Commit 133da98d authored by colemanw's avatar colemanw

Move all escaping from Ajax callback to api CRM-12765

parent dd64a29c
...@@ -44,17 +44,22 @@ class CRM_Contact_Page_AJAX { ...@@ -44,17 +44,22 @@ class CRM_Contact_Page_AJAX {
$params = array('version' => 3, 'check_permissions' => TRUE); $params = array('version' => 3, 'check_permissions' => TRUE);
if ($context = CRM_Utils_Array::value('context', $_GET)) { // String params
$params['context'] = CRM_Utils_Type::escape($_GET['context'], 'String'); // FIXME: param keys don't match input keys, using this array to translate
} $whitelist = array(
's' => 'name',
if (!empty($_GET['s'])) { 'fieldName' => 'field_name',
$params['name'] = $_GET['s']; 'tableName' => 'table_name',
'context' => 'context',
);
foreach ($whitelist as $key => $param) {
if (!empty($_GET[$key])) {
$params[$param] = $_GET[$key];
}
} }
//CRM-10687: Allow quicksearch by multiple fields //CRM-10687: Allow quicksearch by multiple fields
if (!empty($_GET['fieldName'])) { if (!empty($params['field_name'])) {
$params['field_name'] = $_GET['fieldName'];
if ($params['field_name'] == 'phone_numeric') { if ($params['field_name'] == 'phone_numeric') {
$params['name'] = preg_replace('/[^\d]/', '', $params['name']); $params['name'] = preg_replace('/[^\d]/', '', $params['name']);
} }
...@@ -63,39 +68,19 @@ class CRM_Contact_Page_AJAX { ...@@ -63,39 +68,19 @@ class CRM_Contact_Page_AJAX {
} }
} }
if (!empty($_GET['tableName'])) { // Numeric params
$params['table_name'] = $_GET['tableName']; $whitelist = array(
} 'limit',
'org',
$params['limit'] = 10; 'employee_id',
if (CRM_Utils_Array::value('limit', $_GET)) { 'cid',
$params['limit'] = CRM_Utils_Type::escape($_GET['limit'], 'Positive'); 'id',
} 'cmsuser',
);
$orgId = $employee_id = $cid = $id = $context = $rel = NULL; foreach ($whitelist as $key) {
$params['org'] = CRM_Utils_Array::value('org', $_GET); if (!empty($_GET[$key]) && is_numeric($_GET[$key])) {
if (CRM_Utils_Array::value('id', $_GET)) { $params[$key] = $_GET[$key];
$params['orgId'] = CRM_Utils_Type::escape($_GET['id'], 'Positive'); }
}
if (CRM_Utils_Array::value('employee_id', $_GET)) {
$params['employee_id'] = CRM_Utils_Type::escape($_GET['employee_id'], 'Positive');
}
if (CRM_Utils_Array::value('cid', $_GET)) {
$params['cid'] = CRM_Utils_Type::escape($_GET['cid'], 'Positive');
}
if (CRM_Utils_Array::value('id', $_GET)) {
$params['id'] = CRM_Utils_Type::escape($_GET['id'], 'Positive');
}
if (isset($_GET['rel'])) {
$params['rel'] = $_GET['rel'];
}
if (CRM_Utils_Array::value('cmsuser', $_GET)) {
$params['cmsuser'] = CRM_Utils_Type::escape($_GET['cmsuser'], 'Boolean');
} }
$result = civicrm_api('Contact', 'getquick', $params); $result = civicrm_api('Contact', 'getquick', $params);
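Review bot: The numeric whitelist's `is_numeric($_GET[$key])` check in the second hunk accepts floats, signs, exponent notation and leading whitespace, whereas the removed code required `'Positive'` (or `'Boolean'` for `cmsuser`), and in this commit only `limit` and `employee_id` are visibly cast to int on the api side, so `org`, `cid`, `id` and `cmsuser` reach the api as raw strings. If integer ids are the intent, `if (!empty($_GET[$key]) && ctype_digit((string) $_GET[$key])) { $params[$key] = (int) $_GET[$key]; }` keeps the whitelist shape and pins the type at the boundary. The old `rel` and `orgId` assignments have no counterpart in the new whitelists; presumably they were unused by getquick, but that is worth confirming against the api implementation. The enclosing method begins before the first hunk and continues after the second.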
...@@ -604,7 +604,7 @@ function civicrm_api3_contact_getquick($params) { ...@@ -604,7 +604,7 @@ function civicrm_api3_contact_getquick($params) {
if ($value != 'id') { if ($value != 'id') {
$suffix = 'cc'; $suffix = 'cc';
if (!empty($params['field_name']) && $params['field_name'] == 'value') { if (!empty($params['field_name']) && $params['field_name'] == 'value') {
$suffix = CRM_Utils_Array::value('table_name', $params, 'cc'); $suffix = CRM_Utils_String::munge(CRM_Utils_Array::value('table_name', $params, 'cc'));
} }
$actualSelectElements[] = $select[] = $suffix . '.' . $value; $actualSelectElements[] = $select[] = $suffix . '.' . $value;
} }
...@@ -626,7 +626,8 @@ function civicrm_api3_contact_getquick($params) { ...@@ -626,7 +626,8 @@ function civicrm_api3_contact_getquick($params) {
$selectAliases = ", $selectAliases"; $selectAliases = ", $selectAliases";
} }
$from = implode(' ', $from); $from = implode(' ', $from);
$limit = CRM_Utils_Array::value('limit', $params, 10); $limit = (int) CRM_Utils_Array::value('limit', $params);
$limit = $limit > 0 ? $limit : 10;
// add acl clause here // add acl clause here
list($aclFrom, $aclWhere) = CRM_Contact_BAO_Contact_Permission::cacheClause('cc'); list($aclFrom, $aclWhere) = CRM_Contact_BAO_Contact_Permission::cacheClause('cc');
...@@ -643,7 +644,7 @@ function civicrm_api3_contact_getquick($params) { ...@@ -643,7 +644,7 @@ function civicrm_api3_contact_getquick($params) {
$currEmpDetails = array(); $currEmpDetails = array();
if (CRM_Utils_Array::value('employee_id', $params)) { if (CRM_Utils_Array::value('employee_id', $params)) {
if ($currentEmployer = CRM_Core_DAO::getFieldValue('CRM_Contact_DAO_Contact', if ($currentEmployer = CRM_Core_DAO::getFieldValue('CRM_Contact_DAO_Contact',
CRM_Utils_Array::value('employee_id', $params), (int) $params['employee_id'],
'employer_id' 'employer_id'
)) { )) {
if ($config->includeWildCardInName) { if ($config->includeWildCardInName) {
...@@ -768,8 +769,8 @@ LIMIT 0, {$limit} ...@@ -768,8 +769,8 @@ LIMIT 0, {$limit}
// send query to hook to be modified if needed // send query to hook to be modified if needed
CRM_Utils_Hook::contactListQuery($query, CRM_Utils_Hook::contactListQuery($query,
$name, $name,
CRM_Utils_Array::value('context', $params), empty($params['context']) ? NULL : CRM_Utils_Type::escape($params['context'], 'String'),
CRM_Utils_Array::value('id', $params) empty($params['id']) ? NULL : $params['id']
); );
$dao = CRM_Core_DAO::executeQuery($query); $dao = CRM_Core_DAO::executeQuery($query);
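Review bot: In the last hunk, `id` is handed to `CRM_Utils_Hook::contactListQuery` as `$params['id']` without a cast, while `employee_id` in the hunk at line 644 is cast with `(int)` before use; for consistency, and so hook implementations receive an integer rather than whatever string passed the caller's check, `empty($params['id']) ? NULL : (int) $params['id']`. The `context` value is escaped only at this hook call; if `context` is also consulted elsewhere in `civicrm_api3_contact_getquick` (not visible here), that use would need the same `CRM_Utils_Type::escape(..., 'String')` treatment. The `$limit` rewrite at line 626 correctly falls back to 10 for non-positive or missing values. `civicrm_api3_contact_getquick` begins and ends outside these hunks.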