#1972 Galaxia: bug on save activity template - BOGUS

Milestone: BRANCH-1-9_(CVS)
Status: closed-invalid
Owner: nobody
Priority: 5
Updated: 2015-02-02
Created: 2005-06-06
Private: No

Whenever I try to save a template for an activity and there is JavaScript code present, the <script language="JavaScript"> tag is stripped off from after the {literal} Smarty tag. The </script> tag is also stripped from the code, right before the {/literal} Smarty tag.

On a side note, why are there two buttons with the same name in lines 33 and 39 of templates/tiki-g-admin_shared_source.tpl? And why is the condition evaluated in line 37 of tiki-g-admin_shared_source.php never true?

The PHP code for my test activity goes below (it's debug code):
<?php
// Debug stub: the activity instance is only completed while $debug is "DESLIGADO" (off).
if ($debug == "DESLIGADO") {
    $instance->complete();
}
?>

The Smarty code for the template of my activity goes below:
{*Smarty template*}

<h3>Numera&ccedil;&atilde;o da IMP</h3>
<form onSubmit="javascript:return validateForm(this);" method="post">
<table class="normal" width="75%">
{literal}
<script language="JavaScript">
<!--
    // getSelectedOption(), errorDetails(), checkErrorCondition() and
    // getFormElement() are not defined in this template; they come from
    // the shared JavaScript the page already loads.
    function isValidDate(f, field_prefix)
    {
        var day = getSelectedOption(f, field_prefix + '[Day]');
        // Build the date from all three parts at once. JavaScript rolls an
        // impossible day (e.g. 31 April) over into the next month, so the
        // day no longer matches. Setting month, day and year one at a time
        // on new Date() would make the result depend on today's date.
        var selected_date = new Date(
            getSelectedOption(f, field_prefix + '[Year]'),
            getSelectedOption(f, field_prefix + '[Month]') - 1,
            day);

        if (selected_date.getDate() != day) {
            return false;
        } else {
            return true;
        }
    }
    function isWhitespace(s)
    {
        var whitespace = " \t\n\r";

        if (s.length == 0) {
            // empty field!
            return true;
        } else {
            // check for whitespace now!
            for (var z = 0; z < s.length; z++) {
                // Check that current character isn't whitespace.
                var c = s.charAt(z);
                if (whitespace.indexOf(c) == -1) return false;
            }
            return true;
        }
    }
    function selectField(f, field_name)
    {
        for (var i = 0; i < f.elements.length; i++) {
            if (f.elements[i].name == field_name) {
                if (f.elements[i].type != 'hidden') {
                    f.elements[i].focus();
                }
                errorDetails(f, field_name, true);
                if (isWhitespace(f.name)) {
                    return false;
                }
                // A closure instead of new Function(): no code is built from strings.
                f.elements[i].onchange = function () {
                    checkErrorCondition(f.name, field_name);
                };
                if (f.elements[i].select) {
                    f.elements[i].select();
                }
            }
        }
    }
    function isNumberOnly(s)
    {
        var check = parseFloat(s).toString();
        if ((s.length == check.length) && (check != "NaN")) {
            return true;
        } else {
            return false;
        }
    }
    function validateForm(f)
    {
        // Entities such as &atilde; are not decoded inside <script>, so the
        // messages use the characters directly.
        if (!isValidDate(f, 'dt_rec')) {
            alert('Data de recebimento não é válida.');
            selectField(f, 'dt_rec[Day]');
            return false;
        }
        if (isWhitespace(f.numero.value)) {
            alert('Por favor digite o número da IMP.');
            selectField(f, 'numero');
            return false;
        }
        if (!isNumberOnly(f.numero.value)) {
            alert('O número da IMP contém caracteres que não são números.');
            selectField(f, 'numero');
            return false;
        }
        var field = getFormElement(f, 'ano_imp');
        if (field.selectedIndex == 0) {
            alert('Por favor selecione o ano da IMP.');
            selectField(f, 'ano_imp');
            return false;
        }
        if (!isValidDate(f, 'dt_etg')) {
            alert('Data de entrega não é válida.');
            // Focus the delivery-date field; the original focused 'dt_rec[Day]' here.
            selectField(f, 'dt_etg[Day]');
            return false;
        }
        return true;
    }
//-->
</script>
{/literal}
    <tr>
        <td class="heading" width="20%">Data de recebimento</td>
        <td class="odd">
            <select name="dt_rec[Day]">
                <option label="" value=""></option>
                <option label="01" value="1">01</option>
                <option label="02" value="2">02</option>
                <option label="03" value="3">03</option>
                <option label="04" value="4">04</option>
                <option label="05" value="5">05</option>
                <option label="06" value="6">06</option>
                <option label="07" value="7">07</option>
                <option label="08" value="8">08</option>
                <option label="09" value="9">09</option>
                <option label="10" value="10">10</option>
                <option label="11" value="11">11</option>
                <option label="12" value="12">12</option>
                <option label="13" value="13">13</option>
                <option label="14" value="14">14</option>
                <option label="15" value="15">15</option>
                <option label="16" value="16">16</option>
                <option label="17" value="17">17</option>
                <option label="18" value="18">18</option>
                <option label="19" value="19">19</option>
                <option label="20" value="20">20</option>
                <option label="21" value="21">21</option>
                <option label="22" value="22">22</option>
                <option label="23" value="23">23</option>
                <option label="24" value="24">24</option>
                <option label="25" value="25">25</option>
                <option label="26" value="26">26</option>
                <option label="27" value="27">27</option>
                <option label="28" value="28">28</option>
                <option label="29" value="29">29</option>
                <option label="30" value="30">30</option>
                <option label="31" value="31">31</option>
            </select>

            <select name="dt_rec[Month]">
                <option label="" value=""></option>
                <option label="Janeiro" value="01">Janeiro</option>
                <option label="Fevereiro" value="02">Fevereiro</option>
                <option label="Mar&ccedil;o" value="03">Mar&ccedil;o</option>
                <option label="Abril" value="04">Abril</option>
                <option label="Maio" value="05">Maio</option>
                <option label="Junho" value="06">Junho</option>
                <option label="Julho" value="07">Julho</option>
                <option label="Agosto" value="08">Agosto</option>
                <option label="Setembro" value="09">Setembro</option>
                <option label="Outubro" value="10">Outubro</option>
                <option label="Novembro" value="11">Novembro</option>
                <option label="Dezembro" value="12">Dezembro</option>
            </select>

            <select name="dt_rec[Year]">
                <option label="" value=""></option>
                <option label="2005" value="01">2005</option>
                <option label="2006" value="02">2006</option>
                <option label="2007" value="03">2007</option>
            </select>
        </td>
    </tr>
    <tr>
        <td class="heading">Numero</td>
        <td class="odd">
            <input type="text" name="numero" size="5" value="" />
            /
            <select name="ano_imp">
                <option label="" value=""></option>
                <option label="2005" value="01">2005</option>
                <option label="2006" value="02">2006</option>
                <option label="2007" value="03">2007</option>
            </select>
        </td>
    </tr>
    <tr>
        <td class="heading">ATP</td>
        <td class="odd">
            <input type="text" name="atp" size="5" value="" />
            /
            <input type="text" name="ano_atp" size="5" maxlength="4" value="" />
        </td>
    </tr>
    <tr>
        <td class="heading">RT</td>
        <td class="odd">
            <input type="text" name="rt" size="5" value="" />
            /
            <input type="text" name="ano_rt" size="5" maxlength="4" value="" />
        </td>
    </tr>
    <tr>
        <td class="heading">RNC</td>
        <td class="odd">
            <input type="text" name="rnc" size="5" value="" />
            /
            <input type="text" name="ano_rnc" size="5" maxlength="4" value="" />
        </td>
    </tr>
    <tr>
        <td class="heading">SAT</td>
        <td class="odd">
            <input type="text" name="sat" size="5" value="" />
            /
            <input type="text" name="ano_sat" size="5" maxlength="4" value="" />
        </td>
    </tr>
    <tr>
        <td class="heading" width="30%">Data de entrega</td>
        <td class="odd">
            <select name="dt_etg[Day]">
                <option label="" value=""></option>
                <option label="01" value="1">01</option>
                <option label="02" value="2">02</option>
                <option label="03" value="3">03</option>
                <option label="04" value="4">04</option>
                <option label="05" value="5">05</option>
                <option label="06" value="6">06</option>
                <option label="07" value="7">07</option>
                <option label="08" value="8">08</option>
                <option label="09" value="9">09</option>
                <option label="10" value="10">10</option>
                <option label="11" value="11">11</option>
                <option label="12" value="12">12</option>
                <option label="13" value="13">13</option>
                <option label="14" value="14">14</option>
                <option label="15" value="15">15</option>
                <option label="16" value="16">16</option>
                <option label="17" value="17">17</option>
                <option label="18" value="18">18</option>
                <option label="19" value="19">19</option>
                <option label="20" value="20">20</option>
                <option label="21" value="21">21</option>
                <option label="22" value="22">22</option>
                <option label="23" value="23">23</option>
                <option label="24" value="24">24</option>
                <option label="25" value="25">25</option>
                <option label="26" value="26">26</option>
                <option label="27" value="27">27</option>
                <option label="28" value="28">28</option>
                <option label="29" value="29">29</option>
                <option label="30" value="30">30</option>
                <option label="31" value="31">31</option>
            </select>

            <select name="dt_etg[Month]">
                <option label="" value=""></option>
                <option label="Janeiro" value="01">Janeiro</option>
                <option label="Fevereiro" value="02">Fevereiro</option>
                <option label="Mar&ccedil;o" value="03">Mar&ccedil;o</option>
                <option label="Abril" value="04">Abril</option>
                <option label="Maio" value="05">Maio</option>
                <option label="Junho" value="06">Junho</option>
                <option label="Julho" value="07">Julho</option>
                <option label="Agosto" value="08">Agosto</option>
                <option label="Setembro" value="09">Setembro</option>
                <option label="Outubro" value="10">Outubro</option>
                <option label="Novembro" value="11">Novembro</option>
                <option label="Dezembro" value="12">Dezembro</option>
            </select>

            <select name="dt_etg[Year]">
                <option label="" value=""></option>
                <option label="2005" value="01">2005</option>
                <option label="2006" value="02">2006</option>
                <option label="2007" value="03">2007</option>
            </select>
        </td>
    </tr>
</table>
<br>
<input type="submit" name="request" value="Confirmar" />

</form>
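The validation the template's script performs, as an added example that is not part of the bug report: the same checks written against plain values so they run outside a browser. The field names (dt_rec, numero, ano_imp, dt_etg) are the template's; the helper names and the sample submissions below are this example's own. It also covers an edge case the template's isValidDate() gets wrong: that function starts from new Date() and sets month, day and year one at a time, so its verdict on a date such as 30 February depends on what today's date happens to be; setting all three parts at once removes that dependence.

```javascript
// Added example, not code from the bug report or from Tiki/Galaxia.

// Select values arrive as strings; the blank <option value=""> becomes NaN.
function toInt(value) {
  return /^\d+$/.test(String(value)) ? parseInt(value, 10) : NaN;
}

// True when year/month/day (month 1-based) name a real calendar date. Like the
// template it relies on Date rolling an impossible day into the next month
// (31 April becomes 1 May), but all three parts are set together.
function isValidDate(year, month, day) {
  if (![year, month, day].every(Number.isInteger)) return false;
  if (month < 1 || month > 12 || day < 1 || day > 31) return false;
  const d = new Date(2000, 0, 1, 12);     // noon avoids midnight DST transitions
  d.setFullYear(year, month - 1, day);    // setFullYear, not the deprecated setYear
  return d.getFullYear() === year && d.getMonth() === month - 1 && d.getDate() === day;
}

// Stricter than the template's parseFloat-based isNumberOnly(): only decimal
// digits pass, so "1.5" and "1e3" are rejected and "007" is accepted.
function isIntegerOnly(s) {
  return /^\d+$/.test(String(s));
}

// Same checks as the template's validateForm(), on a {name: value} object of
// submitted form fields. Returns the names of the fields that failed; an
// empty array means the form may be submitted.
function validateForm(values) {
  const errors = [];
  const date = (prefix) => isValidDate(
    toInt(values[prefix + '[Year]']),
    toInt(values[prefix + '[Month]']),
    toInt(values[prefix + '[Day]']));
  if (!date('dt_rec')) errors.push('dt_rec');
  if (!isIntegerOnly(values.numero)) errors.push('numero');  // also catches blank/whitespace
  if (!values.ano_imp) errors.push('ano_imp');                // the blank option has value ""
  if (!date('dt_etg')) errors.push('dt_etg');
  return errors;
}

// Constructed sample submissions (real years rather than the template's "01".."03").
const SAMPLE_OK = {
  'dt_rec[Day]': '15', 'dt_rec[Month]': '06', 'dt_rec[Year]': '2005',
  numero: '0042', ano_imp: '2005',
  'dt_etg[Day]': '29', 'dt_etg[Month]': '02', 'dt_etg[Year]': '2008',  // 2008 is a leap year
};
const SAMPLE_BAD = {
  'dt_rec[Day]': '31', 'dt_rec[Month]': '04', 'dt_rec[Year]': '2005',  // 31 April
  numero: '12.5', ano_imp: '',
  'dt_etg[Day]': '', 'dt_etg[Month]': '', 'dt_etg[Year]': '',          // left blank
};

console.log(validateForm(SAMPLE_OK));   // []
console.log(validateForm(SAMPLE_BAD));  // [ 'dt_rec', 'numero', 'ano_imp', 'dt_etg' ]
```

Whatever the browser-side script accepts, the PHP side that saves the activity still has to repeat these checks: the onSubmit handler can be disabled or bypassed by the client, so it only improves the user experience, not the integrity of the data.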

Discussion

  • Georger Araujo - 2005-06-15
    • status: open --> closed-invalid

  • Georger Araujo - 2005-06-15

    This is by design. Smarty is stripping the potentially
    insecure JavaScript in line 48 of
    templates/tiki-g-admin_shared_source.tpl.

  • Georger Araujo - 2005-06-15
    • summary: Galaxia: bug on save activity template --> Galaxia: bug on save activity template - BOGUS

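What the reporter observed on save, and the check a reviewer would prefer in its place, as an added example that is neither Tiki/Galaxia code nor the code referred to in the closing comment: the script tags are removed while the Smarty {literal} markers and the script body stay behind, which is exactly why the saved template looked mangled. A pre-save check that refuses the template and names the offending lines gives the administrator the same protection without the silent edit. The template excerpt is constructed from the one in the report; the function names are this example's own.

```javascript
// Added example, not code from Tiki, Galaxia or the bug report.

// Constructed excerpt of the reported template (the closing tag is upper-case
// on purpose, to show the match is case-insensitive).
const TEMPLATE = [
  '{*Smarty template*}',
  '<table class="normal" width="75%">',
  '{literal}',
  '<script language="JavaScript">',
  'function validateForm(f) { return true; }',
  '</SCRIPT>',
  '{/literal}',
  '</table>',
].join('\n');

// Opening or closing script tag, any case, with or without attributes.
const SCRIPT_TAG = /<\/?script\b[^>]*>/gi;

// One entry per script tag with its 1-based line number, so the person saving
// the template can be told what was refused and where.
function findScriptTags(template) {
  const found = [];
  template.split('\n').forEach((line, index) => {
    for (const m of line.matchAll(SCRIPT_TAG)) {
      found.push({ line: index + 1, tag: m[0] });
    }
  });
  return found;
}

// Reproduces the effect described in the report: the tags go, the {literal}
// markers and the JavaScript source stay, and the saved page renders that
// source as plain text.
function stripScriptTags(template) {
  return template.replace(SCRIPT_TAG, '');
}

// The alternative: reject the save and say why. Returns { ok: true, template }
// or { ok: false, reasons: [...] }.
function checkTemplateForSave(template) {
  const tags = findScriptTags(template);
  if (tags.length === 0) return { ok: true, template };
  return {
    ok: false,
    reasons: tags.map((t) => `line ${t.line}: ${t.tag} is not allowed in an activity template`),
  };
}

console.log(stripScriptTags(TEMPLATE));
console.log(checkTemplateForSave(TEMPLATE).reasons);
```

Either way the decision belongs on the server, where the template is written to the database, not in the browser form that submits it.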