In openlibrary versions deploy-2016-07-0 through deploy-2021-12-22 are vulnerable to Stored XSS.


**Mend Vulnerability Database**

Mend Vulnerability Lab is where you can find the information that you need about open source security vulnerabilities, aggregated by Mend’s comprehensive open source vulnerabilities database from hundreds of both popular and under-the-radar community resources.

The Mend open source vulnerabilities database covers over 200 programming languages and over 3 million open source components. It aggregates information from a variety of sources including the NVD, security advisories, and open source project issue trackers, multiple times a day.

We’re here to help you find and fix open source security vulnerabilities, and provide you with all of the data that you need in order to address open source vulnerabilities, including:

*   Programming language
*   CWE type
*   CVSS Severity scores, including CVSS v2.0 and v3.x
*   Exposure level (how many organizations have been impacted)
*   Verified suggested fixes
*   The low-down from the community
*   Additional info to help make informed remediation decisions

CVE-2022-32159: Open Source Vulnerability Database | Mend

In openlibrary versions deploy-2016-07-0 through deploy-2021-12-22 are vulnerable to Reflected XSS. 

CVE-2022-23081: Open Source Vulnerability Database | Mend

### Impact
Authenticated Stored XSS in Administration

### Patches
We recommend updating to version 5.7.12. You can get the update to 5.7.12 regularly via the Auto-Updater or directly via the download overview.
https://www.shopware.com/de/changelog-sw5/#5-7-12

For older versions you can use the Security Plugin:
https://store.shopware.com/en/swag575294366635f/shopware-security-plugin.html


### References
https://docs.shopware.com/en/shopware-5-en/security-updates/security-update-06-2022

**Authenticated Stored Cross-site Scripting in Shopware**

Moderate severity GitHub Reviewed Published Jun 22, 2022 in shopware/shopware

GHSA-q754-vwc4-p6qj: Authenticated Stored Cross-site Scripting in Shopware

WordPress Download Manager plugin versions 3.2.43 and below suffer from a cross site scripting vulnerability.

Change Mirror Download

    Exploit Title: Download Manager Cross-Site ScriptingDate: 2022-06-16Exploit Author :  Andrea BocchettiVendor Homepage : https://wordpress.org/plugins/download-manager/Version :  <= 3.2.43Tested on: windowsCVE :  CVE-2022-2101######## Description ######### 1-) Login in the plugin page# 2-) add the xss payload in the field "Insert URL"# 3-) Click on the link , the JS code will be interpreted.

WordPress Download Manager 3.2.43 Cross Site Scripting

Zoo Management System version 1.0 suffers from a cross site scripting vulnerability.

    # Exploit Title: Zoo Management System 1.0 - Reflected Cross-Site-Scripting (XSS)# Date: 06/22/2022# Exploit Author: Angelo Pio Amirante# Vendor Homepage: https://www.sourcecodester.com/# Software Link: https://www.sourcecodester.com/php/15344/zoo-management-system-phpoop-free-source-code.html# Version: 1.0# Tested on: Server: XAMPP on Windows 10 # CVE: CVE-2022-31897# Description:Zoo Management System 1.0 is vulnerable to reflected cross-site scripting on the sign-up page. The "msg" parameter in 'http://localhost/public_html/register_visitor?msg=' is vulnerable.# Impact:An attacker could steal cookies with a crafted URL sent to the victims.# Exploit:Visit the following page: 1) http://localhost/public_html/register_visitor?msg=<script>alert(window.navigator.userAgent)</script>2) Alert pop up is fired!# Image poc:https://ibb.co/8XKDgJX -> Registration pagehttps://ibb.co/mTTmTmy -> XSS

Zoo Management System 1.0 Cross Site Scripting

Red Hat Security Advisory 2022-5152-01 - Red Hat Openshift GitOps is a declarative way to implement continuous deployment for cloud native applications. Issues addressed include a cross site scripting vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: Red Hat OpenShift GitOps security update  
Advisory ID:       RHSA-2022:5152-01  
Product:           Red Hat OpenShift GitOps  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:5152  
Issue date:        2022-06-22  
CVE Names:         CVE-2018-25032 CVE-2022-1271 CVE-2022-31016  
                   CVE-2022-31034 CVE-2022-31035 CVE-2022-31036  
====================================================================  
1. Summary:

An update is now available for Red Hat OpenShift GitOps 1.5.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Description:

Red Hat Openshift GitOps is a declarative way to implement continuous  
deployment for cloud native applications.

