- 28 Apr, 2017 2 commits
  - Carsten Rose authored
  - Rafael Ostertag authored
- 27 Apr, 2017 4 commits
  - Rafael Ostertag authored
  - Rafael Ostertag authored
  - Rafael Ostertag authored
  - Rafael Ostertag authored
- 26 Apr, 2017 14 commits
  - Rafael Ostertag authored
  - Carsten Rose authored
  - Carsten Rose authored
  - Carsten Rose authored
    # Conflicts: # mockup/inputmodeswitcher.html
  - Rafael Ostertag authored
  - Rafael Ostertag authored
    # Conflicts: # mockup/inputmodeswitcher.html
  - Carsten Rose authored
  - Carsten Rose authored
  - Rafael Ostertag authored
  - Rafael Ostertag authored
  - Rafael Ostertag authored
  - Rafael Ostertag authored
  - Carsten Rose authored
  - Carsten Rose authored
    Renamed two bat files - makes trouble if they are sent by email - will be blocked, even if they are inside of a zip.
- 24 Apr, 2017 10 commits
  - Carsten Rose authored
  - Carsten Rose authored
    Implemented defaultEscapeType. configurable via config.qfq.ini (global) and per Form. Implemented max GET parameter length. Default: 50. BTW: in phpunit test there was a parameter 'file' which exceeds the limit of 32. Config.qfq: Skip empty variable names - happens in phpunit tests. Read new `systemEscapeTypeDefault`. Constants.php: renamed TOKEN_LDAP_ESCAPE_* to TOKEN_ESCAPE_LDAP_*. Add TOKEN_ESCAPE_MYSQL, TOKEN_ESCAPE_NONE. Database.php: Set charset to real_escape_string() functions properly. Proxy for mysqli::real_escape_string(). Evaluate.php: Respect global escapeTypeDefault. Implement formEditor.sql: add column `escapeTypeDefault`. Add FormElement 'escapeTypeDefault'.
  - Carsten Rose authored
  - Carsten Rose authored
  - Carsten Rose authored
    Manual.rst: small abstract about implemented security enhancements in QFQ. Sanatize.php: New function urlDecodeArr(). Decode all _GET vars. AbstractBuildForm.php, BuildFormBootstrap.php: form head now contains the honeypot vars.
  - bbaer authored
  - Carsten Rose authored
    Fix from BB seems to help in 90%: window.onblur(). QuickFormQuery.php: Add 'windows.onblur'
  - Carsten Rose authored
    Config.php: Defaults are now set in Config.php, not in Store.php anymore. New function setDefaults(), checkForAttack().
  - bbaer authored
  - bbaer authored
- 23 Apr, 2017 9 commits
  - Carsten Rose authored
    Play: ALTER TABLE `FormElement` ADD `encode` ENUM( 'none', 'specialchar' ) NOT NULL DEFAULT 'specialchar' AFTER `subrecordOption` ; Play: formEditor.sql Attention: FEs with text=editor need action - the default of 'specialchar' prohibits saving of HTML tags. FillStoreForm.php: Submitted values will be specialchars() before copying to STORE_FORM. AbstractBuildForm.php: Counterpart of FillStoreForm.php - will htmlspecialchars_decode() values read from database. Replace 'checkType' and 'checkPattern' with CONSTANTS. formEditor.sql: Added new column in FormElement. Add new FormElement 'encode' in FormElement-Editor. Add column 'encode' to all FormElement records.
  - Carsten Rose authored
    Store.php: fillStoreClient now htmlentities() the $_SERVER array.
  - Carsten Rose authored
    Manual.rst: Cleanup doc for wkhtmltopdf. Remove all references to excel export. Add best practice for 'export area' (IP based restriction).
  - Carsten Rose authored
  - Carsten Rose authored
  - Carsten Rose authored
    Handling of filenames in Zip's optimized. Spoken filename (no cryptic tempnames anymore). Correct filename extension, based on the mimetype. Manual.rst: updated doc for columns _pPdf,_zZip, _fFile. Remove doc for '_dDownload'. Download.php: new function targetFilenameExtension(). Replace cryptic temporary filenames with file-1, ... Link.php: reorder param array, to make TOKEN_DOWNLOAD position independent. Report.php: Implemented _pPdf,_zZip, _fFile.
  - Carsten Rose authored
    QuickFormQuery.php: Update default text.
  - Carsten Rose authored
  - Carsten Rose authored
    Link.php: If there is no output filename defined, the default is now computed in Download.php, not in Link.php as before. Download.php: Extract filename extension from mimetype, compare it with output filename, if it does not match, append the computed extension. This forces the filemanager to open the correct application after download.
- 22 Apr, 2017 1 commit
  - Carsten Rose authored