Escaped ajax values
mmcev106 committed Dec 28, 2022
1 parent 9b55375 commit 3019a23
Showing 2 changed files with 49 additions and 3 deletions.
48 changes: 47 additions & 1 deletion CrossprojectpipingExternalModule.php
Expand Up @@ -765,7 +765,13 @@ function runCrossProjectPiping() {
// $('[name="'+field+'"]').change();
}
} else {
$('[name="'+field+'"]').val(data);
const unescapedData = data
.replace(/&/g, "&")
.replace(/&lt;/g, "<")
.replace(/&gt;/g, ">")
.replace(/&quot;/g, "\"")
.replace(/&#039;/g, "'")
$('[name="'+field+'"]').val(unescapedData);
addBranchingField(field, $('[name="'+field+'"]'));
// $('[name="'+field+'"]').change();
}
Expand Down Expand Up @@ -1211,4 +1217,44 @@ function getProjectRecordIDs($project_id, $filter_logic = null) {
return $rightsByPid;
}*/

/**
* Copied from the EM framework. Can be removed once redcap-version-min can be set to a version that includes this method.
*/
function escape($value){
$type = gettype($value);

/**
* The unnecessary casting on these first few types exists solely to inform psalm and avoid warnings.
*/
if($type === 'boolean'){
return (bool) $value;
}
else if($type === 'integer'){
return (int) $value;
}
else if($type === 'double'){
return (float) $value;
}
else if($type === 'array'){
$newValue = [];
foreach($value as $key=>$subValue){
$key = $this->escape($key);
$subValue = $this->escape($subValue);
$newValue[$key] = $subValue;
}

return $newValue;
}
else if($type === 'NULL'){
return null;
}
else{
/**
* Handle strings, resources, and custom objects (via the __toString() method.
* Apart from escaping, this produces that same behavior as if the $value was echoed or appended via the "." operator.
*/
return htmlspecialchars(''.$value, ENT_QUOTES);
}
}
}
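Review bot: The entity decoder added at lines 21–26 handles `&amp;` either in the wrong position or not at all: as rendered, `.replace(/&/g, "&")` replaces an ampersand with itself and so never decodes `&amp;`, and if the intended pattern is `/&amp;/g` it must be the last replacement in the chain, not the first. htmlspecialchars() on the server side (line 71) leaves double_encode at its default, so a stored literal `&lt;` arrives as `&amp;lt;`; decoding `&amp;` first yields `&lt;`, which the following replacement then turns into `<`, and the field receives a value the record never contained. Move it after the `&#039;` replacement as `.replace(/&amp;/g, "&")`. The decoder is only correct for exactly the five entities escape() emits, so a one-line comment such as `// inverse of the server-side escape(): htmlspecialchars(ENT_QUOTES) output only` would help keep the two in step. runCrossProjectPiping() starts before and continues after this hunk.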
4 changes: 2 additions & 2 deletions getValue.php
Expand Up @@ -111,12 +111,12 @@
} else {
$returnVal = $result;
}
echo $returnVal;
echo $module->escape($returnVal);
$found = true;
break;
} else if(!empty($recData[$Proj->firstEventId][substr($logicItem, 1, -1)]) && is_array($recData[$Proj->firstEventId][substr($logicItem, 1, -1)])) {
header('Content-Type: application/json');
echo json_encode($recData[$Proj->firstEventId][substr($logicItem, 1, -1)]);
echo json_encode($module->escape($recData[$Proj->firstEventId][substr($logicItem, 1, -1)]));
$found = true;
break;
}
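Review bot: Passing the array through escape() before json_encode() at line 88 HTML-entity-encodes every string value and key inside a JSON document, so whatever parses this response receives `&amp;`, `&lt;`, `&#039;` and so on in place of the real characters unless it applies the same five-entity decode the text branch's caller does; that consumer is not visible here. If the goal is to keep raw `<`, `>`, `&` and quotes out of the response body, json_encode's own flags achieve that without altering the decoded data: `echo json_encode($recData[$Proj->firstEventId][substr($logicItem, 1, -1)], JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);`. The plain-text branch at line 82 sets no Content-Type within the hunk; if none is set earlier in the file, adding `header('Content-Type: text/plain; charset=utf-8');` before the echo closes the content-sniffing window the escaping appears to guard against. The enclosing if/else chain begins outside this hunk.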