Security Fix(es):

* argocd: vulnerable to a variety of attacks when an SSO login is initiated  
from the Argo CD CLI or the UI. (CVE-2022-31034)

* argocd: cross-site scripting (XSS) allows a malicious user to inject a  
javascript link in the UI (CVE-2022-31035)

* argocd: vulnerable to an uncontrolled memory consumption bug  
(CVE-2022-31016)

* argocd: vulnerable to a symlink following bug allowing a malicious user  
with repository write access (CVE-2022-31036)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information refer to the CVE  
page(s) listed in the References section.

3. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

4. Bugs fixed (https://bugzilla.redhat.com/):

2096278 - CVE-2022-31035 argocd: cross-site scripting (XSS) allow a malicious user to inject a javascript link in the UI  
2096282 - CVE-2022-31034 argocd: vulnerable to a variety of attacks when an SSO login is initiated from the Argo CD CLI or the UI.  
2096283 - CVE-2022-31016 argocd: vulnerable to an uncontrolled memory consumption bug  
2096291 - CVE-2022-31036 argocd: vulnerable to a symlink following bug allowing a malicious user with repository write access

5. References:

https://access.redhat.com/security/cve/CVE-2018-25032  
https://access.redhat.com/security/cve/CVE-2022-1271  
https://access.redhat.com/security/cve/CVE-2022-31016  
https://access.redhat.com/security/cve/CVE-2022-31034  
https://access.redhat.com/security/cve/CVE-2022-31035  
https://access.redhat.com/security/cve/CVE-2022-31036  
https://access.redhat.com/security/updates/classification/#important

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBYrLob9zjgjWX9erEAQhsxw/9EbM8BdLUASvR5jVTtZeDXjOavkH9ob65  
/W+vtrpycWaOGKLm0sVZDnH9Y/iNy5io1vbTp3qseFXzCJVSnOrBmPc21VLHpCnJ  
mZ/apMKfS4HONdDqEOlwxFXPyZfp4M8ms7XdEKxEyabBdL5deL/ZhOzg1nbUWXwy  
JdDrll9oGk9HsUFqaVyM7+tOsT+a0g7SliFoXFDDF684W3JI6uL3y6ejKEEiBXOd  
649AoBnIaGyNT37BK/JaItpJj3EhmhavBs5OILDdrIzvBsjIBtVfyPNMfRjrzCEB  
qAa9CRfUT3daBK9bdx3P5X8MDXGlXEUKOOJGTwlCSk6d/mshET9AWKaJNyOdRxHJ  
U1MPlspWjb+ADXqCNB3zaQgmOaPj4lYsT9dT738JHtW+VIUAGs+KVsslizIAV9uF  
KZkJIrPqL5g9hQN4lt2uB3iLC0e1prSSZsXZLXCLFcxXObLUYV83ChFBJxaEGmMl  
VeFmgasL0LkhbH/9O4taHdwRRqMCOTshQE4N8jfqyo2jA2clPAua0vE840qSNz03  
2aEi/5J7oGV/z1wuZtklTTJGBVs2qGkhdYvqAF2wKkXPEhaoWyqhUn1dqnjGIrk+  
JJ43POziAdewPlIKN4OBkPgfTjfGWW5wy/RkMnTLtamObkF5AANQF7a8D4TcCdod  
UfPGO4T/krI=jReJ  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-5152-01

In habitica versions v4.119.0 through v4.232.2 are vulnerable to DOM XSS via the login page.

Permalink

Browse files

fix(login): catch double-slash exploit

*   Loading branch information

SabreCat committed

May 20, 2022

1 parent 980e358 commit 5bcfdbe066e8c899f3ecf3fdcdbacc2ecba7f02f

Showing **1 changed file** with **2 additions** and **2 deletions**.

