From efd26451ae5fb42d293f81f335c9959db4d3dca1 Mon Sep 17 00:00:00 2001
From: ja
Date: Wed, 22 Sep 2021 11:22:06 +0200
Subject: [PATCH] Weitere Absicherung gegen ScriptExploits
---
 Customers/CustomsAviso.aspx.vb | 20 ++++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)
diff --git a/Customers/CustomsAviso.aspx.vb b/Customers/CustomsAviso.aspx.vb
index abe9949..735c738 100644
--- a/Customers/CustomsAviso.aspx.vb
+++ b/Customers/CustomsAviso.aspx.vb
@@ -187,7 +187,7 @@ Partial Class Kundenbereich_Default
 If rbt_Alle.Selected = True Or rbt_Alle_M.Selected = True Then
 pickdate1.ValidateRequestMode = UI.ValidateRequestMode.Enabled
 pickdate2.ValidateRequestMode = UI.ValidateRequestMode.Enabled
- dt = VERAG_PROG_ALLGEMEIN.cAviso.GET_KDLIST_WEB(Art, Kdnrtext, {0, 1, 2, 3, 4, 5}, datevon, datebis, Absender, Empfaenger, LKWNR, KDNAFNR)
+ dt = VERAG_PROG_ALLGEMEIN.cAviso.GET_KDLIST_WEB(Server.HtmlEncode(Art), Server.HtmlEncode(Kdnrtext), {0, 1, 2, 3, 4, 5}, datevon, datebis, Server.HtmlEncode(Absender), Server.HtmlEncode(Empfaenger), Server.HtmlEncode(LKWNR), Server.HtmlEncode(KDNAFNR))
 If pickdate1.Text = Nothing Or pickdate2.Text = Nothing Then
 Dim erster = New Date(Now().Year, Now().Month, 1)
 Dim ersterdat = erster.Day.ToString + "." + Now().Month.ToString + "." + Now().Year.ToString
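Review bot: `Server.HtmlEncode` around the arguments of `GET_KDLIST_WEB` in the new `dt = ...` line applies an output encoding at the data-access boundary, which is the wrong layer for the risk the commit title names. HTML encoding is what makes a value safe when it is written into the page; it does not make a value safe for a SQL statement, so if `GET_KDLIST_WEB` builds its query by string concatenation (not visible here) that needs parameters inside the helper, and if it is already parameterized the encoding adds nothing. It also alters the data: a value such as `Absender` or `Empfaenger` containing `&`, `<` or `"` is now looked up as `&amp;`, `&lt;` or `&quot;` and will not match the stored rows, and if the result is encoded again on rendering the page shows double-encoded text. I would revert these wrappers to the plain arguments (`Art, Kdnrtext, ..., Absender, Empfaenger, LKWNR, KDNAFNR`) and encode where the values are rendered; the same applies to the `dt = ...` lines in the two hunks that follow. The enclosing method begins before this hunk and continues past it.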
@@ -198,14 +198,14 @@ Partial Class Kundenbereich_Default
 pickdate2.Text = Date.Parse(Now().Day.ToString + "." + Now().Month.ToString + "." + Now().Year.ToString).ToString
 Else
 Try
- datevon = Date.Parse(pickdate1.Text)
- datebis = Date.Parse(pickdate2.Text)
+ datevon = Date.Parse(Server.HtmlEncode(pickdate1.Text))
+ datebis = Date.Parse(Server.HtmlEncode(pickdate2.Text))
 Catch ex As Exception
 MsgBox(ex.StackTrace, MsgBoxStyle.Exclamation)
 End Try
 End If
 ElseIf rbt_Erf.Selected = True Or rbt_Erf_M.Selected = True Then
- dt = VERAG_PROG_ALLGEMEIN.cAviso.GET_KDLIST_WEB(Art, Kdnrtext, {0}, Nothing, Nothing, Absender, Empfaenger, LKWNR, KDNAFNR)
+ dt = VERAG_PROG_ALLGEMEIN.cAviso.GET_KDLIST_WEB(Server.HtmlEncode(Art), Server.HtmlEncode(Kdnrtext), {0}, Nothing, Nothing, Server.HtmlEncode(Absender), Server.HtmlEncode(Empfaenger), Server.HtmlEncode(LKWNR), Server.HtmlEncode(KDNAFNR))
 ElseIf rbt_Freig.Selected = True Or rbt_Freig_M.Selected = True Then
 pickdate1.ValidateRequestMode = UI.ValidateRequestMode.Enabled
 pickdate2.ValidateRequestMode = UI.ValidateRequestMode.Enabled
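Review bot: Wrapping the picker text in `Server.HtmlEncode` before `Date.Parse` in the two `datevon`/`datebis` lines adds no protection: for the dotted numeric dates this page itself builds (`Day.ToString + "." + ...`) the encoder has nothing to rewrite, and for anything else it can only turn a value the parser would have accepted (a culture-specific month name with an umlaut, for instance) into one that throws, so the net effect is more inputs landing in the `Catch`, not a safer parse. The robust form for these fields is to parse without exceptions and with an explicit culture, e.g. `If Not Date.TryParse(pickdate1.Text, CultureInfo.CurrentCulture, DateTimeStyles.None, datevon) Then ... End If` (with `Imports System.Globalization`), reporting the invalid date through a page validator rather than the `MsgBox(ex.StackTrace, ...)` handler, which in server-side page code presumably never reaches the browser. The same two lines appear again in the next hunk. The `Try`/`If` structure is visible here but the method itself starts and ends outside the hunk.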
@@ -219,21 +219,21 @@ Partial Class Kundenbereich_Default pickdate2.Text = Date.Parse(Now().Day.ToString + "." + Now().Month.ToString + "." + Now().Year.ToString).ToString Else Try - datevon = Date.Parse(pickdate1.Text) + datevon = Date.Parse(Server.HtmlEncode(pickdate1.Text)) 'MsgBox(pickdate1.Text) - datebis = Date.Parse(pickdate2.Text) + datebis = Date.Parse(Server.HtmlEncode(pickdate2.Text)) ' MsgBox(pickdate2.Text) - dt = VERAG_PROG_ALLGEMEIN.cAviso.GET_KDLIST_WEB(Art, Kdnrtext, {1}, datevon, datebis, Absender, Empfaenger, LKWNR, KDNAFNR) + dt = VERAG_PROG_ALLGEMEIN.cAviso.GET_KDLIST_WEB(Server.HtmlEncode(Art), Server.HtmlEncode(Kdnrtext), {1}, datevon, datebis, Server.HtmlEncode(Absender), Server.HtmlEncode(Empfaenger), Server.HtmlEncode(LKWNR), Server.HtmlEncode(KDNAFNR)) Catch ex As Exception MsgBox(ex.StackTrace, MsgBoxStyle.Exclamation) End Try End If ElseIf rbt_Ankunft.Selected = True Or rbt_Ankunft_M.Selected = True Then - dt = VERAG_PROG_ALLGEMEIN.cAviso.GET_KDLIST_WEB(Art, Kdnrtext, {3}, Nothing, Nothing, Absender, Empfaenger, LKWNR, KDNAFNR) + dt = VERAG_PROG_ALLGEMEIN.cAviso.GET_KDLIST_WEB(Server.HtmlEncode(Art), Server.HtmlEncode(Kdnrtext), {3}, Nothing, Nothing, Server.HtmlEncode(Absender), Server.HtmlEncode(Empfaenger), Server.HtmlEncode(LKWNR), Server.HtmlEncode(KDNAFNR)) ElseIf rbt_Vorb.Selected = True Or rbt_Vorb_M.Selected = True Then - dt = VERAG_PROG_ALLGEMEIN.cAviso.GET_KDLIST_WEB(Art, Kdnrtext, {4}, Nothing, Nothing, Absender, Empfaenger, LKWNR, KDNAFNR) + dt = VERAG_PROG_ALLGEMEIN.cAviso.GET_KDLIST_WEB(Server.HtmlEncode(Art), Server.HtmlEncode(Kdnrtext), {4}, Nothing, Nothing, Server.HtmlEncode(Absender), Server.HtmlEncode(Empfaenger), Server.HtmlEncode(LKWNR), Server.HtmlEncode(KDNAFNR)) ElseIf rbt_Vorg.Selected = True Or rbt_Vorg_M.Selected = True Then - dt = VERAG_PROG_ALLGEMEIN.cAviso.GET_KDLIST_WEB(Art, Kdnrtext, {5}, Nothing, Nothing, Absender, Empfaenger, LKWNR, KDNAFNR) + dt = 
VERAG_PROG_ALLGEMEIN.cAviso.GET_KDLIST_WEB(Server.HtmlEncode(Art), Server.HtmlEncode(Kdnrtext), {5}, Nothing, Nothing, Server.HtmlEncode(Absender), Server.HtmlEncode(Empfaenger), Server.HtmlEncode(LKWNR), Server.HtmlEncode(KDNAFNR)) End If If dt IsNot Nothing AndAlso Not dt.Rows.Count = 0 Then