Fixed issue #6066: File upload fails if single oder double quotes are…
… used
c-schmitz committed Jul 27, 2012
1 parent 85598c9 commit 2fd2167
Showing 2 changed files with 22 additions and 6 deletions.
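--- a/application/helpers/expressions/em_manager_helper.php
+++ b/application/helpers/expressions/em_manager_helper.php
@@ -4554,6 +4554,12 @@ private function _UpdateValuesInDatabase($updatedValues, $finished=false)
 }
 // otherwise will already be in yyyy-mm-dd format after ProcessCurrentResponses()
 break;
+case '|': //File upload
+// This block can be removed once we require 5.3 or later
+if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
+$val=addslashes($val);
+}
+break;
 case 'N': //NUMERICAL QUESTION TYPE
 case 'K': //MULTIPLE NUMERICAL QUESTION
 if (trim($val)=='') {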
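Review bot: The comment on the new `case '|'` branch names the wrong cut-off and does not say why slashes are re-added. magic_quotes_gpc is only deprecated in PHP 5.3 and can still be enabled there; `get_magic_quotes_gpc()` stops returning true from 5.4. Presumably the file-upload answer is JSON whose `\"` escapes were stripped from the request input earlier, so I would write `// Upload answers are JSON: restore the backslashes stripped from GPC input when magic_quotes_gpc is on. Removable once PHP >= 5.4 is required.` Separately, `addslashes()` here should not be relied on as the SQL escaping for `$val`. The write later in `_UpdateValuesInDatabase`, which is outside this hunk, still needs to quote or bind the value through the database layer.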
22 changes: 16 additions & 6 deletions scripts/uploader.js
Expand Up @@ -28,11 +28,11 @@ $(document).ready(function(){

previewblock += "</td>";
if ($('#'+fieldname+'_show_title').val() == 1 && $('#'+fieldname+'_show_comment').val() == 1)
previewblock += "<td align='center'><label>"+translt.titleFld+"</label><br /><br /><label>"+translt.commentFld+"</label></td><td align='center'><input type='text' value='"+json[i-1].title+"' id='"+fieldname+"_title_"+i+"' /><br /><br /><input type='text' value='"+json[i-1].comment+"' id='"+fieldname+"_comment_"+i+"' /></td>";
previewblock += "<td align='center'><label>"+translt.titleFld+"</label><br /><br /><label>"+translt.commentFld+"</label></td><td align='center'><input type='text' value='"+escapeHtml(json[i-1].title)+"' id='"+fieldname+"_title_"+i+"' /><br /><br /><input type='text' value='"+escapeHtml(json[i-1].comment)+"' id='"+fieldname+"_comment_"+i+"' /></td>";
else if ($('#'+fieldname+'_show_title').val() == 1)
previewblock += "<td align='center'><label>"+translt.titleFld+"</label></td><td align='center'><input type='text' value='"+json[i-1].title+"' id='"+fieldname+"_title_"+i+"' /></td>";
previewblock += "<td align='center'><label>"+translt.titleFld+"</label></td><td align='center'><input type='text' value='"+escapeHtml(json[i-1].title)+"' id='"+fieldname+"_title_"+i+"' /></td>";
else if ($('#'+fieldname+'_show_comment').val() == 1)
previewblock += "<td align='center'><label>"+translt.commentFld+"</label></td><td align='center'><input type='text' value='"+json[i-1].comment+"' id='"+fieldname+"_comment_"+i+"' /></td>";
previewblock += "<td align='center'><label>"+translt.commentFld+"</label></td><td align='center'><input type='text' value='"+escapeHtml(json[i-1].comment)+"' id='"+fieldname+"_comment_"+i+"' /></td>";

previewblock += "<td align='center' width='20%' ><img style='cursor:pointer' src='"+imageurl+"delete.png' onclick='deletefile(\""+fieldname+"\", "+i+")' /></td></tr></table>"+
"<input type='hidden' id='"+fieldname+"_size_" +i+"' value="+json[i-1].size+" />"+
Expand Down Expand Up @@ -202,17 +202,17 @@ function passJSON(fieldname, show_title, show_comment, pos) {
var i = 1;
while (i <= licount)
{

if ($("#"+fieldname+"_li_"+i).is(':visible'))
{
if (filecount > 0)
json += ",";
json += '{';

if ($("#"+fieldname+"_show_title").val() == 1)
json += '"title":"' +$("#"+fieldname+"_title_" +i).val()+'",';
json += '"title":"' +$("#"+fieldname+"_title_" +i).val().replace(/"/g, '\"')+'",';
if ($("#"+fieldname+"_show_comment").val() == 1)
json += '"comment":"'+$("#"+fieldname+"_comment_"+i).val()+'",';
json += '"comment":"'+$("#"+fieldname+"_comment_"+i).val().replace(/"/g, '\"')+'",';
json += '"size":"' +$("#"+fieldname+"_size_" +i).val()+'",'+
'"name":"' +$("#"+fieldname+"_name_" +i).val()+'",'+
'"filename":"' +$("#"+fieldname+"_filename_" +i).val()+'",'+
Expand Down Expand Up @@ -297,3 +297,13 @@ function deletefile(fieldname, count) {
xmlhttp.open('GET',uploadurl+'/delete/1/fieldname/'+fieldname+'/filename/'+filename+'/name/'+encodeURI(name), true);
xmlhttp.send();
}


function escapeHtml(unsafe) {
return unsafe
.replace(/&/g, "&amp;")
.replace(/</g, "&lt;")
.replace(/>/g, "&gt;")
.replace(/"/g, "&quot;")
.replace(/'/g, "&#039;");
}
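Review bot: In `passJSON` the added `.replace(/"/g, '\"')` is a no-op as shown, because inside a single-quoted JavaScript string `'\"'` is just `"`, so a double quote in a title or comment still ends the hand-built JSON string early (a backslash may have been lost in this rendering, so check the file). Even with `'\\"'`, backslashes and line breaks in the value stay unescaped, and `size`, `name` and `filename` are concatenated without any escaping. Building each value with `JSON.stringify` covers all of these, for example `json += '"title":' + JSON.stringify($("#"+fieldname+"_title_"+i).val()) + ',';`. In the new `escapeHtml`, a missing `title` or `comment` would throw on `.replace`, so `String(unsafe == null ? '' : unsafe)` before the chain would make the preview more robust. `passJSON` and the `$(document).ready` handler both continue outside their hunks, and the server that decodes this JSON should still validate every field.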
