6af2c4ad0e
Escape output of WEB_TITLE, HOME_URL, HOME_CONTENT, & WEB_CONSOLE_BANNER. Fixes #2468
2019-02-09 18:06:21 -08:00
9ce05a9a09
user.php: Escape the Username upon display. Fixes #2467
2019-02-09 17:45:52 -08:00
6d2f3c265f
events.php: Remove inline event handlers and enforce CSP
2019-02-09 17:34:59 -08:00
fcbc22b6a2
functions.php: Ensure 'limit' request parameter is an integer. Fixes #2456
2019-02-09 17:27:47 -08:00
502f53fad0
functions.php: Fix SQLi in getFormChanges
2019-02-09 17:15:02 -08:00
ef0e5f453a
monitor.php: Fix XSS from LinkedMonitors. Fixes #2463
2019-02-09 17:11:53 -08:00
9705edfe24
monitor.php: Escape monitor method. Fixes #2464
2019-02-09 17:01:45 -08:00
cef54feaf9
monitor.php: Escape a bug of output variables. Fixes #2465
2019-02-09 16:54:06 -08:00
254b7286b4
monitor.php: Escape SignalCheckColour to prevent XSS. Fixes #2451
2019-02-09 16:41:54 -08:00
bb75dad091
filter.php: Escape filter query term value to avoid XSS. Fixes #2462
2019-02-09 15:35:55 -08:00
dd37808ef7
filter.php: Escape AutoExecuteCmd before output to prevent XSS. Fixes #2461
2019-02-09 15:24:13 -08:00
70e59ed546
filter.php: Escape the filter name on output. Fixes #2455
2019-02-09 15:19:15 -08:00
b2a97ee190
frame.php: Fix multiple XSS from 'show' and 'scale' parameters and enforce CSP.
...
Fixes #2448 , fixes #2449 , and fixes #2447 .
2019-02-09 15:10:45 -08:00
c8066919ff
functions.php: Esacepe textContent in htmlOptions()
2019-02-09 14:14:46 -08:00
7b0ee8a6a2
group: Escape group name in heading. Fixes #2454
2019-02-09 14:05:50 -08:00
fa6716a64b
console: Escape source column output to prevent XSS. Fixes #2452
2019-02-09 02:28:40 -08:00
98e0a0d2c5
Don't output Fatal(...) error messages unless debugging is on to avoid leaking info. Fixes #2459
2019-02-09 02:18:57 -08:00
02f09aad7f
view=export: Remove inline event handlers and fix arbitrary URL/XSS usage. Fixes #2443
2019-02-09 02:01:26 -08:00
61f6a92cc0
view=download: Validate the eid parameter to avoid XSS. Fixes #2442
2019-02-09 01:37:32 -08:00
0b38e72f88
view=download: Remove inline event handlers and fix arbitrary URL/XSS usage. Fixes #2441
2019-02-09 01:16:32 -08:00
e36ac1b872
Add a polyfill for NodeList.prototype.forEach
2019-02-08 21:54:23 -08:00
2dc935b488
added object detection frame rendering ( #2505 )
2019-02-08 13:49:00 -05:00
0eb1efff8b
fix eslint errors
2019-02-08 13:48:38 -05:00
ee3a0c1fd1
fix validateForm running on monitor cancel due to lack of type=button on cancel button
2019-02-08 09:55:32 -05:00
1039149866
fix buttons on events page. data-onclick-this to data-on-click-this
2019-02-07 08:56:48 -05:00
7e84a5914c
fix CSP policy violations on filters view
2019-02-06 13:55:19 -05:00
0783802d0c
fix CSP violations on events
2019-02-06 13:31:34 -05:00
b04b67c39d
Fix CSP violation in the onclick of the monitor view in montagereview
2019-02-06 12:17:10 -05:00
6744a9a116
Make montagereview more robust when the storage area of an event has been deleted. Add the onmouse events using javascript instead of in the html canvas element so that our CSP policy works.
2019-02-06 11:46:55 -05:00
edaf582eb4
Make montagereview more robust when the storage area of an event has been deleted. Add the onmouse events using javascript instead of in the html canvas element so that our CSP policy works.