@@ -757,8 +757,8 @@ export default {

}, 500),

sanitizeRedirect (redirect) {

if (!redirect) return '/';

let sanitizedString \= DOMPurify.sanitize(redirect);

if (sanitizedString.slice(0, 1) !== '/') sanitizedString \= \`/${sanitizedString}\`;

let sanitizedString \= DOMPurify.sanitize(redirect).replace(/\\\\|\\/\\/|\\./g, '');

sanitizedString \= \`/${sanitizedString}\`;

return sanitizedString;

},

async register () {

**0 comments on commit 5bcfdbe**

Please sign in to comment.

CVE-2022-23077: fix(login): catch double-slash exploit · HabitRPG/habitica@5bcfdbe

Cross-site Scripting (XSS) - Reflected in GitHub repository microweber/microweber prior to 1.2.18.

CVE-2022-2174

In ERPNext, versions v13.0.0-beta.13 through v13.30.0 are vulnerable to Stored XSS at the Patient History page which allows a low privilege user to conduct an account takeover attack.

frappe.provide('frappe.patient\_history'); frappe.pages\['patient\_history'\].on\_page\_load \= function(wrapper) { let me \= this; let page \= frappe.ui.make\_app\_page({ parent: wrapper, title: 'Patient History', single\_column: true }); frappe.breadcrumbs.add('Healthcare'); let pid \= ''; page.main.html(frappe.render\_template('patient\_history', {})); page.main.find('.header-separator').hide(); let patient \= frappe.ui.form.make\_control({ parent: page.main.find('.patient'), df: { fieldtype: 'Link', options: 'Patient', fieldname: 'patient', placeholder: \_\_('Select Patient'), only\_select: true, change: function() { let patient\_id \= patient.get\_value(); if (pid != patient\_id && patient\_id) { me.start \= 0; me.page.main.find('.patient\_documents\_list').html(''); setup\_filters(patient\_id, me); get\_documents(patient\_id, me); show\_patient\_info(patient\_id, me); show\_patient\_vital\_charts(patient\_id, me, 'bp', 'mmHg', 'Blood Pressure'); } pid \= patient\_id; } }, }); patient.refresh(); if (frappe.route\_options) { patient.set\_value(frappe.route\_options.patient); } this.page.main.on('click', '.btn-show-chart', function() { let btn\_show\_id \= $(this).attr('data-show-chart-id'), pts \= $(this).attr('data-pts'); let title \= $(this).attr('data-title'); show\_patient\_vital\_charts(patient.get\_value(), me, btn\_show\_id, pts, title); }); this.page.main.on('click', '.btn-more', function() { let doctype \= $(this).attr('data-doctype'), docname \= $(this).attr('data-docname'); if (me.page.main.find('.'+docname).parent().find('.document-html').attr('data-fetched') \== '1') { me.page.main.find('.'+docname).hide(); me.page.main.find('.'+docname).parent().find('.document-html').show(); } else { if (doctype && docname) { let exclude \= \['patient', 'patient\_name', 'patient\_sex', 'encounter\_date'\]; frappe.call({ method: 'erpnext.healthcare.utils.render\_doc\_as\_html', args:{ doctype: doctype, docname: docname, exclude\_fields: exclude }, freeze: true, callback: function(r) { if (r.message) { me.page.main.find('.' + docname).hide(); me.page.main.find('.' + docname).parent().find('.document-html').html( \`${r.message.html} <div align='center'> <a class='btn octicon octicon-chevron-up btn-default btn-xs btn-less' data-doctype='${doctype}' data-docname='${docname}'> </a> </div> \`); me.page.main.find('.' + docname).parent().find('.document-html').show(); me.page.main.find('.' + docname).parent().find('.document-html').attr('data-fetched', '1'); } } }); } } }); this.page.main.on('click', '.btn-less', function() { let docname \= $(this).attr('data-docname'); me.page.main.find('.' + docname).parent().find('.document-id').show(); me.page.main.find('.' + docname).parent().find('.document-html').hide(); }); me.start \= 0; me.page.main.on('click', '.btn-get-records', function() { get\_documents(patient.get\_value(), me); }); }; let setup\_filters \= function(patient, me) { $('.doctype-filter').empty(); frappe.xcall( 'erpnext.healthcare.page.patient\_history.patient\_history.get\_patient\_history\_doctypes' ).then(document\_types \=> { let doctype\_filter \= frappe.ui.form.make\_control({ parent: $('.doctype-filter'), df: { fieldtype: 'MultiSelectList', fieldname: 'document\_type', placeholder: \_\_('Select Document Type'), input\_class: 'input-xs', change: () \=> { me.start \= 0; me.page.main.find('.patient\_documents\_list').html(''); get\_documents(patient, me, doctype\_filter.get\_value(), date\_range\_field.get\_value()); }, get\_data: () \=> { return document\_types.map(document\_type \=> { return { description: document\_type, value: document\_type }; }); }, } }); doctype\_filter.refresh(); $('.date-filter').empty(); let date\_range\_field \= frappe.ui.form.make\_control({ df: { fieldtype: 'DateRange', fieldname: 'date\_range', placeholder: \_\_('Date Range'), input\_class: 'input-xs', change: () \=> { let selected\_date\_range \= date\_range\_field.get\_value(); if (selected\_date\_range && selected\_date\_range.length \=== 2) { me.start \= 0; me.page.main.find('.patient\_documents\_list').html(''); get\_documents(patient, me, doctype\_filter.get\_value(), selected\_date\_range); } } }, parent: $('.date-filter') }); date\_range\_field.refresh(); }); }; let get\_documents \= function(patient, me, document\_types\="", selected\_date\_range\="") { let filters \= { name: patient, start: me.start, page\_length: 20 }; if (document\_types) filters\['document\_types'\] \= document\_types; if (selected\_date\_range) filters\['date\_range'\] \= selected\_date\_range; frappe.call({ 'method': 'erpnext.healthcare.page.patient\_history.patient\_history.get\_feed', args: filters, callback: function(r) { let data \= r.message; if (data.length) { add\_to\_records(me, data); } else { me.page.main.find('.patient\_documents\_list').append(\` <div class='text-muted' align='center'> <br><br>${\_\_('No more records..')}<br><br> </div>\`); me.page.main.find('.btn-get-records').hide(); } } }); }; let add\_to\_records \= function(me, data) { let details \= "<ul class='nav nav-pills nav-stacked'>"; let i; for (i\=0; i<data.length; i++) { if (data\[i\].reference\_doctype) { let label \= ''; if (data\[i\].subject) { label += "<br/>" + data\[i\].subject; } data\[i\] \= add\_date\_separator(data\[i\]); if (frappe.user\_info(data\[i\].owner).image) { data\[i\].imgsrc \= frappe.utils.get\_file\_link(frappe.user\_info(data\[i\].owner).image); } else { data\[i\].imgsrc \= false; } let time\_line\_heading \= data\[i\].practitioner ? \`${data\[i\].practitioner} \` : \`\`; time\_line\_heading += data\[i\].reference\_doctype + " - " + \`<a onclick="frappe.set\_route('Form', '${data\[i\].reference\_doctype}', '${data\[i\].reference\_name}');"> ${data\[i\].reference\_name} </a>\`; details += \` <li data-toggle='pill' class='patient\_doc\_menu' data-doctype='${data\[i\].reference\_doctype}' data-docname='${data\[i\].reference\_name}'> <div class='col-sm-12 d-flex border-bottom py-3'>\`; if (data\[i\].imgsrc) { details += \` <span class='mr-3'> <img class='avtar' src='${data\[i\].imgsrc}' width='32' height='32'></img> </span>\`; } else { details += \`<span class='mr-3 avatar avatar-small' style='width:32px; height:32px;'> <div align='center' class='standard-image' style='background-color: #fafbfc;'> ${data\[i\].practitioner ? data\[i\].practitioner.charAt(0) : 'U'} </div> </span>\`; } details += \`<div class='d-flex flex-column width-full'> <div> \`+time\_line\_heading+\` <span> ${data\[i\].date\_sep} </span> </div> <div class='Box p-3 mt-2'> <span class='${data\[i\].reference\_name} document-id'>${label} <div align='center'> <a class='btn octicon octicon-chevron-down btn-default btn-xs btn-more' data-doctype='${data\[i\].reference\_doctype}' data-docname='${data\[i\].reference\_name}'> </a> </div> </span> <span class='document-html' hidden data-fetched="0"> </span> </div> </div> </div> </li>\`; } } details += '</ul>'; me.page.main.find('.patient\_documents\_list').append(details); me.start += data.length; if (data.length \=== 20) { me.page.main.find(".btn-get-records").show(); } else { me.page.main.find(".btn-get-records").hide(); me.page.main.find(".patient\_documents\_list").append(\` <div class='text-muted' align='center'> <br><br>${\_\_('No more records..')}<br><br> </div>\`); } }; let add\_date\_separator \= function(data) { let date \= frappe.datetime.str\_to\_obj(data.communication\_date); let pdate \= ''; let diff \= frappe.datetime.get\_day\_diff(frappe.datetime.get\_today(), frappe.datetime.obj\_to\_str(date)); if (diff < 1) { pdate \= \_\_('Today'); } else if (diff < 2) { pdate \= \_\_('Yesterday'); } else { pdate \= \_\_('on ') + frappe.datetime.global\_date\_format(date); } data.date\_sep \= pdate; return data; }; let show\_patient\_info \= function(patient, me) { frappe.call({ 'method': 'erpnext.healthcare.doctype.patient.patient.get\_patient\_detail', args: { patient: patient }, callback: function(r) { let data \= r.message; let details \= ''; if (data.image) { details += \`<div><img class='thumbnail' width=75% src='${data.image}'></div>\`; } details += \`<b> ${data.patient\_name} </b><br> ${data.sex}\`; if (data.email) details += \`<br> ${data.email}\`; if (data.mobile) details += \`<br> ${data.mobile}\`; if (data.occupation) details += \`<br><br><b> ${\_\_('Occupation')} : </b> ${data.occupation}\`; if (data.blood\_group) details += \`<br><b> ${\_\_('Blood Group')} : </b> ${data.blood\_group}\`; if (data.allergies) details += \`<br><br><b> ${\_\_('Allerigies')} : </b> ${data.allergies.replace("\\n", ", ")}\`; if (data.medication) details += \`<br><b> ${\_\_('Medication')} : </b> ${data.medication.replace("\\n", ", ")}\`; if (data.alcohol\_current\_use) details += \`<br><br><b> ${\_\_('Alcohol use')} : </b> ${data.alcohol\_current\_use}\`; if (data.alcohol\_past\_use) details += \`<br><b> ${\_\_('Alcohol past use')} : </b> ${data.alcohol\_past\_use}\`; if (data.tobacco\_current\_use) details += \`<br><b> ${\_\_('Tobacco use')} : </b> ${data.tobacco\_current\_use}\`; if (data.tobacco\_past\_use) details += \`<br><b> ${\_\_('Tobacco past use')} : </b> ${data.tobacco\_past\_use}\`; if (data.medical\_history) details += \`<br><br><b> ${\_\_('Medical history')} : </b> ${data.medical\_history.replace("\\n", ", ")}\`; if (data.surgical\_history) details += \`<br><b> ${\_\_('Surgical history')} : </b> ${data.surgical\_history.replace("\\n", ", ")}\`; if (data.surrounding\_factors) details += \`<br><br><b> ${\_\_('Occupational hazards')} : </b> ${data.surrounding\_factors.replace("\\n", ", ")}\`; if (data.other\_risk\_factors) details += \`<br><b> ${\_\_('Other risk factors')} : </b> ${data.other\_risk\_factors.replace("\\n", ", ")}\`; if (data.patient\_details) details += \`<br><br><b> ${\_\_('More info')} : </b> ${data.patient\_details.replace("\\n", ", ")}\`; if (details) { details \= \`<div style='padding-left:10px; font-size:13px;' align='left'>\` + details + \`</div>\`; } me.page.main.find('.patient\_details').html(details); } }); }; let show\_patient\_vital\_charts \= function(patient, me, btn\_show\_id, pts, title) { frappe.call({ method: 'erpnext.healthcare.utils.get\_patient\_vitals', args:{ patient: patient }, callback: function(r) { if (r.message) { let show\_chart\_btns\_html \= \` <div style='padding-top:10px;'> <a class='btn btn-default btn-xs btn-show-chart' data-show-chart-id='bp' data-pts='mmHg' data-title='Blood Pressure'> ${\_\_('Blood Pressure')} </a> <a class='btn btn-default btn-xs btn-show-chart' data-show-chart-id='pulse\_rate' data-pts='per Minutes' data-title='Respiratory/Pulse Rate'> ${\_\_('Respiratory/Pulse Rate')} </a> <a class='btn btn-default btn-xs btn-show-chart' data-show-chart-id='temperature' data-pts='°C or °F' data-title='Temperature'> ${\_\_('Temperature')} </a> <a class='btn btn-default btn-xs btn-show-chart' data-show-chart-id='bmi' data-pts='' data-title='BMI'> ${\_\_('BMI')} </a> </div>\`; me.page.main.find('.show\_chart\_btns').html(show\_chart\_btns\_html); let data \= r.message; let labels \= \[\], datasets \= \[\]; let bp\_systolic \= \[\], bp\_diastolic \= \[\], temperature \= \[\]; let pulse \= \[\], respiratory\_rate \= \[\], bmi \= \[\], height \= \[\], weight \= \[\]; for (let i\=0; i<data.length; i++) { labels.push(data\[i\].signs\_date+'||'+data\[i\].signs\_time); if (btn\_show\_id \=== 'bp') { bp\_systolic.push(data\[i\].bp\_systolic); bp\_diastolic.push(data\[i\].bp\_diastolic); } if (btn\_show\_id \=== 'temperature') { temperature.push(data\[i\].temperature); } if (btn\_show\_id \=== 'pulse\_rate') { pulse.push(data\[i\].pulse); respiratory\_rate.push(data\[i\].respiratory\_rate); } if (btn\_show\_id \=== 'bmi') { bmi.push(data\[i\].bmi); height.push(data\[i\].height); weight.push(data\[i\].weight); } } if (btn\_show\_id \=== 'temperature') { datasets.push({name: 'Temperature', values: temperature, chartType: 'line'}); } if (btn\_show\_id \=== 'bmi') { datasets.push({name: 'BMI', values: bmi, chartType: 'line'}); datasets.push({name: 'Height', values: height, chartType: 'line'}); datasets.push({name: 'Weight', values: weight, chartType: 'line'}); } if (btn\_show\_id \=== 'bp') { datasets.push({name: 'BP Systolic', values: bp\_systolic, chartType: 'line'}); datasets.push({name: 'BP Diastolic', values: bp\_diastolic, chartType: 'line'}); } if (btn\_show\_id \=== 'pulse\_rate') { datasets.push({name: 'Heart Rate / Pulse', values: pulse, chartType: 'line'}); datasets.push({name: 'Respiratory Rate', values: respiratory\_rate, chartType: 'line'}); } new frappe.Chart('.patient\_vital\_charts', { data: { labels: labels, datasets: datasets }, title: title, type: 'axis-mixed', height: 200, colors: \['purple', '#ffa3ef', 'light-blue'\], tooltipOptions: { formatTooltipX: d \=> (d + '').toUpperCase(), formatTooltipY: d \=> d + ' ' + pts, } }); me.page.main.find('.header-separator').show(); } else { me.page.main.find('.patient\_vital\_charts').html(''); me.page.main.find('.show\_chart\_btns').html(''); me.page.main.find('.header-separator').hide(); } } }); };

