Fix vulnerable.

2022-10-24 16:34:14 +08:00 · 2022-10-24 16:34:14 +08:00 · d86eb185dc
parent 10cb149fc7
commit d86eb185dc
9 changed files with 59 additions and 50 deletions
--- a/app/controllers/admin/application_forms_controller.rb
+++ b/app/controllers/admin/application_forms_controller.rb
@ -380,14 +380,15 @@ class Admin::ApplicationFormsController < OrbitAdminController
    @categories = @module_app.categories.enabled
    @filter_fields = filter_fields(@categories)
    @table_fields = [:category, 'application_form.title', 'application_form.event_during', 'application_form.signup_count', 'application_form.export']
-
+    params_sort = params[:sort].to_s
-    if !params[:sort].blank? 
+    if params_sort.present?
      params_order = params[:order].to_s
      if params[:sort] == 'event_during'
-        sort = {:application_form_start_date.to_sym=>params[:order]} 
+        sort = {:application_form_start_date=>params_order}
      elsif params[:sort] == 'signup_during'
-        sort = {:application_form_start_date.to_sym=>params[:order]} 
+        sort = {:application_form_start_date=>params_order}
      else
-        sort = {params[:sort].to_sym=>params[:order]} 
+        sort = {params_sort=>params_order}
      end
    else
      sort = {:application_form_start_date=>"desc",:created_at=>"desc"}
--- a/app/controllers/application_forms_controller.rb
+++ b/app/controllers/application_forms_controller.rb
@ -4,6 +4,7 @@ class ApplicationFormsController < ApplicationController
  include MemberHelper
  include ActionView::Context #vary important (only add this can access @@session from view)
  include Admin::ApplicationFormsHelper
  FrontendMethods = ["show_privacy", "show_data", "check_email", "check_availability", "signup_ok", "edit_file", "con_login", "con_upload", "con_logout"]
  # include SimpleCaptcha::ControllerHelpers
  def index
@ -72,13 +73,14 @@ class ApplicationFormsController < ApplicationController
  end
  # def custom_frontend_data
  #   params = OrbitHelper.params
-  #   application_form = ApplicationFormMain.find_by(:uid=>params[:uid])
+  #   uid = params[:uid].to_s
  #   application_form = ApplicationFormMain.find_by(:uid=>uid)
  #   @application_form = application_form
  #   @site_in_use_locales = Site.first.in_use_locales rescue I18n.available_locales
  #   application_form_template_setting = application_form.application_form_template_setting
  #   @application_form_template_setting = application_form_template_setting
  #   home_page = Page.where(:parent_page_id=>application_form.id).first
-  #   prefix_url = OrbitHelper.request.path.split("-").first + "-#{params[:uid]}"
+  #   prefix_url = OrbitHelper.request.path.split("-").first + "-#{uid}"
  #   @prefix_url = prefix_url
  #   header_data = "<a href=\"#{prefix_url}#{home_page.url}\">Home</a> | " + 
  #                 "<a href=\"/\">Main Site</a>"
@ -152,7 +154,7 @@ class ApplicationFormsController < ApplicationController
  #   if params[:method].present?
  #     main_content = render_other_method
  #   elsif params[:current_page_module] == "application_forms_home"
-  #     application_form = ApplicationFormMain.where(uid: params[:uid]).first
+  #     application_form = ApplicationFormMain.where(uid: uid).first
  #     time_now = Time.now
  #     data = {
  #       "application_form" => application_form,
@ -168,7 +170,7 @@ class ApplicationFormsController < ApplicationController
  #   elsif params[:current_page_module] == "application_forms_page"
  #     time_now = Time.now
  #     params = OrbitHelper.params
-  #     application_form = ApplicationFormMain.find_by(uid: params[:uid])
+  #     application_form = ApplicationFormMain.find_by(uid: uid)
  #     if application_form.application_form_start_date <= time_now && ( application_form.application_form_end_date.nil? ||  application_form.application_form_end_date+1 >= time_now )