2019-02-06 11:46:48 -05:00
8e62c93f5f
add to_json function to Storage.
2019-02-06 11:44:36 -05:00
dca9a81cfd
implement data-on-click-true
2019-02-05 16:45:05 -05:00
a40cd144fa
Merge branch 'master' of github.com:ZoneMinder/ZoneMinder
2019-02-05 12:35:15 -05:00
c54fe7e89a
fix state actions
2019-02-05 12:35:06 -05:00
a2e04c307d
update buttons. reduce duplicated code. Make it so that users with System=View can at least see if there is an update.
2019-01-31 09:40:19 -05:00
604dbf8776
fix state changing/etc
2019-01-30 14:36:46 -05:00
7ea8be3fa8
spacing, remove non html5 elements
2019-01-25 09:22:08 -05:00
8c5687ca30
Fix name/protocol XSS in controlcaps.php. Fixes #2445 ( #2479 )
2019-01-25 08:35:07 -05:00
fd6179d7c8
Enforce CSP on many more views ( #2480 )
2019-01-25 08:34:29 -05:00
a3e8fd4fd5
Fix zones.php self-xss. Fixes #2444
2019-01-24 23:40:41 -08:00
47d8c9b066
plugin.php: Remove undefined onclick function reference and enforce CSP
...
Also fix tag closing.
2019-01-23 19:47:58 -08:00
59cc65411f
plugin.php: Fix XSS and directory traversal bugs. Fixes #2436
...
This view seems like dead code so maybe it should be removed instead.
2019-01-23 19:41:38 -08:00
e53678f869
Can't use a normal subsitution on the Order by field. So parse the sort param instead
2019-01-23 12:22:00 -05:00
6eb4d7ae27
Filter improvements ( #2438 )
...
* Put back code to close the popup when view is none
* clean up and reduce depth of some logic
* Increase width of user popup
* fix code style
* Make execute_filter work on a filter Id instead of name
* rework logic to reduce code depth. Change view to events to display the results of execute.
* Change the redirect to stay on the new view. When redirecting from executing a filter, it was redirecting to filter.
* Set a form action for correctness. Change execute button to a button instead of a submit. Stay on the filter view when executing
2019-01-23 11:30:51 -05:00
4da95369f9
Fix zone area calculation ( #2437 )
...
Previous method resulted in bogus zone areas (in the range of
1000s of % of frame area) when entering points with the keyboard, even
after applying commit 4937a68650http://mathworld.wolfram.com/PolygonArea.html
It has been tested on ZoneMinder 1.32.3 and works correctly when
either entering coordinates with the keyboard or dragging points with
the mouse.
2019-01-23 10:35:18 -05:00
2914fb1d58
Update to html5, remove code to close popup (as it is taken care of in skin.js now. Use cache_bust on skin.js
2019-01-22 09:15:25 -05:00
e712cedbde
spacing and quotes
2019-01-22 09:14:44 -05:00
ae703c45ee
Set closePopup=true so that we don't need code in the none view to close the popup. The common code in skin.js will take care of it.
2019-01-22 09:14:33 -05:00
0619a4a161
Validate cnj, obr, and cbr arguments in parseFilter ( #2434 )
2019-01-22 08:03:25 -05:00
e7e45b2d95
Remove jQuery use from top-level event listeners in skin.js since view=none doesn't have $j ( #2433 )
2019-01-22 08:00:39 -05:00
785c208ecf
Fixes #2426 . Ca should have been endTime
2019-01-21 12:01:46 -05:00
326ac60ae4
add missing braces to fix logic
2019-01-21 11:20:56 -05:00
a2d4dc974b
Merge branch 'master' of github.com:ZoneMinder/ZoneMinder
2019-01-21 11:19:07 -05:00
e663397816
spacing
2019-01-21 11:17:21 -05:00
c6311b7079
When logging in, stay on the login view
2019-01-21 11:17:09 -05:00
fbc236128e
add a function to format a time into a duration. Can't use date() because 0 doesn't give us 00:00:00 it gives 19:00:00
2019-01-21 11:16:14 -05:00
b24b930f65
After login go to postlogin, not console. the login view is in a popup so we want to close
2019-01-21 11:15:36 -05:00
19c272061a
Replace MooTools usage for adding window event listeners ( #2429 )
2019-01-21 11:14:32 -05:00
27bcf3f994
Upgrade jQuery version ( #2430 )
...