CVE-2022-23056: erpnext/patient_history.js at 21a3ea462aaf319e466c067c2ec406eb9abe6ed3 · frappe/erpnext

In ERPNext, versions v12.0.9--v13.0.3 are vulnerable to Stored Cross-Site-Scripting (XSS), due to user input not being validated properly. A low privileged attacker could inject arbitrary code into input fields when editing his profile.

@@ -2,17 +2,22 @@ \# MIT License. See license.txt  
from \_\_future\_\_ import unicode\_literals  
from werkzeug.wrappers import Response from six import text\_type, string\_types, StringIO  
import frappe from frappe import \_ import frappe.utils import frappe.sessions import frappe.desk.form.run\_method from frappe.utils.response import build\_response from frappe.api import validate\_auth  
from frappe.utils import cint from frappe.api import validate\_auth from frappe import \_, is\_whitelisted from frappe.utils.response import build\_response from frappe.utils.csvutils import build\_csv\_response from frappe.core.doctype.server\_script.server\_script\_utils import run\_server\_script\_api from werkzeug.wrappers import Response from six import string\_types  
  
ALLOWED\_MIMETYPES \= ('image/png', 'image/jpeg', 'application/pdf', 'application/msword', 'application/vnd.openxmlformats-officedocument.wordprocessingml.document', @@ -64,8 +69,9 @@ def execute\_cmd(cmd, from\_async=False): if from\_async: method \= method.queue  
is\_whitelisted(method) is\_valid\_http\_method(method) if method != run\_doc\_method: is\_whitelisted(method) is\_valid\_http\_method(method)  
return frappe.call(method, \*\*frappe.form\_dict)  
@@ -75,31 +81,10 @@ def is\_valid\_http\_method(method): if http\_method not in frappe.allowed\_http\_methods\_for\_whitelisted\_func\[method\]: frappe.throw(\_("Not permitted"), frappe.PermissionError)  
def is\_whitelisted(method): \# check if whitelisted if frappe.session\['user'\] \== 'Guest': if (method not in frappe.guest\_methods): frappe.throw(\_("Not permitted"), frappe.PermissionError)  
if method not in frappe.xss\_safe\_methods: \# strictly sanitize form\_dict \# escapes html characters like <> except for predefined tags like a, b, ul etc. for key, value in frappe.form\_dict.items(): if isinstance(value, string\_types): frappe.form\_dict\[key\] \= frappe.utils.sanitize\_html(value)  
else: if not method in frappe.whitelisted: frappe.throw(\_("Not permitted"), frappe.PermissionError)  
@frappe.whitelist(allow\_guest\=True) def version(): return frappe.\_\_version\_\_  
@frappe.whitelist() def runserverobj(method, docs\=None, dt\=None, dn\=None, arg\=None, args\=None): frappe.desk.form.run\_method.runserverobj(method, docs\=docs, dt\=dt, dn\=dn, arg\=arg, args\=args)  
@frappe.whitelist(allow\_guest\=True) def logout(): frappe.local.login\_manager.logout() @@ -112,15 +97,6 @@ def web\_logout(): frappe.respond\_as\_web\_page(\_("Logged Out"), \_("You have been successfully logged out"), indicator\_color\='green')  
@frappe.whitelist(allow\_guest\=True) def run\_custom\_method(doctype, name, custom\_method): """cmd=run\_custom\_method&doctype={doctype}&name={name}&custom\_method={custom\_method}""" doc \= frappe.get\_doc(doctype, name) if getattr(doc, custom\_method, frappe.\_dict()).is\_whitelisted: frappe.call(getattr(doc, custom\_method), \*\*frappe.local.form\_dict) else: frappe.throw(\_("Not permitted"), frappe.PermissionError)  
@frappe.whitelist() def uploadfile(): ret \= None @@ -222,6 +198,65 @@ def get\_attr(cmd): frappe.log("method:" + cmd) return method  
@frappe.whitelist(allow\_guest \= True) @frappe.whitelist(allow\_guest\=True) def ping(): return "pong"  
@frappe.whitelist() def run\_doc\_method(method, docs\=None, dt\=None, dn\=None, arg\=None, args\=None): """run controller method - old style""" import json, inspect  
if not args: args \= arg or ""  
if dt: \# not called from a doctype (from a page) if not dn: dn \= dt \# single doc \= frappe.get\_doc(dt, dn)  
else: doc \= frappe.get\_doc(json.loads(docs)) doc.\_original\_modified \= doc.modified doc.check\_if\_latest()  
if not doc.has\_permission("read"): frappe.msgprint(\_("Not permitted"), raise\_exception \= True)  
if not doc: return  
try: args \= json.loads(args) except ValueError: args \= args  
method\_obj \= getattr(doc, method) is\_whitelisted(getattr(method\_obj, '\_\_func\_\_', method\_obj))  
try: fnargs \= inspect.getargspec(method\_obj)\[0\] except ValueError: fnargs \= inspect.getfullargspec(method\_obj).args  
if not fnargs or (len(fnargs)\==1 and fnargs\[0\]\=="self"): r \= doc.run\_method(method)  
elif "args" in fnargs or not isinstance(args, dict): r \= doc.run\_method(method, args)  
else: r \= doc.run\_method(method, \*\*args)  
frappe.response.docs.append(doc)  
if not r: return  
\# build output as csv if cint(frappe.form\_dict.get('as\_csv')): build\_csv\_response(r, doc.doctype.replace(' ', '')) return  
frappe.response\['message'\] \= r  
\# for backwards compatibility runserverobj \= run\_doc\_method

Tag

#xss