  #       sign_up = ('<a href="'+ prefix_url + '" target="_blank">' + t('application_form.signup') + '</a>').html_safe
  #     elsif application_form.registration_status.blank?
@ -284,7 +286,7 @@ class ApplicationFormsController < ApplicationController
    params = OrbitHelper.params
-    application_form = ApplicationFormMain.where(uid: params[:uid]).first
+    application_form = ApplicationFormMain.where(uid: params[:uid].to_s).first
    application_form_agreement = ApplicationFormAgreement.first
@ -301,7 +303,7 @@ class ApplicationFormsController < ApplicationController
    params = OrbitHelper.params
-    application_form = ApplicationFormMain.find_by(uid: params[:uid])
+    application_form = ApplicationFormMain.find_by(uid: params[:uid].to_s)
    if application_form.application_form_start_date <= time_now && ( application_form.application_form_end_date.nil? ||  application_form.application_form_end_date+1 >= time_now )
      sign_up = ('<a href="'+ OrbitHelper.url_to_show(application_form.to_param) + '">' + t('application_form.signup') + '</a>').html_safe
@ -347,7 +349,7 @@ class ApplicationFormsController < ApplicationController
    categories = module_app.categories
-    application_form = ApplicationFormMain.where(uid: params[:uid]).first
+    application_form = ApplicationFormMain.where(uid: params[:uid].to_s).first
    application_form_signup = ApplicationFormSignup.new
@ -450,7 +452,7 @@ class ApplicationFormsController < ApplicationController
  def create
    form_params = params[:application_form_signup]
    form_params_email = form_params[:email]
-    form_params_main_id = form_params[:application_form_main_id]
+    form_params_main_id = form_params[:application_form_main_id].to_s
    @signup = nil #ApplicationFormSignup.where(email: form_params_email, application_form_main_id: form_params_main_id ).first
    @application_form = ApplicationFormMain.where(id: form_params_main_id).first
@ -741,7 +743,7 @@ class ApplicationFormsController < ApplicationController
    params = OrbitHelper.params
-    application_form = ApplicationFormMain.find_by(uid: params[:uid])
+    application_form = ApplicationFormMain.find_by(uid: params[:uid].to_s)
    {
      'application_form' => application_form,
@ -752,9 +754,10 @@ class ApplicationFormsController < ApplicationController
  def con_login_proc
-    application_form = ApplicationFormMain.find_by(id: params[:application_form_signup][:application_form_main_id])
+    application_form_main_id = params[:application_form_signup][:application_form_main_id].to_s
    application_form = ApplicationFormMain.find_by(id: application_form_main_id)
-    @application_form_signup = ApplicationFormSignup.where(:status=>'C', :email=> params[:user_name], :password => params[:password], :application_form_main_id => params[:application_form_signup][:application_form_main_id]).first
+    @application_form_signup = ApplicationFormSignup.where(:status=>'C', :email=> params[:user_name], :password => params[:password], :application_form_main_id => application_form_main_id).first
    if !@application_form_signup.blank?
--- a/app/helpers/admin/application_forms_field_helper.rb
+++ b/app/helpers/admin/application_forms_field_helper.rb
@ -445,10 +445,14 @@ protected
  def form_label
    if self.markup == "text_area"
-      plc = typeD["placeholder"][I18n.locale].to_s.blank? ? '' : "(#{typeD["placeholder"][I18n.locale]})"
+      plc = typeD["placeholder"][I18n.locale].to_s.blank? ? nil : "(#{typeD["placeholder"][I18n.locale]})"
-      "<span style='margin-right: 0.5em;'>"+
+      label_tag(key, '' , :class=>"col-sm-2 control-label muted") do
-      label_tag(key,(!@require.blank? ? '*'+title : title),:class=>"col-sm-2 control-label muted",:style =>'display: contents;')+
+        concat (!@require.blank? ? '*'+title : title)
-      tag(:br)+"#{plc}</span>"
+        if plc
          concat tag(:br)
          concat plc
        end
      end
    else
      label_tag(key,(!@require.blank? ? '*'+title : title),:class=>"col-sm-2 control-label muted")
    end
--- a/app/views/admin/application_form_review_results/edit.html.erb
+++ b/app/views/admin/application_form_review_results/edit.html.erb
@ -42,7 +42,7 @@
                  <% val = t("application_form.registration_status_#{application_form_signup.status}") if !application_form_signup.status.blank? %>
              <% end %>                    
          <% elsif names[0] == "application_form_signup_field_custom" || names[0] == "application_form_signup_fields" %>
-            <% val = application_form_signup.application_form_signup_values.where(:key=>names[1]).first.get_value_by_locale(I18n.locale) rescue "" %>
+            <% val = html_escape(application_form_signup.application_form_signup_values.where(:key=>names[1]).first.get_value_by_locale(I18n.locale)).gsub(/(\r\n|\n)/,"<br>") rescue "" %>
          <% elsif names[0] == "application_form_signup_contributes" %>
            <% if names[1] == "file" %>
              <% application_form_signup_contribute = @application_form_signup_contribute %>
@ -68,7 +68,7 @@
