Moderate severityNVD Advisory· Published Sep 20, 2022· Updated May 27, 2025
Cross-site Scripting (XSS) - Stored in yetiforcecompany/yetiforcecrm
CVE-2022-3004
Description
Cross-site Scripting (XSS) - Stored in GitHub repository yetiforcecompany/yetiforcecrm prior to 6.4.0.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| yetiforce/yetiforce-crm (Packagist) | <= 6.4.0 | — |
Affected products
1- Range: unspecified
Patches
1cd82ecce44d8Improved worflow panel
16 files changed · +129 −356
config/version.php+1 −1 modified@@ -1,7 +1,7 @@ <?php return [ - 'appVersion' => '6.4.13', + 'appVersion' => '6.4.14', 'patchVersion' => '2022.08.26', 'lib_roundcube' => '0.3.1', ];
layouts/basic/modules/Settings/Workflows/AdvanceFilterCondition.tpl+4 −4 modified@@ -6,7 +6,7 @@ * The Initial Developer of the Original Code is vtiger. * Portions created by vtiger are Copyright (C) vtiger. * All Rights Reserved. -* +* Contributor(s): YetiForce S.A. ********************************************************************************/ -->*} {strip} @@ -33,7 +33,7 @@ {else} {assign var=FIELD_VALUE value=""} {/if} - <option value="{$FIELD_MODEL->$columnNameApi()}" + <option value="{$FIELD_MODEL->$columnNameApi()|escape}" data-fieldtype="{$FIELD_MODEL->getFieldType()}" data-field-name="{$FIELD_NAME}" {if !empty($CONDITION_INFO['columnname']) && App\Purifier::decodeHtml($FIELD_MODEL->$columnNameApi()) eq $CONDITION_INFO['columnname']} {assign var=FIELD_TYPE value=$FIELD_MODEL->getFieldDataType()} @@ -73,15 +73,15 @@ </select> </div> <div class="col-md-4 fieldUiHolder"> - <input name="{if !empty($SELECTED_FIELD_MODEL)}{$SELECTED_FIELD_MODEL->get('name')}{/if}" data-value="value" + <input name="{if !empty($SELECTED_FIELD_MODEL)}{$SELECTED_FIELD_MODEL->get('name')|escape}{/if}" data-value="value" class="form-control" type="text" value="{if !empty($CONDITION_INFO['value'])}{$CONDITION_INFO['value']|escape}{/if}" /> </div> <span class="d-none"> {if empty($CONDITION)} {assign var=CONDITION value="and"} {/if} - <input type="hidden" name="column_condition" value="{$CONDITION}" /> + <input type="hidden" name="column_condition" value="{$CONDITION|escape}" /> </span> <span class="col-md-1"> <button class="btn btn-danger js-condition-delete" type="button" data-js="click">
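Review bot: In the `@@ -33` hunk the `value` attribute is now escaped, but the two sibling attributes on the same `<option>` — `data-fieldtype="{$FIELD_MODEL->getFieldType()}"` and `data-field-name="{$FIELD_NAME}"` — are still emitted raw, while CreateEntity.tpl in this same commit escapes `getFieldType()`. Whether those values can carry user-controlled content is not visible here, but applying the modifier uniformly removes the need to reason per attribute: `data-fieldtype="{$FIELD_MODEL->getFieldType()|escape}" data-field-name="{$FIELD_NAME|escape}"`. The `{if ...}` that follows compares the decoded column name, so the `<option>` tag continues past the hunk.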
layouts/basic/modules/Settings/Workflows/CreateEntity.tpl+25 −25 modified@@ -17,7 +17,7 @@ <input type="hidden" id="workflowModuleName" value="{$SOURCE_MODULE}"> <input type="hidden" id="fieldValueMapping" name="field_value_mapping" value="{if !empty($TASK_OBJECT->field_value_mapping)}{\App\Purifier::encodeHtml($TASK_OBJECT->field_value_mapping)}{/if}" /> -<input type="hidden" value="{$REFERENCE_FIELD_NAME}" name="reference_field" id="reference_field" /> +<input type="hidden" value="{$REFERENCE_FIELD_NAME|escape}" name="reference_field" id="reference_field" /> <div class="js-conditions-container" id="save_fieldvaluemapping" data-js="container"> {if $RELATED_MODULE_MODEL_NAME neq ''} <div> 
@@ -42,23 +42,23 @@ {assign var=FIELD_INFO value=$FIELD_MODEL->getFieldInfo()} {if $FIELD_MODEL->getFieldDataType() == 'owner'} {$SPECIAL_OPTION = [\App\Language::translate('LBL_SPECIAL_OPTIONS') => [ - 'assigned_user_id' => \App\Language::translate('LBL_PARENT_OWNER'), - 'triggerUser' => \App\Language::translate('LBL_TRIGGER_USER',$QUALIFIED_MODULE) - ] - ]} + 'assigned_user_id' => \App\Language::translate('LBL_PARENT_OWNER'), + 'triggerUser' => \App\Language::translate('LBL_TRIGGER_USER',$QUALIFIED_MODULE) + ] + ]} {$FIELD_INFO['picklistvalues'] = array_merge($FIELD_INFO['picklistvalues'], $SPECIAL_OPTION)} {/if} - <option value="{$FIELD_MODEL->getName()}" + <option value="{$FIELD_MODEL->getName()|escape}" {if $FIELD_MAP['fieldname'] eq $FIELD_MODEL->getName()} {assign var=MANDATORY_FIELD value=$FIELD_MODEL->isMandatory()} {assign var=FIELD_TYPE value=$FIELD_MODEL->getFieldDataType()} {assign var=IS_REFERENCE value=$FIELD_MODEL->isReferenceField()} selected="" {/if} - data-fieldtype="{$FIELD_MODEL->getFieldType()}" - data-field-name="{$FIELD_MODEL->getName()}" + data-fieldtype="{$FIELD_MODEL->getFieldType()|escape}" + data-field-name="{$FIELD_MODEL->getName()|escape}" data-fieldinfo="{\App\Purifier::encodeHtml(\App\Json::encode($FIELD_INFO))}" - data-reference="{$FIELD_MODEL->isReferenceField()}"> + data-reference="{$FIELD_MODEL->isReferenceField()|escape}"> {\App\Language::translate($FIELD_MODEL->getFieldLabel(), $RELATED_MODULE_MODEL_NAME)}{if $FIELD_MODEL->isMandatory()} <span class="redColor">*</span> {/if} 
@@ -70,15 +70,15 @@ <select name="modulename" class="select2 form-control" {if ($FIELD_TYPE eq 'picklist' || $FIELD_TYPE eq 'multipicklist' || $IS_REFERENCE)} disabled="" {/if}> <option {if $FIELD_MAP['modulename'] eq $SOURCE_MODULE} selected="" {/if} - value="{$SOURCE_MODULE}">{\App\Language::translate('LBL_SOURCE_MODULE', $QUALIFIED_MODULE)}: {\App\Language::translate($SOURCE_MODULE, $SOURCE_MODULE)}</option> + value="{$SOURCE_MODULE|escape}">{\App\Language::translate('LBL_SOURCE_MODULE', $QUALIFIED_MODULE)}: {\App\Language::translate($SOURCE_MODULE, $SOURCE_MODULE)}</option> <option {if $FIELD_MAP['modulename'] eq {'destinyModule::'|cat:$RELATED_MODULE_MODEL_NAME} || ($FIELD_MAP['modulename'] eq $RELATED_MODULE_MODEL_NAME && $SOURCE_MODULE neq $RELATED_MODULE_MODEL_NAME)} selected="" {/if} - value="destinyModule::{$RELATED_MODULE_MODEL_NAME}">{\App\Language::translate('LBL_DESTINY_MODULE', $QUALIFIED_MODULE)} {\App\Language::translate($RELATED_MODULE_MODEL_NAME, $RELATED_MODULE_MODEL_NAME)}</option> + value="destinyModule::{$RELATED_MODULE_MODEL_NAME|escape}">{\App\Language::translate('LBL_DESTINY_MODULE', $QUALIFIED_MODULE)} {\App\Language::translate($RELATED_MODULE_MODEL_NAME, $RELATED_MODULE_MODEL_NAME)}</option> </select> </div> <div class="fieldUiHolder col-md-4"> <input type="text" class="getPopupUi form-control" readonly="" name="fieldValue" - value="{$FIELD_MAP['value']}" /> - <input type="hidden" name="valuetype" value="{$FIELD_MAP['valuetype']}" /> + value="{$FIELD_MAP['value']|escape}" /> + <input type="hidden" name="valuetype" value="{$FIELD_MAP['valuetype']|escape}" /> </div> {if $MANDATORY_FIELD neq true || $MAPPING_PANEL} <button type="button" class="btn btn-danger js-condition-delete" data-js="click"> 
@@ -113,22 +113,22 @@ {assign var=FIELD_INFO value=$FIELD_MODEL->getFieldInfo()} {if $FIELD_MODEL->getFieldDataType() == 'owner'} {$SPECIAL_OPTION = [\App\Language::translate('LBL_SPECIAL_OPTIONS') => [ - 'assigned_user_id' => \App\Language::translate('LBL_PARENT_OWNER'), - 'triggerUser' => \App\Language::translate('LBL_TRIGGER_USER',$QUALIFIED_MODULE) - ] - ]} + 'assigned_user_id' => \App\Language::translate('LBL_PARENT_OWNER'), + 'triggerUser' => \App\Language::translate('LBL_TRIGGER_USER',$QUALIFIED_MODULE) + ] + ]} {$FIELD_INFO['picklistvalues'] = array_merge($FIELD_INFO['picklistvalues'], $SPECIAL_OPTION)} {/if} - <option value="{$FIELD_MODEL->getName()}" + <option value="{$FIELD_MODEL->getName()|escape}" data-fieldtype="{$FIELD_MODEL->getFieldType()}" {if $FIELD_MODEL->getName() eq $MANDATORY_FIELD_MODEL->getName()} {assign var=FIELD_TYPE value=$FIELD_MODEL->getFieldDataType()} {assign var=IS_REFERENCE value=$FIELD_MODEL->isReferenceField()} selected="" {/if} - data-field-name="{$FIELD_MODEL->getName()}" + data-field-name="{$FIELD_MODEL->getName()|escape}" data-fieldinfo="{\App\Purifier::encodeHtml(\App\Json::encode($FIELD_INFO))}" - data-reference="{$FIELD_MODEL->isReferenceField()}"> + data-reference="{$FIELD_MODEL->isReferenceField()|escape}"> {\App\Language::translate($FIELD_MODEL->getFieldLabel(), $RELATED_MODULE_MODEL->getName())} <span class="redColor">*</span> </option> 
@@ -140,7 +140,7 @@ class="select2 form-control" {if ($FIELD_TYPE eq 'picklist' || $FIELD_TYPE eq 'multipicklist' || $IS_REFERENCE)} disabled="" {/if}> <option value="{$SOURCE_MODULE}">{\App\Language::translate('LBL_SOURCE_MODULE', $QUALIFIED_MODULE)}: {\App\Language::translate($SOURCE_MODULE, $SOURCE_MODULE)}</option> <option {if ($FIELD_TYPE eq 'picklist' || $FIELD_TYPE eq 'multipicklist')} selected="" {/if} - value="destinyModule::{$RELATED_MODULE_MODEL->get('name')}">{\App\Language::translate('LBL_DESTINY_MODULE', $QUALIFIED_MODULE)} {\App\Language::translate($RELATED_MODULE_MODEL->get('name'),$RELATED_MODULE_MODEL->get('name'))}</option> + value="destinyModule::{$RELATED_MODULE_MODEL->get('name')|escape}">{\App\Language::translate('LBL_DESTINY_MODULE', $QUALIFIED_MODULE)} {\App\Language::translate($RELATED_MODULE_MODEL->get('name'),$RELATED_MODULE_MODEL->get('name'))}</option> </select> </span> <span class="fieldUiHolder col-md-4"> @@ -162,10 +162,10 @@ {if $REFERENCE_FIELD_NAME eq $FIELD_MODEL->getName()} {continue} {/if} {assign var=FIELD_INFO value=$FIELD_MODEL->getFieldInfo()} {if $FIELD_MODEL->isWritable() && ($MAPPING_PANEL || (!$FIELD_MODEL->isMandatory() && !$MAPPING_PANEL))} - <option value="{$FIELD_MODEL->getName()}" data-fieldtype="{$FIELD_MODEL->getFieldType()}" - data-field-name="{$FIELD_MODEL->getName()}" + <option value="{$FIELD_MODEL->getName()|escape}" data-fieldtype="{$FIELD_MODEL->getFieldType()|escape}" + data-field-name="{$FIELD_MODEL->getName()|escape}" data-fieldinfo="{\App\Purifier::encodeHtml(\App\Json::encode($FIELD_INFO))}" - data-reference="{$FIELD_MODEL->isReferenceField()}"> + data-reference="{$FIELD_MODEL->isReferenceField()|escape}"> {\App\Language::translate($FIELD_MODEL->getFieldLabel(), $RELATED_MODULE_MODEL_NAME)} </option> {/if} 
@@ -175,7 +175,7 @@ <div class="col-md-3"> <select name="modulename" class="form-control"> <option value="{$SOURCE_MODULE}">{\App\Language::translate('LBL_SOURCE_MODULE', $QUALIFIED_MODULE)} {\App\Language::translate($SOURCE_MODULE, $SOURCE_MODULE)}</option> - <option value="destinyModule::{$RELATED_MODULE_MODEL->get('name')}">{\App\Language::translate('LBL_DESTINY_MODULE', $QUALIFIED_MODULE)} {\App\Language::translate($RELATED_MODULE_MODEL->get('name'), $RELATED_MODULE_MODEL->get('name'))}</option> + <option value="destinyModule::{$RELATED_MODULE_MODEL->get('name')|escape}">{\App\Language::translate('LBL_DESTINY_MODULE', $QUALIFIED_MODULE)} {\App\Language::translate($RELATED_MODULE_MODEL->get('name'), $RELATED_MODULE_MODEL->get('name'))}</option> </select> </div> <div class="fieldUiHolder col-md-4">
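Review bot: The escaping is applied unevenly across this file's hunks: `@@ -70` now escapes `value="{$SOURCE_MODULE|escape}"`, but the `@@ -140` and `@@ -175` hunks leave the identical `<option value="{$SOURCE_MODULE}">` unescaped, and `@@ -113` leaves `data-fieldtype="{$FIELD_MODEL->getFieldType()}"` raw while `@@ -42` and `@@ -162` escape it. Those are context lines, so the commit as-is ships both forms of the same expression; the one-line change per site is `value="{$SOURCE_MODULE|escape}"` and `data-fieldtype="{$FIELD_MODEL->getFieldType()|escape}"`. Escaping `isReferenceField()` (a boolean judging by its name, not verified here) is harmless but noise. Each `<select>` these options belong to opens or closes outside the hunk shown.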
layouts/basic/modules/Settings/Workflows/EditTask.tpl+5 −5 modified@@ -21,13 +21,13 @@ </button> </div> <form class="form-horizontal" id="saveTask" method="post" action="index.php"> - <input type="hidden" name="module" value="{$MODULE}" /> + <input type="hidden" name="module" value="{$MODULE|escape}" /> <input type="hidden" name="parent" value="Settings" /> <input type="hidden" name="action" value="TaskAjax" /> <input type="hidden" name="mode" value="save" /> <input type="hidden" name="for_workflow" value="{$WORKFLOW_ID}" /> <input type="hidden" name="task_id" value="{$TASK_ID}" /> - <input type="hidden" name="taskType" id="taskType" value="{$TASK_TYPE_MODEL->get('tasktypename')}" /> + <input type="hidden" name="taskType" id="taskType" value="{\App\Purifier::encodeHtml($TASK_TYPE_MODEL->get('tasktypename'))}" /> <div class="modal-body tabbable"> <div class="form-row pb-3"> <div class="col-md-2"> @@ -38,7 +38,7 @@ </div> <div class="col-md-5"> <input name="summary" class="form-control" data-validation-engine='validate[required]' - type="text" value="{$TASK_MODEL->get('summary')}" /> + type="text" value="{\App\Purifier::encodeHtml($TASK_MODEL->get('summary'))}" /> </div> <div class="col-md-4 form-control-plaintext"> <div class="float-left">{\App\Language::translate('LBL_STATUS',$QUALIFIED_MODULE)}</div> @@ -77,7 +77,7 @@ id="checkSelectDateContainer"> <div class="col-md-2"> <input class="form-control" type="text" name="select_date_days" - value="{if !empty($DAYS)}{$DAYS}{/if}" + value="{if !empty($DAYS)}{$DAYS|escape}{/if}" data-validation-engine="validate[funcCall[Vtiger_WholeNumber_Validator_Js.invokeValidation]]"> </div> <div class="col-form-label float-left alignMiddle">{\App\Language::translate('LBL_DAYS',$QUALIFIED_MODULE)}</div> 
@@ -93,7 +93,7 @@ <select class="select2" name="select_date_field"> {foreach from=$DATETIME_FIELDS item=DATETIME_FIELD} <option {if !empty($TRIGGER['field']) && ($TRIGGER['field'] eq $DATETIME_FIELD->get('name'))} selected="" {/if} - value="{$DATETIME_FIELD->get('name')}">{\App\Language::translate($DATETIME_FIELD->get('label'), $DATETIME_FIELD->getModuleName())}</option> + value="{$DATETIME_FIELD->get('name')|escape}">{\App\Language::translate($DATETIME_FIELD->get('label'), $DATETIME_FIELD->getModuleName())}</option> {/foreach} </select> </div>
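Review bot: The `@@ -21` hunk mixes two escaping idioms on adjacent lines — `{$MODULE|escape}` and `{\App\Purifier::encodeHtml($TASK_TYPE_MODEL->get('tasktypename'))}` — and the `@@ -38` hunk uses the Purifier form again for `summary`. Unless the two behave differently for this data (not determinable from the hunk), pick one so reviewers can grep for unescaped output; `value="{$TASK_TYPE_MODEL->get('tasktypename')|escape}"` keeps the file consistent with the other templates in this commit. `for_workflow` and `task_id` on the lines between remain unescaped; they read as numeric ids, but that is inferred from the names rather than shown. The `<form>` opened in this hunk closes outside it.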
layouts/basic/modules/Settings/Workflows/FieldExpressions.tpl+20 −14 modified@@ -6,7 +6,7 @@ * The Initial Developer of the Original Code is vtiger. * Portions created by vtiger are Copyright (C) vtiger. * All Rights Reserved. -* +* Contributor(s): YetiForce S.A. ********************************************************************************/ -->*} {strip} 
@@ -37,27 +37,27 @@ </select> </span> <span class="col-md-4 d-none useFieldContainer"> - <span name="{$MODULE_MODEL->get('name')}" class="useFieldElement"> + <span name="{$MODULE_MODEL->get('name')|escape}" class="useFieldElement"> {assign var=MODULE_FIELDS value=$MODULE_MODEL->getFields()} <select class="useField form-control" - data-placeholder="{\App\Language::translate('LBL_USE_FIELD',$QUALIFIED_MODULE)}"> + data-placeholder="{\App\Language::translate('LBL_USE_FIELD',$QUALIFIED_MODULE)}"> <option></option> <optgroup> {foreach from=$MODULE_FIELDS item=MODULE_FIELD} - <option value="{$MODULE_FIELD->getName()}">{\App\Language::translate($MODULE_FIELD->get('label'),$MODULE_MODEL->getName())}</option> + <option value="{$MODULE_FIELD->getName()|escape}">{\App\Language::translate($MODULE_FIELD->get('label'),$MODULE_MODEL->getName())}</option> {/foreach} </optgroup> </select> </span> {if !empty($RELATED_MODULE_MODEL)} - <span name="{$RELATED_MODULE_MODEL->get('name')}" class="useFieldElement"> + <span name="{$RELATED_MODULE_MODEL->get('name')|escape}" class="useFieldElement"> {assign var=MODULE_FIELDS value=$RELATED_MODULE_MODEL->getFields()} <select class="useField form-control" - data-placeholder="{\App\Language::translate('LBL_USE_FIELD',$QUALIFIED_MODULE)}"> + data-placeholder="{\App\Language::translate('LBL_USE_FIELD',$QUALIFIED_MODULE)}"> <option></option> <optgroup> {foreach from=$MODULE_FIELDS item=MODULE_FIELD} - <option value="{$MODULE_FIELD->getName()}">{\App\Language::translate($MODULE_FIELD->get('label'), $MODULE_FIELD->getModuleName())}</option> + <option value="{$MODULE_FIELD->getName()|escape}">{\App\Language::translate($MODULE_FIELD->get('label'), $MODULE_FIELD->getModuleName())}</option> {/foreach} </optgroup> </select> 
@@ -66,33 +66,39 @@ </span> <span class="col-md-4 d-none useFunctionContainer"> <select class="useFunction form-control" - data-placeholder="{\App\Language::translate('LBL_USE_FUNCTION',$QUALIFIED_MODULE)}"> + data-placeholder="{\App\Language::translate('LBL_USE_FUNCTION',$QUALIFIED_MODULE)}"> <option></option> <optgroup> {foreach from=$FIELD_EXPRESSIONS key=FIELD_EXPRESSION_VALUE item=FIELD_EXPRESSIONS_KEY} - <option value="{$FIELD_EXPRESSIONS_KEY}">{\App\Language::translate($FIELD_EXPRESSION_VALUE,$QUALIFIED_MODULE)}</option> + <option value="{$FIELD_EXPRESSIONS_KEY|escape}">{\App\Language::translate($FIELD_EXPRESSION_VALUE,$QUALIFIED_MODULE)}</option> {/foreach} </optgroup> </select> </span> </div> - <br/> + <br /> <div class="fieldValueContainer"> <textarea data-textarea="true" class="fieldValue form-control"></textarea> </div> - <br/> + <br /> <div id="rawtext_help" class="alert alert-info helpmessagebox d-none"> - <p><h5>{\App\Language::translate('LBL_RAW_TEXT',$QUALIFIED_MODULE)}</h5></p> + <p> + <h5>{\App\Language::translate('LBL_RAW_TEXT',$QUALIFIED_MODULE)}</h5> + </p> <p>2000</p> <p>{\App\Language::translate('LBL_VTIGER',$QUALIFIED_MODULE)}</p> </div> <div id="fieldname_help" class="helpmessagebox alert alert-info d-none"> - <p><h5>{\App\Language::translate('LBL_EXAMPLE_FIELD_NAME',$QUALIFIED_MODULE)}</h5></p> + <p> + <h5>{\App\Language::translate('LBL_EXAMPLE_FIELD_NAME',$QUALIFIED_MODULE)}</h5> + </p> <p>{\App\Language::translate('LBL_ANNUAL_REVENUE',$QUALIFIED_MODULE)}</p> <p>{\App\Language::translate('LBL_NOTIFY_OWNER',$QUALIFIED_MODULE)}</p> </div> <div id="expression_help" class="alert alert-info helpmessagebox d-none"> - <p><h5>{\App\Language::translate('LBL_EXAMPLE_EXPRESSION',$QUALIFIED_MODULE)}</h5></p> + <p> + <h5>{\App\Language::translate('LBL_EXAMPLE_EXPRESSION',$QUALIFIED_MODULE)}</h5> + </p> <p>{\App\Language::translate('LBL_ANNUAL_REVENUE',$QUALIFIED_MODULE)}/12</p> 
<p>{\App\Language::translate('LBL_EXPRESSION_EXAMPLE2',$QUALIFIED_MODULE)}</p> </div>
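Review bot: Splitting `<p><h5>…</h5></p>` over three lines in the `@@ -66` hunk does not fix the markup: an `<h5>` cannot be a child of `<p>`, so the HTML parser closes the `<p>` before the heading and leaves a stray `</p>`, exactly as before the reformat. Dropping the wrapping `<p>` and keeping `<h5>{\App\Language::translate('LBL_RAW_TEXT',$QUALIFIED_MODULE)}</h5>` (same for the other two help boxes) gives the intended structure. The `|escape` additions on the `<option value>` attributes in the `@@ -37` and `@@ -66` hunks are consistent with each other.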
layouts/basic/modules/Settings/Workflows/LineItemsGroupTemplate.tpl+0 −112 removed@@ -1,112 +0,0 @@ -{*<!-- -/********************************************************************************* -** The contents of this file are subject to the vtiger CRM Public License Version 1.0 -* ("License"); You may not use this file except in compliance with the License -* The Original Code is: vtiger CRM Open Source -* The Initial Developer of the Original Code is vtiger. -* Portions created by vtiger are Copyright (C) vtiger. -* All Rights Reserved. -* -********************************************************************************/ --->*} - -{strip} - <div class="template-contents"> - <table border=1 style="font-size:11px; width:100%; table-layout: fixed; border-collapse: collapse;"> - <thead> - <tr bgcolor=#c0c0c0> - <td style="text-align: center"> - <strong>Item Code</strong> - </td> - <td style="text-align: center"> - <strong>Item Name</strong> - </td> - <td style="text-align: center"> - <strong>Quantity</strong> - </td> - <td style="text-align: center"> - <strong>List Price</strong> - </td> - <td style="text-align: center"> - <strong>Item Total</strong> - </td> - <td style="text-align: center"> - <strong>Discount</strong> - </td> - <td style="text-align: center"> - <strong>Total After Discount</strong> - </td> - <td style="text-align: center"> - <strong>Total</strong> - </td> - </tr> - </thead> - <tbody> - <!-- foreach item=LINEITEM from=$RECORD.LINEITEMS --> - <tr> - <td align=right style="text-align: center; vertical-align : top; word-wrap: break-word;"> - {literal} {$LINEITEM.hdnProductcode} {/literal} - </td> - <td align=right style="text-align: center; vertical-align : top; word-wrap: break-word;"> - {literal} {$LINEITEM.productName} {/literal} - </td> - <td align=right style="text-align: right; vertical-align : top; word-wrap: break-word;"> - {literal} {$LINEITEM.quantity} {/literal} - </td> - <td align=right style="text-align: right; vertical-align : top; 
word-wrap: break-word;"> - {literal} {$LINEITEM.listprice} {/literal} - </td> - <td align=right style="text-align: right; vertical-align : top; word-wrap: break-word;"> - {literal} {$LINEITEM.productTotal} {/literal} - </td> - <td align=right style="text-align: right; vertical-align : top; word-wrap: break-word;"> - {literal}{$LINEITEM.discount_amount}{/literal} - ({literal}{$LINEITEM.discount_percent}{/literal} %) - </td> - <td align=left style="text-align: right; vertical-align : top; word-wrap: break-word;"> - {literal} {$LINEITEM.totalAfterDiscount} {/literal} - </td> - <td align=right style="text-align: right; vertical-align : top; word-wrap: break-word;"> - {literal} {$LINEITEM.netPrice} {/literal} - </td> - </tr> - <!-- /foreach --> - <tr> - <td colspan=7 style="word-wrap: break-word; text-align: right;">Items Total</td> - <td style="text-align: right; word-wrap: break-word;"> - {literal} {$RECORD.hdnSubTotal} {/literal} - </td> - </tr> - <tr> - <td colspan=7 style="word-wrap: break-word; text-align: right;">Discount({literal}{$RECORD.discount_percentage_final}{/literal}%)</td> - <td style="text-align: right; word-wrap: break-word;"> - {literal}{$RECORD.discountTotal_final}{/literal} - </td> - </tr> - <tr> - <td colspan=7 style="word-wrap: break-word; text-align: right;">Pre Tax Total</td> - <td style="text-align: right; word-wrap: break-word;"> - {literal}{$RECORD.pre_tax_total}{/literal} - </td> - </tr> - <tr> - <td colspan=7 style="word-wrap: break-word; text-align: right;">Tax({literal}{$RECORD.tax_totalpercent}{/literal})%</td> - <td style="text-align: right; word-wrap: break-word;"> - {literal}{$RECORD.tax_totalamount}{/literal} - </td> - </tr> - <tr> - <td colspan=7 style="word-wrap: break-word; text-align: right;"> - <span style="font-weight: bold">GRAND TOTAL</span> - <strong style=" word-wrap: break-word;"> - ({literal}{$RECORD.currency_symbol}{/literal}) - </strong> - </td> - <td style="text-align: right; word-wrap: break-word;"> - <strong style=" 
word-wrap: break-word;">{literal}{$RECORD.hdnGrandTotal}{/literal}</strong> - </td> - </tr> - </tbody> - </table> - </div> -{/strip}
layouts/basic/modules/Settings/Workflows/LineItemsIndividualTemplate.tpl+0 −113 removed@@ -1,113 +0,0 @@ -{*<!-- -/********************************************************************************* -** The contents of this file are subject to the vtiger CRM Public License Version 1.0 -* ("License"); You may not use this file except in compliance with the License -* The Original Code is: vtiger CRM Open Source -* The Initial Developer of the Original Code is vtiger. -* Portions created by vtiger are Copyright (C) vtiger. -* All Rights Reserved. -* -********************************************************************************/ --->*} - -{strip} - <div class="template-contents"> - <table border=1 style="font-size:11px; width:100%; table-layout: fixed; border-collapse: collapse;"> - <thead> - <tr bgcolor=#c0c0c0> - <td style="text-align: center"> - <strong>Item Code</strong> - </td> - <td style="text-align: center"> - <strong>Item Name</strong> - </td> - <td style="text-align: center"> - <strong>Quantity</strong> - </td> - <td style="text-align: center"> - <strong>List Price</strong> - </td> - <td style="text-align: center"> - <strong>Item Total</strong> - </td> - <td style="text-align: center"> - <strong>Discount</strong> - </td> - <td style="text-align: center"> - <strong>Total After Discount</strong> - </td> - <td style="text-align: center"> - <strong>Tax</strong> - </td> - <td style="text-align: center"> - <strong>Total</strong> - </td> - </tr> - </thead> - <tbody> - <!-- foreach item=LINEITEM from=$RECORD.LINEITEMS --> - <tr> - <td align=right style="text-align: center; vertical-align : top; word-wrap: break-word;"> - {literal} {$LINEITEM.hdnProductcode} {/literal} - </td> - <td align=right style="text-align: center; vertical-align : top; word-wrap: break-word;"> - {literal} {$LINEITEM.productName} {/literal} - </td> - <td align=right style="text-align: right; vertical-align : top; word-wrap: break-word;"> - {literal} {$LINEITEM.quantity} {/literal} - </td> - 
<td align=right style="text-align: right; vertical-align : top; word-wrap: break-word;"> - {literal} {$LINEITEM.listprice} {/literal} - </td> - <td align=right style="text-align: right; vertical-align : top; word-wrap: break-word;"> - {literal} {$LINEITEM.productTotal} {/literal} - </td> - <td align=right style="text-align: right; vertical-align : top; word-wrap: break-word;"> - {literal}{$LINEITEM.discount_amount}{/literal} - ({literal}{$LINEITEM.discount_percent}{/literal} %) - </td> - <td align=left style="text-align: right; vertical-align : top; word-wrap: break-word;"> - {literal} {$LINEITEM.totalAfterDiscount} {/literal} - </td> - <td align=right style="text-align: right; vertical-align : top; word-wrap: break-word;"> - {literal} {$LINEITEM.taxTotal} {/literal} - ({literal}{$LINEITEM.item_tax_totalpercent}{/literal} %) - </td> - <td align=right style="text-align: right; vertical-align : top; word-wrap: break-word;"> - {literal} {$LINEITEM.netPrice} {/literal} - </td> - </tr> - <!-- /foreach --> - <tr> - <td colspan=8 style="word-wrap: break-word; text-align: right;">Items Total</td> - <td style="text-align: right; word-wrap: break-word;"> - {literal} {$RECORD.hdnSubTotal} {/literal} - </td> - </tr> - <tr> - <td colspan=8 style="word-wrap: break-word; text-align: right;">Discount({literal}{$RECORD.discount_percentage_final}{/literal}%)</td> - <td style="text-align: right; word-wrap: break-word;"> - {literal}{$RECORD.discountTotal_final}{/literal} - </td> - </tr> - <tr> - <td colspan=8 style="word-wrap: break-word; text-align: right;">Pre Tax Total</td> - <td style="text-align: right; word-wrap: break-word;"> - {literal}{$RECORD.pre_tax_total}{/literal} - </td> - </tr> - <tr> - <td colspan=8 style="word-wrap: break-word; text-align: right;"> - <span style="font-weight: bold">GRAND TOTAL</span> - <strong style=" word-wrap: break-word;"> - ({literal}{$RECORD.currency_symbol}{/literal}) - </strong> - </td> - <td style="text-align: right; word-wrap: break-word;"> - 
<strong style=" word-wrap: break-word;">{literal}{$RECORD.hdnGrandTotal}{/literal}</strong> - </td> - </tr> - </tbody> - </table> - </div> -{/strip}
layouts/basic/modules/Settings/Workflows/ListViewContents.tpl+9 −9 modified@@ -15,8 +15,8 @@ <input type="hidden" id="previousPageExist" value="{$PAGING_MODEL->isPrevPageExists()}" /> <input type="hidden" id="nextPageExist" value="{$PAGING_MODEL->isNextPageExists()}" /> <input type="hidden" id="totalCount" value="{$LISTVIEW_COUNT}" /> - <input type="hidden" value="{$ORDER_BY}" id="orderBy" /> - <input type="hidden" value="{$SORT_ORDER}" id="sortOrder" /> + <input type="hidden" value="{$ORDER_BY|escape}" id="orderBy" /> + <input type="hidden" value="{$SORT_ORDER|escape}" id="sortOrder" /> <input type="hidden" id="totalCount" value="{$LISTVIEW_COUNT}" /> <input type='hidden' value="{$PAGE_NUMBER}" id='pageNumber'> <input type='hidden' value="{$PAGING_MODEL->getPageLimit()}" id='pageLimit'> @@ -34,8 +34,8 @@ {assign var=WIDTH value={99/(count($LISTVIEW_HEADERS))}} {foreach item=LISTVIEW_HEADER from=$LISTVIEW_HEADERS} <th nowrap class="{$WIDTHTYPE}"> - <a {if !($LISTVIEW_HEADER->has('sort'))} class="listViewHeaderValues u-cursor-pointer js-listview_header" data-js="click" data-nextsortorderval="{if $COLUMN_NAME eq $LISTVIEW_HEADER->get('name')}{$NEXT_SORT_ORDER}{else}ASC{/if}" data-columnname="{$LISTVIEW_HEADER->get('name')}" {/if}>{\App\Language::translate($LISTVIEW_HEADER->get('label'), $QUALIFIED_MODULE)} - {if $COLUMN_NAME eq $LISTVIEW_HEADER->get('name')} <span class="{$SORT_IMAGE}"></span>{/if}</a> + <a {if !($LISTVIEW_HEADER->has('sort'))} class="listViewHeaderValues u-cursor-pointer js-listview_header" data-js="click" data-nextsortorderval="{if $COLUMN_NAME eq $LISTVIEW_HEADER->get('name')}{$NEXT_SORT_ORDER}{else}ASC{/if}" data-columnname="{$LISTVIEW_HEADER->get('name')|escape}" {/if}>{\App\Language::translate($LISTVIEW_HEADER->get('label'), $QUALIFIED_MODULE)} + {if $COLUMN_NAME eq $LISTVIEW_HEADER->get('name')} <span class="{$SORT_IMAGE|escape}"></span>{/if}</a> </th> {/foreach} <th width='15%'></th> 
@@ -44,7 +44,7 @@ <tbody> {foreach item=LISTVIEW_ENTRY from=$LISTVIEW_ENTRIES} <tr class="listViewEntries" data-id="{$LISTVIEW_ENTRY->getId()}" - {if method_exists($LISTVIEW_ENTRY,'getDetailViewUrl')}data-recordurl="{$LISTVIEW_ENTRY->getDetailViewUrl()}" {/if}> + {if method_exists($LISTVIEW_ENTRY,'getDetailViewUrl')}data-recordurl="{$LISTVIEW_ENTRY->getDetailViewUrl()|escape}" {/if}> {foreach item=LISTVIEW_HEADER from=$LISTVIEW_HEADERS} {assign var=LISTVIEW_HEADERNAME value=$LISTVIEW_HEADER->get('name')} {if $LISTVIEW_HEADERNAME eq 'all_tasks'} @@ -53,7 +53,7 @@ {assign var=ACTIVE_TASKS value=$LISTVIEW_ENTRY->getDisplayValue($LISTVIEW_HEADERNAME)} {/if} {assign var=LAST_COLUMN value=$LISTVIEW_HEADER@last} - <td class="listViewEntryValue {$WIDTHTYPE}" data-name="{$LISTVIEW_HEADERNAME}"> + <td class="listViewEntryValue {$WIDTHTYPE}" data-name="{$LISTVIEW_HEADERNAME|escape}"> {$LISTVIEW_ENTRY->getDisplayValue($LISTVIEW_HEADERNAME)} {if $LAST_COLUMN && $LISTVIEW_ENTRY->getRecordLinks()} </td> @@ -66,14 +66,14 @@ onclick="{$RECORD_LINK_URL|substr:strlen("javascript:")};if (event.stopPropagation){ldelim} event.stopPropagation();{rdelim} else{ldelim} event.cancelBubble = true;{rdelim}" {else} - href='{$RECORD_LINK_URL}' + href='{$RECORD_LINK_URL|escape}' {/if} - class="{$RECORD_LINK->get('class')} + class="{$RECORD_LINK->get('class')|escape} {if ($RECORD_LINK->getLabel() eq 'LBL_ACTIVATION_TASKS' && $ACTIVE_TASKS eq $ALL_TASKS) || ($RECORD_LINK->getLabel() eq 'LBL_DEACTIVATION_TASKS' && $ACTIVE_TASKS eq 0)} {' '}d-none {/if}"> - <span class="{$RECORD_LINK->getIcon()}" title="{\App\Language::translate($RECORD_LINK->getLabel(), $QUALIFIED_MODULE)}"></span> + <span class="{$RECORD_LINK->getIcon()|escape}" title="{\App\Language::translate($RECORD_LINK->getLabel(), $QUALIFIED_MODULE)}"></span> </a> {if !$RECORD_LINK@last}
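Review bot: In the header `<a>` of the second hunk, `data-nextsortorderval="{if …}{$NEXT_SORT_ORDER}{else}ASC{/if}"` and, in the first hunk, `value="{$PAGE_NUMBER}"` are still emitted raw although the sibling `$ORDER_BY`/`$SORT_ORDER` inputs gained `|escape`; these presumably come from the same request parameters, so the same treatment applies: `data-nextsortorderval="{if $COLUMN_NAME eq $LISTVIEW_HEADER->get('name')}{$NEXT_SORT_ORDER|escape}{else}ASC{/if}"` and `value="{$PAGE_NUMBER|escape}"`. The cell body `{$LISTVIEW_ENTRY->getDisplayValue($LISTVIEW_HEADERNAME)}` in the third hunk is also unescaped; if `getDisplayValue` returns the stored summary without encoding, that is the list-view sink for the stored XSS and attribute escaping alone will not close it — worth confirming against the record model. The `onclick="{$RECORD_LINK_URL|substr:strlen("javascript:")}…"` branch is a JavaScript context that HTML escaping cannot cover anyway, so it is only safe if record-link URLs are never derived from user data.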
layouts/basic/modules/Settings/Workflows/ListViewHeader.tpl+3 −3 modified@@ -41,13 +41,13 @@ <div class="listViewActionsDi row my-2"> <div class="col-lg-4 btn-toolbar d-flex justify-content-between justify-content-lg-start"> <button class="btn btn-success addButton" {if stripos($MODULE_MODEL->getCreateViewUrl(), 'javascript:')===0} onclick="{$MODULE_MODEL->getCreateViewUrl()|substr:strlen('javascript:')};" - {else} onclick='window.location.href = "{$MODULE_MODEL->getCreateViewUrl()}"' + {else} onclick='window.location.href = "{$MODULE_MODEL->getCreateViewUrl()|escape}"' {/if}> <i class="fas fa-plus"></i> <strong>{\App\Language::translate('LBL_NEW', $QUALIFIED_MODULE)} {\App\Language::translate('LBL_WORKFLOW',$QUALIFIED_MODULE)}</strong> </button> <button class="btn btn-outline-secondary ml-1 importButton" id="importButton" - data-url="{Settings_Workflows_Module_Model::getImportViewUrl()}" + data-url="{Settings_Workflows_Module_Model::getImportViewUrl()|escape}" title="{\App\Language::translate('LBL_IMPORT_TEMPLATE', $QUALIFIED_MODULE)}"> <i class="fas fa-download"></i> </button> @@ -61,7 +61,7 @@ <option value="">{\App\Language::translate('LBL_ALL', $QUALIFIED_MODULE)}</option> {foreach item=MODULE_MODEL key=TAB_ID from=$SUPPORTED_MODULE_MODELS} <option {if !empty($SOURCE_MODULE) && $SOURCE_MODULE eq $MODULE_MODEL->getName()} selected="" {/if} - value="{$MODULE_MODEL->getName()}"> + value="{$MODULE_MODEL->getName()|escape}"> {\App\Language::translate($MODULE_MODEL->getName(),$MODULE_MODEL->getName())} </option> {/foreach}
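Review bot: `onclick='window.location.href = "{$MODULE_MODEL->getCreateViewUrl()|escape}"'` in the first hunk escapes for the HTML attribute only, but the value is then parsed as a JavaScript string literal: the browser decodes `&quot;` back to `"` before the handler runs, so a double quote in the URL would still terminate the string and allow appended script. The default Smarty `|escape` is the wrong filter for that context; either chain `|escape:'javascript'|escape` or, cleaner, remove the inline handler and expose the URL as `data-url="{$MODULE_MODEL->getCreateViewUrl()|escape}"` for the module's JS to read, mirroring the import button just below. Whether this is reachable depends on `getCreateViewUrl()` ever being influenced by user data, which is not visible here; the `javascript:` branch directly above injects the value with no escaping at all and carries the same caveat.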
layouts/basic/modules/Settings/Workflows/SortActionsModal.tpl+2 −2 modified@@ -7,15 +7,15 @@ {App\Language::translate('LBL_SELECT_WORKFLOW', $QUALIFIED_MODULE)}<br /> <select class="select2 form-control js-workflow-for-sort" data-js="value"> {foreach key=WORKFLOW_ID item=ACTION from=$WORKFLOW_ACTIONS} - <option value="{$WORKFLOW_ID}">{$ACTION['summary']}</option> + <option value="{$WORKFLOW_ID}">{\App\Purifier::encodeHtml($ACTION['summary'])}</option> {/foreach} </select> </div> <div class="form-group"> {App\Language::translate('LBL_SET_WORKFLOW_BEFORE', $QUALIFIED_MODULE)}<br /> <select class="select2 form-control js-workflow-before" data-js="value"> {foreach key=WORKFLOW_ID item=ACTION from=$WORKFLOW_ACTIONS} - <option value="{$WORKFLOW_ID}">{$ACTION['summary']}</option> + <option value="{$WORKFLOW_ID}">{\App\Purifier::encodeHtml($ACTION['summary'])}</option> {/foreach} </select> </div>
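Review bot: `value="{$WORKFLOW_ID}"` in both `<option>` elements of this hunk stays unescaped while the adjacent summary text is now encoded; the key of `$WORKFLOW_ACTIONS` is presumably an integer workflow id, but nothing in the template enforces that, so `value="{$WORKFLOW_ID|escape}"` costs nothing and keeps the rule "every interpolation is escaped" uniform. Stylistically the commit now uses two mechanisms side by side — `\App\Purifier::encodeHtml(...)` here and `|escape` in the other templates — for the same kind of plain-text value; settling on one would make later audits of these templates simpler.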
layouts/basic/modules/Settings/Workflows/Step1.tpl+16 −15 modified@@ -5,38 +5,39 @@ * The Initial Developer of the Original Code is vtiger. * Portions created by vtiger are Copyright (C) vtiger. * All Rights Reserved. +* Contributor(s): YetiForce S.A. *************************************************************************************} {strip} <div class="tpl-Settings-Workflows-Step1 workFlowContents"> <form name="EditWorkflow" action="index.php" method="post" id="workflow_step1" class="form-horizontal"> <input type="hidden" name="module" value="Workflows"> <input type="hidden" name="view" value="Edit"> - <input type="hidden" name="mode" value="Step2"/> - <input type="hidden" name="parent" value="Settings"/> - <input type="hidden" class="step" value="1"/> - <input type="hidden" name="record" value="{$RECORDID}"/> - <input type="hidden" id="weekStartDay" data-value='{$WEEK_START_ID}'/> + <input type="hidden" name="mode" value="Step2" /> + <input type="hidden" name="parent" value="Settings" /> + <input type="hidden" class="step" value="1" /> + <input type="hidden" name="record" value="{$RECORDID}" /> + <input type="hidden" id="weekStartDay" data-value='{$WEEK_START_ID|escape}' /> <div class="u-p-1per border"> <label> <strong>{\App\Language::translate('LBL_STEP_1',$QUALIFIED_MODULE)} : {\App\Language::translate('LBL_ENTER_BASIC_DETAILS_OF_THE_WORKFLOW',$QUALIFIED_MODULE)}</strong> </label> - <br/> + <br /> <div class="form-group form-row"> <label class="col-sm-3 col-form-label u-text-small-bold text-right"> {\App\Language::translate('LBL_SELECT_MODULE', $QUALIFIED_MODULE)} </label> <div class="col-sm-6 controls"> {if isset($MODE) && $MODE eq 'edit'} <input type='text' disabled='disabled' class="form-control" - value="{\App\Language::translate($MODULE_MODEL->getName(), $MODULE_MODEL->getName())}"> - <input type='hidden' name='module_name' value="{$MODULE_MODEL->get('name')}"> + value="{\App\Language::translate($MODULE_MODEL->getName(), $MODULE_MODEL->getName())}"> + 
<input type='hidden' name='module_name' value="{$MODULE_MODEL->get('name')|escape}"> {else} <select class="select2 form-control" id="moduleName" name="module_name" required="true" - data-placeholder="Select Module..."> + data-placeholder="Select Module..."> {foreach from=$ALL_MODULES key=TABID item=MODULE_MODEL} - <option value="{$MODULE_MODEL->getName()}" {if isset($SELECTED_MODULE) && $SELECTED_MODULE == $MODULE_MODEL->getName()} selected {/if}> + <option value="{$MODULE_MODEL->getName()|escape}" {if isset($SELECTED_MODULE) && $SELECTED_MODULE == $MODULE_MODEL->getName()} selected {/if}> {\App\Language::translate($MODULE_MODEL->getName(), $MODULE_MODEL->getName())} </option> {/foreach} @@ -50,8 +51,8 @@ </label> <div class="col-sm-6 controls"> <input type="text" name="summary" class="form-control" - data-validation-engine='validate[required]' value="{$WORKFLOW_MODEL->get('summary')}" - id="summary"/> + data-validation-engine='validate[required]' value="{\App\Purifier::encodeHtml($WORKFLOW_MODEL->get('summary'))}" + id="summary" /> </div> </div> <div class="form-group form-row"> @@ -65,9 +66,9 @@ <div class="js-wf-execution-container" data-js="container"> <label> <input type="radio" class="alignTop" - name="execution_condition" {if $EXECUTION_CONDITION eq $LABEL_ID} checked="checked" {/if} value="{$LABEL_ID}"/> + name="execution_condition" {if $EXECUTION_CONDITION eq $LABEL_ID} checked="checked" {/if} value="{$LABEL_ID|escape}" /> {\App\Language::translate($LABEL,$QUALIFIED_MODULE)} - </label><br/> + </label><br /> {assign var=PARAMS value=[]} {if !empty($WORKFLOW_MODEL_OBJ->params)} {assign var=PARAMS value=\App\Json::decode($WORKFLOW_MODEL_OBJ->params)} @@ -98,7 +99,7 @@ </div> </div> </div> - <br/> + <br /> <div class="float-right mb-4"> <button class="btn btn-success mr-1" type="submit" disabled="disabled"> <strong>
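Review bot: `<input type="hidden" name="record" value="{$RECORDID}" />` in the first hunk is the one interpolation in this form left without `|escape`, while `$WEEK_START_ID`, `$LABEL_ID` and `module_name` gained it; `$RECORDID` is presumably a numeric id, but the template cannot know that, so `value="{$RECORDID|escape}"` keeps the form consistent. The `summary` input uses `\App\Purifier::encodeHtml(...)` where the neighbouring values use `|escape`; unless the two helpers differ in double-encoding behaviour, one of them should be used throughout this file. `data-placeholder="Select Module..."` is a hard-coded English string next to translated labels — the `LBL_SELECT_MODULE` key already rendered for the same control could be reused via `{\App\Language::translate('LBL_SELECT_MODULE', $QUALIFIED_MODULE)}`.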
layouts/basic/modules/Settings/Workflows/Step2.tpl+29 −27 modified@@ -5,32 +5,33 @@ * The Initial Developer of the Original Code is vtiger. * Portions created by vtiger are Copyright (C) vtiger. * All Rights Reserved. +* Contributor(s): YetiForce S.A. *************************************************************************************} {strip} <form name="EditWorkflow" action="index.php" method="post" id="workflow_step2" - class="tpl-Settings-Workflows-Step2 form-horizontal"> - <input type="hidden" name="module" value="Workflows"/> - <input type="hidden" name="action" value="Save"/> - <input type="hidden" name="parent" value="Settings"/> - <input type="hidden" class="step" value="2"/> - <input type="hidden" name="summary" value="{$WORKFLOW_MODEL->get('summary')}"/> - <input type="hidden" name="record" value="{$WORKFLOW_MODEL->get('record')}"/> - <input type="hidden" name="module_name" value="{$WORKFLOW_MODEL->get('module_name')}"/> - <input type="hidden" name="execution_condition" value="{$WORKFLOW_MODEL->get('execution_condition')}"/> - <input type="hidden" name="conditions" id="advanced_filter" value=''/> + class="tpl-Settings-Workflows-Step2 form-horizontal"> + <input type="hidden" name="module" value="Workflows" /> + <input type="hidden" name="action" value="Save" /> + <input type="hidden" name="parent" value="Settings" /> + <input type="hidden" class="step" value="2" /> + <input type="hidden" name="summary" value="{\App\Purifier::encodeHtml($WORKFLOW_MODEL->get('summary'))}" /> + <input type="hidden" name="record" value="{$WORKFLOW_MODEL->get('record')|escape}" /> + <input type="hidden" name="module_name" value="{$WORKFLOW_MODEL->get('module_name')|escape}" /> + <input type="hidden" name="execution_condition" value="{\App\Purifier::encodeHtml($WORKFLOW_MODEL->get('execution_condition'))}" /> + <input type="hidden" name="conditions" id="advanced_filter" value='' /> <input type="hidden" id="olderConditions" - 
value="{\App\Purifier::encodeHtml(\App\Json::encode($WORKFLOW_MODEL->get('conditions')))}"/> - <input type="hidden" name="filtersavedinnew" value="{$WORKFLOW_MODEL->get('filtersavedinnew')}"/> - <input type="hidden" name="schtypeid" value="{$WORKFLOW_MODEL->get('schtypeid')}"/> - <input type="hidden" name="schtime" value="{$WORKFLOW_MODEL->get('schtime')}"/> - <input type="hidden" name="schdate" value="{$WORKFLOW_MODEL->get('schdate')}"/> - <input type="hidden" name="params" value="{\App\Purifier::encodeHtml($WORKFLOW_MODEL->get('params'))}"/> + value="{\App\Purifier::encodeHtml(\App\Json::encode($WORKFLOW_MODEL->get('conditions')))}" /> + <input type="hidden" name="filtersavedinnew" value="{$WORKFLOW_MODEL->get('filtersavedinnew')|escape}" /> + <input type="hidden" name="schtypeid" value="{$WORKFLOW_MODEL->get('schtypeid')|escape}" /> + <input type="hidden" name="schtime" value="{$WORKFLOW_MODEL->get('schtime')|escape}" /> + <input type="hidden" name="schdate" value="{$WORKFLOW_MODEL->get('schdate')|escape}" /> + <input type="hidden" name="params" value="{\App\Purifier::encodeHtml($WORKFLOW_MODEL->get('params'))}" /> <input type="hidden" name="schdayofweek" - value="{\App\Purifier::encodeHtml(\App\Json::encode($WORKFLOW_MODEL->get('schdayofweek')))}"/> + value="{\App\Purifier::encodeHtml(\App\Json::encode($WORKFLOW_MODEL->get('schdayofweek')))}" /> <input type="hidden" name="schdayofmonth" - value="{\App\Purifier::encodeHtml(\App\Json::encode($WORKFLOW_MODEL->get('schdayofmonth')))}"/> + value="{\App\Purifier::encodeHtml(\App\Json::encode($WORKFLOW_MODEL->get('schdayofmonth')))}" /> <input type="hidden" name="schannualdates" - value="{\App\Purifier::encodeHtml($WORKFLOW_MODEL->get('schannualdates'))}"/> + value="{\App\Purifier::encodeHtml($WORKFLOW_MODEL->get('schannualdates'))}" /> {if $WORKFLOW_MODEL->get('execution_condition') eq \VTWorkflowManager::$ON_SCHEDULE && $WORKFLOW_MODEL->getParams('iterationOff')} <div class="alert alert-info"> 
{\App\Language::translate('LBL_WORKFLOW_RESTRICTION_OFF_ALERT',$QUALIFIED_MODULE)} @@ -42,26 +43,27 @@ {\App\Language::translate('LBL_CREATED_IN_OLD_LOOK_CANNOT_BE_EDITED',$QUALIFIED_MODULE)} </div> <div class=""> - <span class="col-md-6"><input type="radio" name="conditionstype" class="alignMiddle" checked=""/> <span - class="alignMiddle">{\App\Language::translate('LBL_USE_EXISTING_CONDITIONS',$QUALIFIED_MODULE)}</span></span> + <span class="col-md-6"><input type="radio" name="conditionstype" class="alignMiddle" checked="" /> <span + class="alignMiddle">{\App\Language::translate('LBL_USE_EXISTING_CONDITIONS',$QUALIFIED_MODULE)}</span></span> <span class="col-md-6"><input type="radio" id="enableAdvanceFilters" name="conditionstype" - class="alignMiddle recreate"/> <span - class="alignMiddle">{\App\Language::translate('LBL_RECREATE_CONDITIONS',$QUALIFIED_MODULE)}</span></span> + class="alignMiddle recreate" /> <span + class="alignMiddle">{\App\Language::translate('LBL_RECREATE_CONDITIONS',$QUALIFIED_MODULE)}</span></span> </div> - <br/> + <br /> {/if} <div id="advanceFilterContainer" {if $IS_FILTER_SAVED_NEW == false} class="zeroOpacity js-conditions-container padding1per" {else} class="row js-conditions-container padding1per" {/if} data-js="container"> <h5 class="padding-bottom1per col-md-10"> - <strong>{\App\Language::translate('LBL_CHOOSE_FILTER_CONDITIONS',$MODULE)}</strong></h5> + <strong>{\App\Language::translate('LBL_CHOOSE_FILTER_CONDITIONS',$MODULE)}</strong> + </h5> <div class="col-md-10"> {include file=\App\Layout::getTemplatePath('AdvanceFilter.tpl') RECORD_STRUCTURE=$RECORD_STRUCTURE} </div> {include file=\App\Layout::getTemplatePath('FieldExpressions.tpl', $QUALIFIED_MODULE) EXECUTION_CONDITION=$WORKFLOW_MODEL->get('execution_condition')} </div> </div> {/if} - <br/> + <br /> <div class="float-right"> <button class="btn btn-secondary backStep mr-1" type="button"> <strong> 
@@ -82,6 +84,6 @@ </strong> </button> </div> - <br/><br/> + <br /><br /> </form> {/strip}
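Review bot: The hidden-input list in the first hunk mixes `|escape` (`record`, `module_name`, `schtypeid`, `schtime`, `schdate`, …) with `\App\Purifier::encodeHtml(...)` (`summary`, `execution_condition`) for values of the same kind; the commit gives no reason for the split, and if the two helpers disagree on already-encoded input, the `summary` value carried over from Step 1 could be double-encoded on the round trip. Use one encoder for all plain scalar values here, e.g. `value="{$WORKFLOW_MODEL->get('execution_condition')|escape}"`, and reserve `encodeHtml` for the JSON-encoded `conditions`/`schdayof*` values where it is already used. `{if $IS_FILTER_SAVED_NEW == false}` in the second hunk is a loose comparison that also matches `0`, `''` and `null`; `{if !$IS_FILTER_SAVED_NEW}` says what is meant.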
layouts/basic/modules/Settings/Workflows/Step3.tpl+6 −5 modified@@ -5,28 +5,29 @@ * The Initial Developer of the Original Code is vtiger. * Portions created by vtiger are Copyright (C) vtiger. * All Rights Reserved. +* Contributor(s): YetiForce S.A. *************************************************************************************} {strip} <form name="EditWorkflow" action="index.php" method="post" id="workflow_step3" class="tpl-Settings-Workflows-Step3 form-horizontal"> - <input type="hidden" name="module" value="Workflows"/> - <input type="hidden" name="record" value="{$RECORD}"/> - <input type="hidden" class="step" value="3"/> + <input type="hidden" name="module" value="Workflows" /> + <input type="hidden" name="record" value="{$RECORD}" /> + <input type="hidden" class="step" value="3" /> <div class="btn-group"> <a class="btn dropdown-toggle btn-light addButton" data-toggle="dropdown" href="#"> <strong>{\App\Language::translate('LBL_ADD_TASK',$QUALIFIED_MODULE)}</strong> </a> <ul class="dropdown-menu"> {foreach from=$TASK_RECORDS item=TASK_RECORD} <li><a class="u-cursor-pointer dropdown-item" - data-url="{$TASK_RECORD->getEditViewUrl()}">{\App\Language::translate($TASK_RECORD->getTaskType()->get('label'), $QUALIFIED_MODULE)}</a> + data-url="{$TASK_RECORD->getEditViewUrl()|escape}">{\App\Language::translate($TASK_RECORD->getTaskType()->get('label'), $QUALIFIED_MODULE)}</a> </li> {/foreach} </ul> </div> <div id="taskListContainer"> {include file=\App\Layout::getTemplatePath('TasksList.tpl', $QUALIFIED_MODULE)} </div> - <br/> + <br /> <div class="float-right"> <button class="btn btn-secondary backStep mr-1" type="button"> <strong>
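Review bot: `<input type="hidden" name="record" value="{$RECORD}" />` stays unescaped in this hunk while the sibling `data-url` gained `|escape`; `$RECORD` is presumably an integer workflow id, but since the point of this commit is to escape every interpolated value in these templates, `value="{$RECORD|escape}"` should be applied for consistency rather than relying on the caller. The rest of the form and the included TasksList.tpl are outside the hunk.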
layouts/basic/modules/Settings/Workflows/TasksList.tpl+4 −4 modified@@ -22,22 +22,22 @@ {foreach from=$TASK_LIST item=TASK} <tr class="listViewEntries js-workflow-task" data-id="{$TASK->getId()}"> <td width="10%"> - <a class="px-2 u-cursor-move js-drag" data-js="ui-sortable-handle"><img class="align-baseline" src="{\App\Layout::getImagePath('drag.png')}" title="{\App\Language::translate('LBL_DRAG',$QUALIFIED_MODULE)}" /></a> <input type="checkbox" class="taskStatus" data-statusurl="{$TASK->getChangeStatusUrl()}" {if $TASK->isActive()} checked="" {/if} /> + <a class="px-2 u-cursor-move js-drag" data-js="ui-sortable-handle"><img class="align-baseline" src="{\App\Layout::getImagePath('drag.png')}" title="{\App\Language::translate('LBL_DRAG',$QUALIFIED_MODULE)}" /></a> <input type="checkbox" class="taskStatus" data-statusurl="{$TASK->getChangeStatusUrl()|escape}" {if $TASK->isActive()} checked="" {/if} /> </td> <td width="30%">{\App\Language::translate($TASK->getTaskType()->getLabel(),$QUALIFIED_MODULE)}</td> - <td width="60%">{$TASK->getName()} + <td width="60%">{\App\Purifier::encodeHtml($TASK->getName())} <div class="float-right actions"> <span class="actionImages"> {if $TASK->isEditable()} - <a data-url="{$TASK->getEditViewUrl()}"> + <a data-url="{$TASK->getEditViewUrl()|escape}"> <span class="yfi yfi-full-editing-view" title="{\App\Language::translate('LBL_EDIT',$QUALIFIED_MODULE)}"></span> </a> {else} <div class="js-popover-tooltip mr-2 d-inline text-danger" data-js="popover" data-content="{\App\Purifier::encodeHtml(App\Language::translate('LBL_ERROR_DELETE_ENTRY', $QUALIFIED_MODULE))}"> <span class="fas fa-info-circle"></span> </div> {/if} - <a class="deleteTask" data-deleteurl="{$TASK->getDeleteActionUrl()}"> + <a class="deleteTask" data-deleteurl="{$TASK->getDeleteActionUrl()|escape}"> <span class="fas fa-trash-alt" title="{\App\Language::translate('LBL_DELETE',$QUALIFIED_MODULE)}"></span> </a> </span>
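Review bot: `data-id="{$TASK->getId()}"` on the row is the only interpolation in this hunk not run through `|escape` or `encodeHtml`; `getId()` is presumably numeric, but `data-id="{$TASK->getId()|escape}"` removes the exception at no cost. The escaped `data-statusurl`/`data-deleteurl`/`data-url` values are read back from the DOM, which returns the entity-decoded attribute text, so HTML escaping is the correct and sufficient layer for those — no further decoding is needed in the JS. The `{foreach}` opens before the hunk and its closing tag is outside it.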
modules/Settings/Workflows/actions/TaskAjax.php+5 −5 modified@@ -96,9 +96,9 @@ public function changeStatusAllTasks(App\Request $request) */ public function save(App\Request $request) { - $workflowId = $request->get('for_workflow'); + $workflowId = !$request->isEmpty('for_workflow') ? $request->getInteger('for_workflow') : 0; if (!empty($workflowId)) { - $record = $request->get('task_id'); + $record = !$request->isEmpty('task_id') ? $request->getInteger('task_id') : 0; if ($record) { $taskRecordModel = Settings_Workflows_TaskRecord_Model::getInstance($record); $taskObject = $taskRecordModel->getTaskObject(); @@ -108,7 +108,7 @@ public function save(App\Request $request) $taskObject = $taskRecordModel->getTaskObject(); $taskObject->sequence = $taskRecordModel->getNextSequenceNumber($workflowId); } - $taskObject->summary = htmlspecialchars($request->get('summary')); + $taskObject->summary = \App\Purifier::decodeHtml($request->getByType('summary', \App\Purifier::TEXT)); $active = $request->get('active'); if ('true' == $active) { @@ -121,7 +121,7 @@ public function save(App\Request $request) if (!empty($checkSelectDate)) { $trigger = [ 'days' => ('after' == $request->get('select_date_direction') ? 1 : -1) * (int) $request->get('select_date_days'), - 'field' => $request->get('select_date_field'), + 'field' => $request->getByType('select_date_field', \App\Purifier::ALNUM), ]; $taskObject->trigger = $trigger; } else { @@ -143,7 +143,7 @@ public function save(App\Request $request) $taskObject->{$fieldName} = \App\Json::encode($values); } else { - $taskObject->{$fieldName} = $request->getRaw($fieldName); + $taskObject->{$fieldName} = \App\Purifier::decodeHtml($request->getByType($fieldName, \App\Purifier::TEXT)); } } elseif (isset($fieldNamesRequestMethods[$fieldName])) { $taskObject->{$fieldName} = $request->{$fieldNamesRequestMethods[$fieldName]}($fieldName);
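Review bot: The `else` branch in the last hunk replaces `$request->getRaw($fieldName)` with `\App\Purifier::decodeHtml($request->getByType($fieldName, \App\Purifier::TEXT))` for every task field not listed in `$fieldNamesRequestMethods`; if any task type stores legitimate markup in such a field (an e-mail body, a rich-text note), the `TEXT` purifier will strip or mangle it, so each HTML-bearing field needs an explicit entry in `$fieldNamesRequestMethods` instead of falling through here. The `summary` change in the second hunk also flips the storage convention from encoded (`htmlspecialchars(...)`) to decoded raw text; summaries saved before this patch are therefore already entity-encoded in the database and, once rendered through `encodeHtml`/`|escape` in the updated templates, will show `&lt;`-style text literally unless a one-off migration decodes them. The same flip means correctness now rests on every consumer of `$taskObject` properties encoding on output — the workflow views in this commit do, but task execution and export paths are not visible here. `$active = $request->get('active'); if ('true' == $active)` still reads the unvalidated `get()`; `$request->getBoolean('active')`, if the request class offers it, would match the rest of the hunk. `save()` begins in the first hunk and continues past the last one.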
modules/Settings/Workflows/views/EditTask.php+0 −12 modified@@ -129,19 +129,7 @@ public function process(App\Request $request) $viewer->assign('WORKFLOW_MODEL', $workflowModel); $viewer->assign('TASK_MODEL', $taskModel); $viewer->assign('CURRENTDATE', date('Y-n-j')); - // Adding option Line Item block for Individual tax mode - $individualTaxBlockLabel = \App\Language::translate('LBL_LINEITEM_BLOCK_GROUP', $qualifiedModuleName); - $individualTaxBlockValue = $viewer->view('LineItemsGroupTemplate.tpl', $qualifiedModuleName, true); - // Adding option Line Item block for group tax mode - $groupTaxBlockLabel = \App\Language::translate('LBL_LINEITEM_BLOCK_INDIVIDUAL', $qualifiedModuleName); - $groupTaxBlockValue = $viewer->view('LineItemsIndividualTemplate.tpl', $qualifiedModuleName, true); - - $templateVariables = [ - $individualTaxBlockValue => $individualTaxBlockLabel, - $groupTaxBlockValue => $groupTaxBlockLabel, - ]; - $viewer->assign('TEMPLATE_VARIABLES', $templateVariables); $viewer->assign('TASK_OBJECT', $taskObject); $viewer->assign('FIELD_EXPRESSIONS', Settings_Workflows_Module_Model::getExpressions()); $userModel = \App\User::getCurrentUserModel();
References
- github.com/advisories/GHSA-qwc8-vjh3-gm2j (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2022-3004 (GHSA: advisory)
- github.com/yetiforcecompany/yetiforcecrm/commit/cd82ecce44d83f1f6c10c7766bf36f3026de024a (GHSA: x_refsource_MISC, web)
- huntr.dev/bounties/461e5f8f-17cf-4be4-9149-111d0bd92d14 (GHSA: x_refsource_CONFIRM, web)