⚠ In case you've missed it, we have migrated to our new website, with a brand new forum. For more details about the migration you can read our blog post for website migration. This is an archived forum. ⚠

  •     

profile picture

Export functionallity - fix XML macro injection

Started by , 28 September 2016 - 08:12 AM


reuven
  • profile picture
  • Member

Posted 28 September 2016 - 08:12 AM

File: Grocery_CRUD.php (version 1.5.4)

Function: _export_to_excel

 

This row is used to add data to the final xml file.

$string_to_export .= $this->_trim_export_string($row->{$column->field_name})."\t";

 

There is no sanitation for the export data.

 

I added this function to sanitize xls special characters:

protected function _escape_xml($str){

$str = str_replace('<', '&#60;', $str);
$str = str_replace('>', '&#62;', $str);
$str = str_replace('&', '&#38;', $str);
$str = str_replace("'", '&#39;', $str);
$str = str_replace('"', '&#34;', $str);
$str = str_replace('%', '&#37;', $str);
$str = str_replace(';', '&#59;', $str);
$str = str_replace('(', '&#40;', $str);
$str = str_replace(')', '&#41;', $str);
$str = str_replace('+', '&#43;', $str);
$str = str_replace('|', '&#124;', $str);
return $str;
}

 

 

And changed the above line to:

 

$string_to_export .= $this->_trim_export_string($this->_escape_xml($row->{$column->field_name}))."\t";