Audit fixes: security, dead code removal, API consolidation, JS dedup
Security: - Fix IDOR in delete/update comment (add ticket visibility check) - XSS defense-in-depth in DashboardView active filters - Replace innerHTML with DOM construction in toast.js - Remove redundant real_escape_string in check_duplicates - Add rate limiting to get_template, download_attachment, audit_log, saved_filters, user_preferences endpoints Bug fixes: - Session timeout now reads from config instead of hardcoded 18000 - TicketController uses $GLOBALS['config'] instead of duplicate .env parsing - Add DISCORD_WEBHOOK_URL to centralized config - Cleanup script uses hashmap for O(1) ticket ID lookups Dead code removal (~100 lines): - Remove dead getTicketComments() from TicketModel (wrong bind_param type) - Remove dead getCategories()/getTypes() from DashboardController - Remove ~80 lines dead Discord webhook code from update_ticket API Consolidation: - Create api/bootstrap.php for shared API setup (auth, CSRF, rate limit) - Convert 6 API endpoints to use bootstrap - Extract escapeHtml/getTicketIdFromUrl into shared utils.js - Batch save for user preferences (1 request instead of 7) Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
@@ -1,18 +1,3 @@
|
||||
// XSS prevention helper
|
||||
function escapeHtml(text) {
|
||||
const div = document.createElement('div');
|
||||
div.textContent = text;
|
||||
return div.innerHTML;
|
||||
}
|
||||
|
||||
// Get ticket ID from URL (handles both /ticket/123 and ?id=123 formats)
|
||||
function getTicketIdFromUrl() {
|
||||
const pathMatch = window.location.pathname.match(/\/ticket\/(\d+)/);
|
||||
if (pathMatch) return pathMatch[1];
|
||||
const params = new URLSearchParams(window.location.search);
|
||||
return params.get('id');
|
||||
}
|
||||
|
||||
/**
|
||||
* Toggle sidebar visibility on desktop
|
||||
*/
|
||||
|
||||
@@ -94,22 +94,20 @@ async function saveSettings() {
|
||||
};
|
||||
|
||||
try {
|
||||
// Save each preference
|
||||
for (const [key, value] of Object.entries(prefs)) {
|
||||
const response = await fetch('/api/user_preferences.php', {
|
||||
method: 'POST',
|
||||
credentials: 'same-origin',
|
||||
headers: {
|
||||
'Content-Type': 'application/json',
|
||||
'X-CSRF-Token': window.CSRF_TOKEN
|
||||
},
|
||||
body: JSON.stringify({ key, value })
|
||||
});
|
||||
// Batch save all preferences in one request
|
||||
const response = await fetch('/api/user_preferences.php', {
|
||||
method: 'POST',
|
||||
credentials: 'same-origin',
|
||||
headers: {
|
||||
'Content-Type': 'application/json',
|
||||
'X-CSRF-Token': window.CSRF_TOKEN
|
||||
},
|
||||
body: JSON.stringify({ preferences: prefs })
|
||||
});
|
||||
|
||||
const result = await response.json();
|
||||
if (!result.success) {
|
||||
throw new Error(`Failed to save ${key}`);
|
||||
}
|
||||
const result = await response.json();
|
||||
if (!result.success) {
|
||||
throw new Error('Failed to save preferences');
|
||||
}
|
||||
|
||||
if (typeof toast !== 'undefined') {
|
||||
|
||||
@@ -1,22 +1,3 @@
|
||||
// XSS prevention helper
|
||||
function escapeHtml(text) {
|
||||
const div = document.createElement('div');
|
||||
div.textContent = text;
|
||||
return div.innerHTML;
|
||||
}
|
||||
|
||||
// Get ticket ID from URL (handles both /ticket/123 and ?id=123 formats)
|
||||
function getTicketIdFromUrl() {
|
||||
// Try new URL format first: /ticket/123456789
|
||||
const pathMatch = window.location.pathname.match(/\/ticket\/(\d+)/);
|
||||
if (pathMatch) {
|
||||
return pathMatch[1];
|
||||
}
|
||||
// Fall back to query param: ?id=123456789
|
||||
const params = new URLSearchParams(window.location.search);
|
||||
return params.get('id');
|
||||
}
|
||||
|
||||
/**
|
||||
* Toggle visibility groups field based on visibility selection
|
||||
*/
|
||||
|
||||
@@ -30,11 +30,22 @@ function displayToast(message, type, duration) {
|
||||
warning: '⚠'
|
||||
};
|
||||
|
||||
toast.innerHTML = `
|
||||
<span class="toast-icon">[${icons[type] || 'ℹ'}]</span>
|
||||
<span class="toast-message">${message}</span>
|
||||
<span class="toast-close" style="margin-left: auto; cursor: pointer; opacity: 0.7; padding-left: 1rem;">[×]</span>
|
||||
`;
|
||||
const iconSpan = document.createElement('span');
|
||||
iconSpan.className = 'toast-icon';
|
||||
iconSpan.textContent = `[${icons[type] || 'ℹ'}]`;
|
||||
|
||||
const msgSpan = document.createElement('span');
|
||||
msgSpan.className = 'toast-message';
|
||||
msgSpan.textContent = message;
|
||||
|
||||
const closeSpan = document.createElement('span');
|
||||
closeSpan.className = 'toast-close';
|
||||
closeSpan.style.cssText = 'margin-left: auto; cursor: pointer; opacity: 0.7; padding-left: 1rem;';
|
||||
closeSpan.textContent = '[×]';
|
||||
|
||||
toast.appendChild(iconSpan);
|
||||
toast.appendChild(msgSpan);
|
||||
toast.appendChild(closeSpan);
|
||||
|
||||
// Add to document
|
||||
document.body.appendChild(toast);
|
||||
|
||||
14
assets/js/utils.js
Normal file
14
assets/js/utils.js
Normal file
@@ -0,0 +1,14 @@
|
||||
// XSS prevention helper
|
||||
function escapeHtml(text) {
|
||||
const div = document.createElement('div');
|
||||
div.textContent = text;
|
||||
return div.innerHTML;
|
||||
}
|
||||
|
||||
// Get ticket ID from URL (handles both /ticket/123 and ?id=123 formats)
|
||||
function getTicketIdFromUrl() {
|
||||
const pathMatch = window.location.pathname.match(/\/ticket\/(\d+)/);
|
||||
if (pathMatch) return pathMatch[1];
|
||||
const params = new URLSearchParams(window.location.search);
|
||||
return params.get('id');
|
||||
}
|
||||
Reference in New Issue
Block a user