_availability", "signup_ok", "edit_file", "con_login", "con_upload", "con_logout"] # include SimpleCaptcha::ControllerHelpers def index @@ -72,13 +73,14 @@ class ApplicationFormsController < ApplicationController end # def custom_frontend_data # params = OrbitHelper.params - # application_form = ApplicationFormMain.find_by(:uid=>params[:uid]) + # uid = params[:uid].to_s + # application_form = ApplicationFormMain.find_by(:uid=>uid) # @application_form = application_form # @site_in_use_locales = Site.first.in_use_locales rescue I18n.available_locales # application_form_template_setting = application_form.application_form_template_setting # @application_form_template_setting = application_form_template_setting # home_page = Page.where(:parent_page_id=>application_form.id).first - # prefix_url = OrbitHelper.request.path.split("-").first + "-#{params[:uid]}" + # prefix_url = OrbitHelper.request.path.split("-").first + "-#{uid}" # @prefix_url = prefix_url # header_data = "Home | " + # "Main Site" @@ -152,7 +154,7 @@ class ApplicationFormsController < ApplicationController # if params[:method].present? # main_content = render_other_method # elsif params[:current_page_module] == "application_forms_home" - # application_form = ApplicationFormMain.where(uid: params[:uid]).first + # application_form = ApplicationFormMain.where(uid: uid).first # time_now = Time.now # data = { # "application_form" => application_form, 
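Review bot: `FrontendMethods` is declared as a plain mutable Array, so any `<<` on it elsewhere in the class or a view widens the set of callable actions at runtime; declare it `FrontendMethods = [...].freeze` (the Ruby convention would be `FRONTEND_METHODS`, but the name is part of the interface, so keep it unless callers are updated too). From the commented `if params[:method].present? … render_other_method` lines it looks like this list is meant to gate a `params[:method]` dispatcher, but the check itself is not in these hunks — it is worth confirming the dispatcher tests `FrontendMethods.include?(params[:method].to_s)` before any `send`/`public_send`, since an allowlist only helps if every dynamic call path consults it. The class header is above the hunk and the other hunks on this line touch only commented-out code.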
@@ -168,7 +170,7 @@ class ApplicationFormsController < ApplicationController # elsif params[:current_page_module] == "application_forms_page" # time_now = Time.now # params = OrbitHelper.params - # application_form = ApplicationFormMain.find_by(uid: params[:uid]) + # application_form = ApplicationFormMain.find_by(uid: uid) # if application_form.application_form_start_date <= time_now && ( application_form.application_form_end_date.nil? || application_form.application_form_end_date+1 >= time_now ) # sign_up = ('' + t('application_form.signup') + '').html_safe # elsif application_form.registration_status.blank? @@ -284,7 +286,7 @@ class ApplicationFormsController < ApplicationController params = OrbitHelper.params - application_form = ApplicationFormMain.where(uid: params[:uid]).first + application_form = ApplicationFormMain.where(uid: params[:uid].to_s).first application_form_agreement = ApplicationFormAgreement.first @@ -301,7 +303,7 @@ class ApplicationFormsController < ApplicationController params = OrbitHelper.params - application_form = ApplicationFormMain.find_by(uid: params[:uid]) + application_form = ApplicationFormMain.find_by(uid: params[:uid].to_s) if application_form.application_form_start_date <= time_now && ( application_form.application_form_end_date.nil? || application_form.application_form_end_date+1 >= time_now ) sign_up = ('' + t('application_form.signup') + '').html_safe @@ -347,7 +349,7 @@ class ApplicationFormsController < ApplicationController categories = module_app.categories - application_form = ApplicationFormMain.where(uid: params[:uid]).first + application_form = ApplicationFormMain.where(uid: params[:uid].to_s).first application_form_signup = ApplicationFormSignup.new 
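Review bot: In the `@@ -301` hunk, `ApplicationFormMain.find_by(uid: params[:uid].to_s)` is followed directly by `application_form.application_form_start_date <= time_now` with no handling for an unknown uid; depending on the model's `raise_not_found_error` setting this either raises `Mongoid::Errors::DocumentNotFound` or returns nil and then `NoMethodError`, and either way a crafted or missing `uid` produces a 500 instead of a not-found response. The `.to_s` coercion correctly closes the hash-parameter path (`uid[$ne]=…`) into the criteria, so the nil case is what remains. Add a guard right after the lookup, e.g. `return nil if application_form.nil?`, or whatever not-found value the consumer of this data hash expects — that consumer is not visible here. The method starts and ends outside the hunk.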
@@ -450,7 +452,7 @@ class ApplicationFormsController < ApplicationController def create form_params = params[:application_form_signup] form_params_email = form_params[:email] - form_params_main_id = form_params[:application_form_main_id] + form_params_main_id = form_params[:application_form_main_id].to_s @signup = nil #ApplicationFormSignup.where(email: form_params_email, application_form_main_id: form_params_main_id ).first @application_form = ApplicationFormMain.where(id: form_params_main_id).first @@ -741,7 +743,7 @@ class ApplicationFormsController < ApplicationController params = OrbitHelper.params - application_form = ApplicationFormMain.find_by(uid: params[:uid]) + application_form = ApplicationFormMain.find_by(uid: params[:uid].to_s) { 'application_form' => application_form, @@ -752,9 +754,10 @@ class ApplicationFormsController < ApplicationController def con_login_proc - application_form = ApplicationFormMain.find_by(id: params[:application_form_signup][:application_form_main_id]) + application_form_main_id = params[:application_form_signup][:application_form_main_id].to_s + application_form = ApplicationFormMain.find_by(id: application_form_main_id) - @application_form_signup = ApplicationFormSignup.where(:status=>'C', :email=> params[:user_name], :password => params[:password], :application_form_main_id => params[:application_form_signup][:application_form_main_id]).first + @application_form_signup = ApplicationFormSignup.where(:status=>'C', :email=> params[:user_name], :password => params[:password], :application_form_main_id => application_form_main_id).first if !@application_form_signup.blank? diff --git a/app/helpers/admin/application_forms_field_helper.rb b/app/helpers/admin/application_forms_field_helper.rb index 7bf74d0..e48ad0a 100644 --- a/app/helpers/admin/application_forms_field_helper.rb +++ b/app/helpers/admin/application_forms_field_helper.rb 
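Review bot: In `create`, `form_params_main_id` is coerced with `.to_s` but `form_params_email = form_params[:email]` on the line above is not, and `form_params = params[:application_form_signup]` raises `NoMethodError` on the following `[]` when the nested parameter is absent. If the email is later used as a query criterion (the commented-out `where(email: form_params_email, …)` suggests it once was), the same hash-parameter exposure applies to it; coerce both at the top: `form_params = params[:application_form_signup] || {}` and `form_params_email = form_params[:email].to_s`. The rest of `create` is outside the hunk, so where `form_params_email` ends up cannot be confirmed here.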
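Review bot: In `con_login_proc`, `params[:user_name]` and `params[:password]` are still passed raw into the Mongoid criteria on the `@application_form_signup = ApplicationFormSignup.where(...)` line, so the hash-parameter injection this commit closes for the ids stays open on the credentials: `password[$ne]=x` turns the criterion into a not-equal match, `password[$regex]=^a` lets the stored value be recovered one character at a time, and a request with no `password` at all matches documents whose field is nil. Coerce and reject blanks before the query, e.g. `email, password = params[:user_name].to_s, params[:password].to_s`, `return … if email.blank? || password.blank?` (returning whatever the failure branch below renders), and query on those locals. Matching the submitted password inside the database query also implies it is stored as entered; if so, the durable fix is to store a bcrypt digest (`has_secure_password` or `BCrypt::Password`), look the signup up by email and form id only, and compare in Ruby, which makes the operator-injection vector moot. `params[:application_form_signup][:application_form_main_id]` likewise raises when the nested hash is absent; `params.dig(:application_form_signup, :application_form_main_id).to_s` avoids that. The method continues past the end of the hunk.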
@@ -445,10 +445,14 @@ protected def form_label if self.markup == "text_area" - plc = typeD["placeholder"][I18n.locale].to_s.blank? ? '' : "(#{typeD["placeholder"][I18n.locale]})" - ""+ - label_tag(key,(!@require.blank? ? '*'+title : title),:class=>"col-sm-2 control-label muted",:style =>'display: contents;')+ - tag(:br)+"#{plc}" + plc = typeD["placeholder"][I18n.locale].to_s.blank? ? nil : "(#{typeD["placeholder"][I18n.locale]})" + label_tag(key, '' , :class=>"col-sm-2 control-label muted") do + concat (!@require.blank? ? '*'+title : title) + if plc + concat tag(:br) + concat plc + end + end else label_tag(key,(!@require.blank? ? '*'+title : title),:class=>"col-sm-2 control-label muted") end diff --git a/app/views/admin/application_form_review_results/edit.html.erb b/app/views/admin/application_form_review_results/edit.html.erb index 61aaa63..82bbc96 100644 --- a/app/views/admin/application_form_review_results/edit.html.erb +++ b/app/views/admin/application_form_review_results/edit.html.erb @@ -42,7 +42,7 @@ <% val = t("application_form.registration_status_#{application_form_signup.status}") if !application_form_signup.status.blank? %> <% end %> <% elsif names[0] == "application_form_signup_field_custom" || names[0] == "application_form_signup_fields" %> - <% val = application_form_signup.application_form_signup_values.where(:key=>names[1]).first.get_value_by_locale(I18n.locale) rescue "" %> + <% val = html_escape(application_form_signup.application_form_signup_values.where(:key=>names[1]).first.get_value_by_locale(I18n.locale)).gsub(/(\r\n|\n)/,"
") rescue "" %> <% elsif names[0] == "application_form_signup_contributes" %> <% if names[1] == "file" %> <% application_form_signup_contribute = @application_form_signup_contribute %> @@ -68,7 +68,7 @@ <% else %> <% file_content = File.read(file_path) rescue "" %> <% if file_content.is_utf8? %> - <% file_content = file_content.gsub(/(\r\n|\n)/,"
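Review bot: On the changed `val = html_escape(...).gsub(/(\r\n|\n)/, …)` line, calling `gsub` on the `SafeBuffer` that `html_escape` returns yields a plain `String`, so the html-safe marking is lost: the inserted `<br>` will itself be escaped if `val` is later emitted with `<%= val %>`, and is rendered as markup only if the consumer applies `raw`/`html_safe`. Which of those happens is outside this hunk (the `elsif` chain assigning `val` continues past it), but the intent of the change depends on it — with `raw`, the escaping added here is what protects the page; with `<%= %>`, the line break shows up literally. A form that escapes each fragment and keeps the result marked safe is `val = safe_join(value.to_s.split(/\r?\n/), tag(:br))`, which also removes the need for the trailing `rescue ""`.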
")%> + <% file_content = html_escape(file_content).gsub(/(\r\n|\n)/,"
") %> <% val = "
#{t(:download)}

#{file_title}

#{file_content}
"%> <% else %> <% val = link_to( file_title, file_url , {:target => '_blank', :title => Nokogiri::HTML(description.gsub("
"," , ")).text} ) if application_form_signup_contribute.file.file %> @@ -90,12 +90,13 @@ <% end %> <% end %> <% elsif names[0] == "application_form_submission_fields" %> - <% val = @application_form_signup_contribute.application_form_submission_values.where(:key=>names[1]).first.get_value_by_locale(I18n.locale) rescue "" %> <% application_form_submission_field = application_form_signup.application_form_main.application_form_submission_fields.where(:key=>names[1]).first %> - <% if application_form_submission_field && application_form_submission_field.markup == "application_form_preferred_session" - application_form_submission_value = @application_form_signup_contribute.application_form_submission_values.where(:key=>names[1]).first - val = "#{(application_form_submission_value.get_value_by_locale(I18n.locale) rescue "")}" - end %> + <% if application_form_submission_field && application_form_submission_field.markup == "application_form_preferred_session" + application_form_submission_value = @application_form_signup_contribute.application_form_submission_values.where(:key=>names[1]).first + val = "#{(html_escape(application_form_submission_value.get_value_by_locale(I18n.locale)).gsub(/(\r\n|\n)/,"
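Review bot: In the `file_content.is_utf8?` branch, `html_escape(file_content)` is now applied to the uploaded file's body, but `file_title` and `file_url` are interpolated into the same `val = "…"` markup unescaped a few lines below; if the title derives from the user-supplied filename (not visible here), a name such as `"><script>…` is rendered into the admin page as markup, the same stored-XSS class this commit is fixing. Escape them at the interpolation, `#{html_escape(file_title)}` and `#{html_escape(file_url)}`, or build the anchor with `link_to` as the non-UTF-8 `else` branch already does, which escapes the title on its own. The `elsif` chain this belongs to continues outside the hunk.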
") rescue "")}
" + else + val = html_escape(@application_form_signup_contribute.application_form_submission_values.where(:key=>names[1]).first.get_value_by_locale(I18n.locale).gsub('
', "\n")).gsub("\n","
") rescue "" + end %> <% elsif names[0] == "application_form_signup" %> <% val = (application_form_signup.send("display_"+names[1]) rescue application_form_signup.send(names[1])) rescue nil %> <% elsif names[0] == "application_form_review_result" %> diff --git a/app/views/admin/application_form_signups/edit.html.erb b/app/views/admin/application_form_signups/edit.html.erb index 3a63e43..825e143 100644 --- a/app/views/admin/application_form_signups/edit.html.erb +++ b/app/views/admin/application_form_signups/edit.html.erb @@ -163,14 +163,6 @@ <%= f.email_field :email, :class=>"input-block-level", :placeholder=> t(:email), :required => true %> check mail - -
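Review bot: Both new branches of the `application_form_submission_fields` case wrap the whole `html_escape(...).gsub(...)` expression in a modifier `rescue ""`, which turns every failure (a missing value, a nil `get_value_by_locale`, a typo in the call chain) into an empty cell, so a record that cannot be escaped silently disappears from the review page instead of surfacing an error. The only nil the expression has to tolerate is the looked-up value, and `html_escape(value.to_s)` already handles that; drop the rescue and guard the lookup instead: `submission_value = @application_form_signup_contribute.application_form_submission_values.where(:key=>names[1]).first`, then `val = submission_value ? html_escape(submission_value.get_value_by_locale(I18n.locale).to_s.gsub(…)).gsub("\n", …) : ""`. The same rescue pattern is repeated in `_application_form_signup_render_table.html.erb` later in this commit and should be fixed the same way.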
- -
- <%= f.text_field :password, :class=>"input-block-level", :placeholder=> t('application_form_signup.password') %> - <%= t('application_form_signup.password_message') %> -
-
<% end %> <% @form_index = 0 %> diff --git a/app/views/admin/application_forms/_application_form_signup_render_table.html.erb b/app/views/admin/application_forms/_application_form_signup_render_table.html.erb index 01bec58..83fc1fc 100644 --- a/app/views/admin/application_forms/_application_form_signup_render_table.html.erb +++ b/app/views/admin/application_forms/_application_form_signup_render_table.html.erb @@ -81,7 +81,7 @@ <% val = t("application_form.registration_status_#{application_form_signup.status}") if !application_form_signup.status.blank? %> <% end %> <% elsif names[0] == "application_form_signup_field_custom" || names[0] == "application_form_signup_fields" %> - <% val = application_form_signup.application_form_signup_values.where(:key=>names[1]).first.get_value_by_locale(I18n.locale) rescue "" %> + <% val = html_escape(application_form_signup.application_form_signup_values.where(:key=>names[1]).first.get_value_by_locale(I18n.locale)).gsub(/(\r\n|\n)/,"
") rescue "" %> <% elsif names[0] == "application_form_signup_contributes" %> <% if names[1] == "file" %> <% val = application_form_signup_contributes %> @@ -103,16 +103,17 @@ <% end %> <% end %> <% elsif names[0] == "application_form_submission_fields" %> - <% val = application_form_signup_contributes.collect{|s| (s.application_form_submission_values.where(:key=>names[1]).first.get_value_by_locale(I18n.locale) rescue "")} %> <% application_form_submission_field = application_form_signup.application_form_main.application_form_submission_fields.where(:key=>names[1]).first %> - <% if application_form_submission_field && application_form_submission_field.markup == "application_form_preferred_session" - val = application_form_signup_contributes.collect{|s| - application_form_submission_value = s.application_form_submission_values.where(:key=>names[1]).first - "#{(application_form_submission_value.get_value_by_locale(I18n.locale) rescue "")}"} - edit_urls[i] = [] - application_form_submission_values = application_form_signup_contributes.collect{|s| s.application_form_submission_values.where(:key=>names[1]).first } - edit_urls[i] = application_form_submission_values.map{|application_form_submission_value| edit_admin_application_form_submission_value_path(application_form_submission_value.id) rescue "#"} - end %> + <% if application_form_submission_field && application_form_submission_field.markup == "application_form_preferred_session" + val = application_form_signup_contributes.collect{|s| + application_form_submission_value = s.application_form_submission_values.where(:key=>names[1]).first + "#{(html_escape(application_form_submission_value.get_value_by_locale(I18n.locale)).gsub(/(\r\n|\n)/,"
") rescue "")}
"} + edit_urls[i] = [] + application_form_submission_values = application_form_signup_contributes.collect{|s| s.application_form_submission_values.where(:key=>names[1]).first } + edit_urls[i] = application_form_submission_values.map{|application_form_submission_value| edit_admin_application_form_submission_value_path(application_form_submission_value.id) rescue nil} + else + val = application_form_signup_contributes.collect{|s| (html_escape(s.application_form_submission_values.where(:key=>names[1]).first.get_value_by_locale(I18n.locale)).gsub(/(\r\n|\n)/,"
") rescue "")} + end %> <% elsif names[0] == "application_form_signup" %> <% val = (application_form_signup.send("display_"+names[1]) rescue application_form_signup.send(names[1])) rescue nil %> <% val = val.strftime('%Y/%m/%d %H:%M') if names[1] == 'created_at' %> diff --git a/app/views/admin/application_forms/_application_form_signup_session_dashboard.html.erb b/app/views/admin/application_forms/_application_form_signup_session_dashboard.html.erb index 4bb9fc4..99419da 100644 --- a/app/views/admin/application_forms/_application_form_signup_session_dashboard.html.erb +++ b/app/views/admin/application_forms/_application_form_signup_session_dashboard.html.erb @@ -27,7 +27,7 @@ content_tag :div, paginate(@application_form_signups), class: "pagination pagination-centered" end %> - <%= pagination_html.gsub(/page_no#{count}=\d*/,"").gsub('&&','&').gsub(/page=(\d*)/m){|ff| ff.gsub("page=#{$1}","page=#{params[:page]}&page_no#{count}=#{$1}")}.html_safe %> + <%= pagination_html.gsub(/page_no#{count}=\d*/,"").gsub('&&','&').gsub(/page=(\d*)/m){|ff| ff.gsub("page=#{$1}","page=#{(params[:page] ? params[:page].to_s.to_i : nil)}&page_no#{count}=#{$1}")}.html_safe %> <% end %> <% if count != 2 && @application_form.summary_chioices.count >= 2 %> diff --git a/app/views/admin/application_forms/_get_display_fields.html.erb b/app/views/admin/application_forms/_get_display_fields.html.erb index 6ed46fe..6a3df57 100644 --- a/app/views/admin/application_forms/_get_display_fields.html.erb +++ b/app/views/admin/application_forms/_get_display_fields.html.erb 
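Review bot: `params[:page].to_s.to_i` on the `pagination_html.gsub(...)` line does close the reflection of an arbitrary `page` value into markup that is then marked `.html_safe` as a whole, but `to_i` maps any non-numeric input (`abc`, `1e9x`) to 0 and keeps a leading minus sign, so the rewritten links can point at `page=0` or `page=-3`. Because the value lands inside markup that is trusted wholesale, pin it to digits rather than relying on `to_i`: `page = params[:page].to_s[/\A\d+\z/]` before the `<%= %>` and `page=#{page}` in the replacement block, which yields an empty `page=` for anything that is not a positive integer, matching the current nil case. The `count` variable and the `paginate` call come from lines above the hunk.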
@@ -69,9 +69,12 @@ <% application_form_signup_field_sets = ApplicationFormSignupFieldSet.all.uniq{|s| s.field_name} %> <% if application_form_signup_field_sets.count != 0 %> <% application_form_signup_field_sets.each do |field_set| %> - <% next if ApplicationFormMain::ExceptFieldSetDisplays.include?(field_set) %> - <% default_show << "application_form_signup_field_set.#{field_set.field_name}" if !(field_set.hidden) %> - <% @field_names << "application_form_signup_field_set.#{field_set.field_name}" %> + <% + field_name = field_set.field_name + next if ApplicationFormMain::ExceptFieldSetDisplays.include?(field_name) + %> + <% default_show << "application_form_signup_field_set.#{field_name}" if !(field_set.hidden) %> + <% @field_names << "application_form_signup_field_set.#{field_name}" %> <% @field_name_translations << field_set.name[I18n.locale] %> <% end %> <% else %> diff --git a/app/views/application_forms/con_login.html.erb b/app/views/application_forms/con_login.html.erb index afa929c..84750ab 100644 --- a/app/views/application_forms/con_login.html.erb +++ b/app/views/application_forms/con_login.html.erb @@ -4,7 +4,11 @@ @application_form = data["application_form"] @time_now = data["time_now"] %> - + <% if (@application_form.contribute_start_date <= @time_now && (@application_form.contribute_end_date.nil? or @application_form.contribute_end_date+1 >= @time_now ) rescue false) %>