* Upgrade jQuery to 1.12.4
* Upgrade jQuery to 2.2.4; Stop support for IE8
* 2.2.4 is compatible with 1.12.4
* This fixes a CSP violation on every page load due to jQuery testing of focusin support with a hidden element.
2019-01-21 11:13:40 -05:00
f0b33145f5
Log CSP violations in ZM logs in supported browsers ( #2431 )
2019-01-21 11:12:17 -05:00
d7ebc85d81
Replace remaining `console` inline event handlers ( #2432 )
...
* Use a hidden submit button in _monitor_filters rather than onkeydown
* events/console: Convert checkbox header toggle inline event listeners
2019-01-21 11:11:40 -05:00
f69b77e38f
fix eslint complaints
2019-01-19 12:40:17 -05:00
a1a42345e3
More eslint fixes; eslint in php; add eslint to travis ( #2419 )
...
* Add eslint to travis.yml
* Update eslint package versions and apply new indent rules
* Enable the brace-style and block-style eslint rules
* Enable the 'curly' eslint rule
* Enable the 'keyword-spacing' eslint rule
* Enable the 'key-spacing' eslint rule
* Enable the 'object-curly-spacing' eslint rule
* Enable the 'no-new-object' eslint rule
* Only disable the no-caller eslint rule in the one affected file
* Enable the 'no-unused-vars' eslint rule for local variables
* Add linting of JS in .php files
2019-01-19 10:32:40 -05:00
35fb4366b6
Fix recaptcha support with the CSP ( #2420 )
2019-01-19 09:47:04 -05:00
c0a6e54d60
skins/classic/views/control.php second order sqli ( #2422 )
2019-01-19 09:46:21 -05:00
02fd1e79b3
Fix ajax/status.php orderby sql injection ( #2421 )
...
https://github.com/LoRexxar/CVE_Request/tree/master/zoneminder%20vul%20before%20v1.32.3#ajaxstatusphp-line-276-orderby-sql-injection
2019-01-19 09:46:08 -05:00
34e2e47993
controlcap.php: Reflected xss fix with validHtmlStr ( #2423 )
2019-01-19 09:43:28 -05:00
d3f8037e58
Replace onclick='submitTab(...' with a click listener ( #2424 )
2019-01-19 09:42:12 -05:00
4e48939660
Add a validateForm event listener and enforce CSP on some views ( #2425 )
...
* Add a validateForm event listener and enforce CSP on the controlcap view
* filter.php: Use .validateFormOnSubmit
* server.php: Use .validateFormOnSubmit and fix makePopupButton condition check
* Use .validateFormOnSubmit and enforce CSP on the storage view
2019-01-19 09:41:53 -05:00
43a1725060
Fix duplicate 'class' attribute in options ( #2418 )
2019-01-18 10:05:44 -05:00
eef113b6a7
Convert some characters to HTML entities ( #2417 )
2019-01-18 10:02:48 -05:00
deaf651aad
Fix eslint violations ( #2416 )
...
* Add more JS libraries to eslintignore
* eslint . --fix
Automatic fixes only
* frame.js: eslint fixes
* events.js: manual eslint fixes
* skin.js: manual eslint fixes
* watch.js: manual eslint fixes
* Remove some tabs used for indentation in JS
* state.js: Fix new-cap eslint violation
* Disable guard-for-in eslint rule to get everything passing
2019-01-18 10:00:55 -05:00
6bb5aa1b87
More inline JS / nonce conversions ( #2415 )
...