              <% else %>
                <% file_content = File.read(file_path) rescue "" %>
                <% if file_content.is_utf8? %>
-                  <% file_content = file_content.gsub(/(\r\n|\n)/,"<br>")%>
+                  <% file_content = html_escape(file_content).gsub(/(\r\n|\n)/,"<br>") %>
                  <% val = "<div class=\"text_wrap\"><a class=\"pull-right\" href=\"#{file_url}\" title=\"#{t(:download)}\">#{t(:download)}</a><div style=\"clear: both;\"></div><h4>#{file_title}</h4>#{file_content}</div>"%>
                <% else %>
                  <% val = link_to( file_title, file_url , {:target => '_blank', :title => Nokogiri::HTML(description.gsub("<br>"," , ")).text} ) if application_form_signup_contribute.file.file %>
@ -90,12 +90,13 @@
              <% end %>
            <% end %>
          <% elsif names[0] == "application_form_submission_fields" %>
            <% val = @application_form_signup_contribute.application_form_submission_values.where(:key=>names[1]).first.get_value_by_locale(I18n.locale) rescue "" %>
            <% application_form_submission_field = application_form_signup.application_form_main.application_form_submission_fields.where(:key=>names[1]).first %>
-            <% if application_form_submission_field && application_form_submission_field.markup == "application_form_preferred_session"
+            <%  if application_form_submission_field && application_form_submission_field.markup == "application_form_preferred_session"
-                application_form_submission_value = @application_form_signup_contribute.application_form_submission_values.where(:key=>names[1]).first
+                  application_form_submission_value = @application_form_signup_contribute.application_form_submission_values.where(:key=>names[1]).first
-                val = "<span data-id=\"#{application_form_submission_value.id rescue ''}\">#{(application_form_submission_value.get_value_by_locale(I18n.locale) rescue "")}</span>"
+                  val = "<span data-id=\"#{application_form_submission_value.id rescue ''}\">#{(html_escape(application_form_submission_value.get_value_by_locale(I18n.locale)).gsub(/(\r\n|\n)/,"<br>") rescue "")}</span>"
-               end %>
+                else
                  val = html_escape(@application_form_signup_contribute.application_form_submission_values.where(:key=>names[1]).first.get_value_by_locale(I18n.locale).gsub('<br>', "\n")).gsub("\n","<br>") rescue ""
                end %>
          <% elsif  names[0] == "application_form_signup" %>
            <% val = (application_form_signup.send("display_"+names[1]) rescue application_form_signup.send(names[1])) rescue nil %>
          <% elsif  names[0] == "application_form_review_result" %>
--- a/app/views/admin/application_form_signups/edit.html.erb
+++ b/app/views/admin/application_form_signups/edit.html.erb
@ -164,14 +164,6 @@
          </div>
        </div>
        <div class="control-group <%= @application_form.registration_status[0] == 'C' ? '' : 'hide' %>" id="registration_status">
          <label for="password" class="control-label muted">*<%= t('application_form_signup.password') %></label>
          <div class="controls">
            <%= f.text_field :password, :class=>"input-block-level", :placeholder=> t('application_form_signup.password') %>
            <%= t('application_form_signup.password_message') %>
          </div>
        </div>
      <% end %>
      <% @form_index = 0 %>
      <% @application_form.application_form_signup_fields.asc(:_id).each  do |rf| %>
--- a/app/views/admin/application_forms/_application_form_signup_render_table.html.erb
+++ b/app/views/admin/application_forms/_application_form_signup_render_table.html.erb
@ -81,7 +81,7 @@
                        <% val = t("application_form.registration_status_#{application_form_signup.status}") if !application_form_signup.status.blank? %>
                    <% end %>                    
                <% elsif names[0] == "application_form_signup_field_custom" || names[0] == "application_form_signup_fields" %>
-                  <% val = application_form_signup.application_form_signup_values.where(:key=>names[1]).first.get_value_by_locale(I18n.locale) rescue "" %>
+                  <% val = html_escape(application_form_signup.application_form_signup_values.where(:key=>names[1]).first.get_value_by_locale(I18n.locale)).gsub(/(\r\n|\n)/,"<br>") rescue "" %>
                <% elsif names[0] == "application_form_signup_contributes" %>
                  <% if names[1] == "file" %>
                    <% val = application_form_signup_contributes %>
@ -103,16 +103,17 @@
                    <% end %>
                  <% end %>
                <% elsif names[0] == "application_form_submission_fields" %>
                  <% val = application_form_signup_contributes.collect{|s| (s.application_form_submission_values.where(:key=>names[1]).first.get_value_by_locale(I18n.locale) rescue "")} %>
                  <% application_form_submission_field = application_form_signup.application_form_main.application_form_submission_fields.where(:key=>names[1]).first %>
