Matthew Noorenberghe
effd609ff7
Escape output of state names. Fixes #2475
2019-02-09 20:40:08 -08:00
Matthew Noorenberghe
d7ede4643d
_monitor_filters.php: Escape MonitorName and Source. Fixes #2457
2019-02-09 19:14:31 -08:00
Matthew Noorenberghe
255806bd54
log.js: Escape HTML to be shown in the log HtmlTable. Fixes #2453
2019-02-09 18:43:55 -08:00
Matthew Noorenberghe
6af2c4ad0e
Escape output of WEB_TITLE, HOME_URL, HOME_CONTENT, & WEB_CONSOLE_BANNER. Fixes #2468
2019-02-09 18:06:21 -08:00
Matthew Noorenberghe
9ce05a9a09
user.php: Escape the Username upon display. Fixes #2467
2019-02-09 17:45:52 -08:00
Matthew Noorenberghe
6d2f3c265f
events.php: Remove inline event handlers and enforce CSP
2019-02-09 17:34:59 -08:00
Matthew Noorenberghe
ef0e5f453a
monitor.php: Fix XSS from LinkedMonitors. Fixes #2463
2019-02-09 17:11:53 -08:00
Matthew Noorenberghe
9705edfe24
monitor.php: Escape monitor method. Fixes #2464
2019-02-09 17:01:45 -08:00
Matthew Noorenberghe
cef54feaf9
monitor.php: Escape a bug of output variables. Fixes #2465
2019-02-09 16:54:06 -08:00
Matthew Noorenberghe
254b7286b4
monitor.php: Escape SignalCheckColour to prevent XSS. Fixes #2451
2019-02-09 16:41:54 -08:00
Matthew Noorenberghe
bb75dad091
filter.php: Escape filter query term value to avoid XSS. Fixes #2462
2019-02-09 15:35:55 -08:00
Matthew Noorenberghe
dd37808ef7
filter.php: Escape AutoExecuteCmd before output to prevent XSS. Fixes #2461
2019-02-09 15:24:13 -08:00
Matthew Noorenberghe
70e59ed546
filter.php: Escape the filter name on output. Fixes #2455
2019-02-09 15:19:15 -08:00
Matthew Noorenberghe
b2a97ee190
frame.php: Fix multiple XSS from 'show' and 'scale' parameters and enforce CSP.
...
Fixes #2448 , fixes #2449 , and fixes #2447 .
2019-02-09 15:10:45 -08:00
Matthew Noorenberghe
7b0ee8a6a2
group: Escape group name in heading. Fixes #2454
2019-02-09 14:05:50 -08:00
Matthew Noorenberghe
fa6716a64b
console: Escape source column output to prevent XSS. Fixes #2452
2019-02-09 02:28:40 -08:00
Matthew Noorenberghe
02f09aad7f
view=export: Remove inline event handlers and fix arbitrary URL/XSS usage. Fixes #2443
2019-02-09 02:01:26 -08:00
Matthew Noorenberghe
61f6a92cc0
view=download: Validate the eid parameter to avoid XSS. Fixes #2442
2019-02-09 01:37:32 -08:00
Matthew Noorenberghe
0b38e72f88
view=download: Remove inline event handlers and fix arbitrary URL/XSS usage. Fixes #2441
2019-02-09 01:16:32 -08:00
Matthew Noorenberghe
e36ac1b872
Add a polyfill for NodeList.prototype.forEach
2019-02-08 21:54:23 -08:00
Isaac Connor
0eb1efff8b
fix eslint errors
2019-02-08 13:48:38 -05:00
Isaac Connor
ee3a0c1fd1
fix validateForm running on monitor cancel due to lack of type=button on cancel button
2019-02-08 09:55:32 -05:00
Isaac Connor
1039149866
fix buttons on events page. data-onclick-this to data-on-click-this
2019-02-07 08:56:48 -05:00
Isaac Connor
7e84a5914c
fix CSP policy violations on filters view
2019-02-06 13:55:19 -05:00
Isaac Connor
0783802d0c
fix CSP violations on events
2019-02-06 13:31:34 -05:00
Isaac Connor
b04b67c39d
Fix CSP violation in the onclick of the monitor view in montagereview
2019-02-06 12:17:10 -05:00
Isaac Connor
6744a9a116
Make montagereview more robust when the storage area of an event has been deleted. Add the onmouse events using javascript instead of in the html canvas element so that our CSP policy works.