* monitor.php: Add nonce and move <script> inside </body>
* export_functions.php: Untested: Add @nonce to <script>
* blank.php: Add @nonce to <script> and add to CSP enforced views
* Enforce CSP on login and privacy views
* group.php: Add nonce and move <script> inside </body>
* filter.php: Add @nonce to <script>
* Fix updateButtons argument on the filter page upon change and page load
* events.php: Add @nonce to <script>
2019-01-18 09:51:06 -05:00
599769b701
rework logic of functions to be more verbose about errors. Implement javascript Nonce support when view=none
2019-01-17 08:50:33 -05:00
1f3da476b8
switch to single quotes
2019-01-16 14:04:24 -05:00
b1cc0c2b82
add CSP nonce to CSRF rewriting
2019-01-16 14:04:07 -05:00
a7db6f08f5
single vs double quotes
2019-01-16 13:47:50 -05:00
42076ad09b
Merge branch 'master' of github.com:ZoneMinder/ZoneMinder
2019-01-16 13:46:01 -05:00
a2c23d3263
Need nonce in inline script setting display css
2019-01-16 13:45:26 -05:00
d8ef33396a
If multi-port is on, we need to output CORS headers
2019-01-16 13:44:57 -05:00
e156a6cda0
logout view should go to logout view
2019-01-16 12:23:18 -05:00
ba21820fd0
fix typo
2019-01-16 12:10:34 -05:00
eee1d871e0
get rid of default value for PathToIndex so that it will use PHP_SELF instead
2019-01-16 12:09:26 -05:00
d33fec9c3f
Add a CSP script-src policy with nonce-source and convert more inline event handlers ( #2413 )
...
* Add Content-Security-Policy-Report-Only: script-src 'self' 'nonce-' policy
* Use @data-on-click-this to attach inline click event handlers which expect being called with 'this'
Only handle ones that don't return a value.
* Use @data-on-click to attach inline click event handlers with no args and no return value
* Use @data-on-click-true to attach inline click event handlers with 'true' as the only argument
* Enforce a script-src CSP on views without inline JS
* Convert some onchange attributes to data-on-change
2019-01-16 09:59:58 -05:00
fd696bc066
Merge branch 'master' of github.com:ZoneMinder/ZoneMinder
2019-01-15 11:38:56 -05:00
ac27005944
remove debug
2019-01-15 11:38:43 -05:00
07c7c271a6
prevent error when event has no frames. Fix PathToIndex() -> PathToIndex. Fixes #2411
2019-01-15 11:38:19 -05:00
3182d8bab7
implement to_json method so that defaults get included
2019-01-15 11:36:56 -05:00
07d8ac1d49
implement timezone check function ( #2387 )
...
* implement timezone check function
* remove comment
* also check if the timezone is valid
* whitespace
2019-01-15 09:05:11 -05:00
083f284599
Replace onclick inline event handlers for createPopup ( #2410 )
...
* Move <script> before </body>
* Change makePopupLink to not use onclick
* Change makePopupButton to not use onclick
* Use .popup-link in control_functions.php
* Use makePopupButton in controlcaps.php
* Prevent double-encoding in makePopup*
* Use makePopupButton in devices.php
* Use makePopupButton in logout.php
* Use makePopupLink in monitor.php
* Use makePopupLink and .popup-link in montage.php
* Use makePopupButton in options.php
* Use makePopupButton, makePopupLink, and .popup-link in zones.php
2019-01-15 09:01:58 -05:00
c834fbe462
the filter action should singular filter, not filters
2019-01-13 14:52:39 -05:00
a282b487d1
load Help from Config as it is not longer always loaded into ram.
2019-01-11 13:55:03 -05:00
b373577589
fix function view after actions cleanup
2019-01-10 12:08:25 -05:00
1d54216e80
spacing
2019-01-09 16:23:58 -05:00
c1e4fbac6a
extend input path and options to the full width of the popup
2019-01-09 12:37:42 -05:00
2d03583b78
Merge branch 'master' of github.com:ZoneMinder/ZoneMinder
2019-01-08 13:12:42 -05:00
ffa37d8c10
Fix margins on replayControl
2019-01-08 13:12:35 -05:00
3f5a2a2aa6
disable delete button when event is archived.
2019-01-07 15:56:23 -05:00
b4f8500cb5
Merge branch 'split_actions'
2019-01-05 18:33:04 -05:00
3f10553464
Fix include path to Monitors.php
2019-01-05 18:32:53 -05:00
Matthew Noorenberghe
Pliable Pixels
Isaac Connor
Isaac Connor
montagdude
Andrew Bauer