-                  <% if application_form_submission_field && application_form_submission_field.markup == "application_form_preferred_session"
+                  <%  if application_form_submission_field && application_form_submission_field.markup == "application_form_preferred_session"
-                      val = application_form_signup_contributes.collect{|s| 
+                        val = application_form_signup_contributes.collect{|s| 
-                        application_form_submission_value = s.application_form_submission_values.where(:key=>names[1]).first
+                          application_form_submission_value = s.application_form_submission_values.where(:key=>names[1]).first
-                        "<span data-id=\"#{application_form_submission_value.id rescue ''}\">#{(application_form_submission_value.get_value_by_locale(I18n.locale) rescue "")}</span>"}
+                          "<span data-id=\"#{application_form_submission_value.id rescue ''}\">#{(html_escape(application_form_submission_value.get_value_by_locale(I18n.locale)).gsub(/(\r\n|\n)/,"<br>") rescue "")}</span>"}
-                      edit_urls[i] = []
+                        edit_urls[i] = []
-                      application_form_submission_values = application_form_signup_contributes.collect{|s| s.application_form_submission_values.where(:key=>names[1]).first }
+                        application_form_submission_values = application_form_signup_contributes.collect{|s| s.application_form_submission_values.where(:key=>names[1]).first }
-                      edit_urls[i] = application_form_submission_values.map{|application_form_submission_value| edit_admin_application_form_submission_value_path(application_form_submission_value.id) rescue "#"}
+                        edit_urls[i] = application_form_submission_values.map{|application_form_submission_value| edit_admin_application_form_submission_value_path(application_form_submission_value.id) rescue nil}
-                     end %>
+                      else
                        val = application_form_signup_contributes.collect{|s| (html_escape(s.application_form_submission_values.where(:key=>names[1]).first.get_value_by_locale(I18n.locale)).gsub(/(\r\n|\n)/,"<br>") rescue "")}
                      end %>
                <% elsif  names[0] == "application_form_signup" %>
                  <% val = (application_form_signup.send("display_"+names[1]) rescue application_form_signup.send(names[1])) rescue nil %>
                  <% val = val.strftime('%Y/%m/%d %H:%M') if names[1] == 'created_at' %>
--- a/app/views/admin/application_forms/_application_form_signup_session_dashboard.html.erb
+++ b/app/views/admin/application_forms/_application_form_signup_session_dashboard.html.erb
@ -27,7 +27,7 @@
          content_tag :div, paginate(@application_form_signups), class: "pagination pagination-centered"
        end
      %>
-      <%= pagination_html.gsub(/page_no#{count}=\d*/,"").gsub('&&','&').gsub(/page=(\d*)/m){|ff| ff.gsub("page=#{$1}","page=#{params[:page]}&page_no#{count}=#{$1}")}.html_safe %>
+      <%= pagination_html.gsub(/page_no#{count}=\d*/,"").gsub('&&','&').gsub(/page=(\d*)/m){|ff| ff.gsub("page=#{$1}","page=#{(params[:page] ? params[:page].to_s.to_i : nil)}&page_no#{count}=#{$1}")}.html_safe %>
    </div>
  <% end %>
  <% if count != 2 && @application_form.summary_chioices.count >= 2 %>
--- a/app/views/admin/application_forms/_get_display_fields.html.erb
+++ b/app/views/admin/application_forms/_get_display_fields.html.erb
@ -69,9 +69,12 @@
    <% application_form_signup_field_sets = ApplicationFormSignupFieldSet.all.uniq{|s| s.field_name} %>
    <% if application_form_signup_field_sets.count != 0 %>
       <% application_form_signup_field_sets.each do |field_set| %>
-            <% next if ApplicationFormMain::ExceptFieldSetDisplays.include?(field_set) %>
+            <%
-            <% default_show << "application_form_signup_field_set.#{field_set.field_name}" if !(field_set.hidden) %>
+                field_name = field_set.field_name
-            <% @field_names << "application_form_signup_field_set.#{field_set.field_name}" %>
+                next if ApplicationFormMain::ExceptFieldSetDisplays.include?(field_name)
            %>
            <% default_show << "application_form_signup_field_set.#{field_name}" if !(field_set.hidden) %>
            <% @field_names << "application_form_signup_field_set.#{field_name}" %>
            <% @field_name_translations << field_set.name[I18n.locale] %>
       <% end %>
    <% else %>
--- a/app/views/application_forms/con_login.html.erb
+++ b/app/views/application_forms/con_login.html.erb
@ -4,7 +4,11 @@
  @application_form = data["application_form"]
 	@time_now = data["time_now"]
 %>
-
+<style type="text/css">
  .alert-error{
    color: red;
  }
 </style>
 <% if (@application_form.contribute_start_date <= @time_now && (@application_form.contribute_end_date.nil? or @application_form.contribute_end_date+1 >= @time_now ) rescue false) %>
 <section id="main-wrap">