2019-02-06 11:46:55 -05:00
Isaac Connor
edaf582eb4
Make montagereview more robust when the storage area of an event has been deleted. Add the onmouse events using javascript instead of in the html canvas element so that our CSP policy works.
2019-02-06 11:46:48 -05:00
Isaac Connor
dca9a81cfd
implement data-on-click-true
2019-02-05 16:45:05 -05:00
Isaac Connor
a40cd144fa
Merge branch 'master' of github.com:ZoneMinder/ZoneMinder
2019-02-05 12:35:15 -05:00
Isaac Connor
c54fe7e89a
fix state actions
2019-02-05 12:35:06 -05:00
Isaac Connor
a2e04c307d
update buttons. reduce duplicated code. Make it so that users with System=View can at least see if there is an update.
2019-01-31 09:40:19 -05:00
Isaac Connor
604dbf8776
fix state changing/etc
2019-01-30 14:36:46 -05:00
Isaac Connor
7ea8be3fa8
spacing, remove non html5 elements
2019-01-25 09:22:08 -05:00
Matt N
8c5687ca30
Fix name/protocol XSS in controlcaps.php. Fixes #2445 ( #2479 )
2019-01-25 08:35:07 -05:00
Matthew Noorenberghe
a3e8fd4fd5
Fix zones.php self-xss. Fixes #2444
2019-01-24 23:40:41 -08:00
Matthew Noorenberghe
47d8c9b066
plugin.php: Remove undefined onclick function reference and enforce CSP
...
Also fix tag closing.
2019-01-23 19:47:58 -08:00
Matthew Noorenberghe
59cc65411f
plugin.php: Fix XSS and directory traversal bugs. Fixes #2436
...
This view seems like dead code so maybe it should be removed instead.
2019-01-23 19:41:38 -08:00
Isaac Connor
6eb4d7ae27
Filter improvements ( #2438 )
...
* Put back code to close the popup when view is none
* clean up and reduce depth of some logic
* Increase width of user popup
* fix code style
* Make execute_filter work on a filter Id instead of name
* rework logic to reduce code depth. Change view to events to display the results of execute.
* Change the redirect to stay on the new view. When redirecting from executing a filter, it was redirecting to filter.
* Set a form action for correctness. Change execute button to a button instead of a submit. Stay on the filter view when executing
2019-01-23 11:30:51 -05:00
montagdude
4da95369f9
Fix zone area calculation ( #2437 )
...
Previous method resulted in bogus zone areas (in the range of
1000s of % of frame area) when entering points with the keyboard, even
after applying commit 4937a68650
. This
change implements the method here:
http://mathworld.wolfram.com/PolygonArea.html
It has been tested on ZoneMinder 1.32.3 and works correctly when
either entering coordinates with the keyboard or dragging points with
the mouse.
2019-01-23 10:35:18 -05:00
Isaac Connor
2914fb1d58
Update to html5, remove code to close popup (as it is taken care of in skin.js now. Use cache_bust on skin.js
2019-01-22 09:15:25 -05:00
Isaac Connor
e712cedbde
spacing and quotes
2019-01-22 09:14:44 -05:00
Matt N
0619a4a161
Validate cnj, obr, and cbr arguments in parseFilter ( #2434 )
2019-01-22 08:03:25 -05:00
Matt N
e7e45b2d95
Remove jQuery use from top-level event listeners in skin.js since view=none doesn't have $j ( #2433 )
2019-01-22 08:00:39 -05:00
Isaac Connor
785c208ecf
Fixes #2426 . Ca should have been endTime
2019-01-21 12:01:46 -05:00
Isaac Connor
a2d4dc974b
Merge branch 'master' of github.com:ZoneMinder/ZoneMinder
2019-01-21 11:19:07 -05:00
Isaac Connor
e663397816
spacing
2019-01-21 11:17:21 -05:00
Isaac Connor
c6311b7079
When logging in, stay on the login view
2019-01-21 11:17:09 -05:00
Matt N
19c272061a
Replace MooTools usage for adding window event listeners ( #2429 )
2019-01-21 11:14:32 -05:00
Matt N
27bcf3f994
Upgrade jQuery version ( #2430 )
...
* Upgrade jQuery to 1.12.4
* Upgrade jQuery to 2.2.4; Stop support for IE8
* 2.2.4 is compatible with 1.12.4
* This fixes a CSP violation on every page load due to jQuery testing of focusin support with a hidden element.
2019-01-21 11:13:40 -05:00