Security fixes and schema cleanup

- Fix SQL injection in displayprofile.asp (parameterized query)
- Add HTMLEncode to XSS-vulnerable output in 5 display pages
- Add Option Explicit to computers.asp, displaymachines.asp, displaypcs.asp, displayapplication.asp, displayprofile.asp
- Update STANDARDS.md with test script reference, secrets management, column naming gotchas
- Fix equipment type ranges in CLAUDE.md and QUICK_REFERENCE.md (1-15, 21-25)
- Add migration SQL to clean up redundant PC machinetypes (34-46)

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
cproudlock
2025-12-12 07:22:16 -05:00
parent 693789138d
commit e0d89f9957
9 changed files with 258 additions and 57 deletions


@@ -1,6 +1,10 @@
<%@ Language=VBScript %>
<%
Option Explicit
%>
<!--#include file="./includes/sql.asp"-->
<%
Dim appid
Dim appid, rs
appid = Request.Querystring("appid")
' Basic validation - must be numeric and positive
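Review bot: the `Option Explicit` block is correctly the first script statement on the page (before the `#include`), but it turns every undeclared variable into a runtime error, and the only declarations visible in this hunk are `Dim appid, rs`; confirm that the rest of displayapplication.asp declares every other variable it uses, otherwise the page now fails on first load instead of silently working. The trailing `' Basic validation - must be numeric and positive` comment is the right place to reject a non-numeric `appid`, but make sure that check actually ends the request (for example with `Response.End`) before `rs` is opened, rather than only writing a message and continuing.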
@@ -59,10 +63,10 @@
<div class="col-lg-4">
<div class="card profile-card-2">
<div class="card-img-block">
<img class="img-fluid" src="./images/applications/<%Response.Write(rs("image"))%>" alt="Card image cap">
<img class="img-fluid" src="./images/applications/<%=Server.HTMLEncode(rs("image") & "")%>" alt="Card image cap">
</div>
<div class="card-body pt-5">
<img src="./images/applications/<%Response.Write(rs("image"))%>" alt="profile-image" class="profile">
<img src="./images/applications/<%=Server.HTMLEncode(rs("image") & "")%>" alt="profile-image" class="profile">
<h5 class="card-title"></h5>
<p class="card-text"><a href="" title="Click to Access Support Docs" target="_blank"></a></p>
</div>
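Review bot: `Server.HTMLEncode(rs("image") & "")` is the right fix for a value inside a double-quoted attribute, and the `& ""` usefully keeps `HTMLEncode` from raising on a Null column, but it only neutralises HTML-special characters; the value is still spliced into a path under `./images/applications/`, so the filename stored in `rs("image")` should also be validated against a simple allowlist (letters, digits, dot, dash, underscore) or looked up from a fixed set before it is rendered, so that a bad database row cannot make the two `<img>` tags in this hunk reference something other than an image in that directory. Unrelated but visible in the context lines: `<h5 class="card-title"></h5>` and `<a href="" ...>` are empty and look like leftovers.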
@@ -85,7 +89,7 @@
</ul>
<div class="tab-content p-3">
<div class="tab-pane active" id="profile">
<h5 class="mb-3"><%Response.Write(rs("appname"))%></h5>
<h5 class="mb-3"><%=Server.HTMLEncode(rs("appname") & "")%></h5>
<div class="row">
<div class="col-md-3">
<p class="mb-2"><strong>Support Team:</strong></p>
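Review bot: the `appname` change is consistent with the image fix above, but `<%=Server.HTMLEncode(x & "")%>` is now repeated by hand across five pages; a one-line helper in `includes/sql.asp` (a suggestion, not something in the diff), e.g. `Function H(v): H = Server.HTMLEncode(v & ""): End Function`, would let every output site use `<%=H(rs("field"))%>` and could not forget the Null guard. The `<strong>Support Team:</strong>` label in the trailing context suggests further recordset fields are written just below this hunk; verify each of them was converted too, since the header shows only a single changed line here.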