Fixes #2036: using htmlspecialchars in output views

git-svn-id: http://code.elgg.org/elgg/trunk@7368 36083f99-b078-4883-b0ff-0f9b5a30f544
Elgg · Nov 20, 2010 · 9f41e8b · 9f41e8b
1 parent a906ef7
commit 9f41e8b
Show file tree

Hide file tree

Showing 9 changed files with 11 additions and 11 deletions.
diff --git a/views/default/output/calendar.php b/views/default/output/calendar.php
@@ -13,5 +13,5 @@
 if (is_int($vars['value'])) {
 	echo date("F j, Y", $vars['value']);
 } else {
-	echo htmlentities($vars['value'], ENT_QUOTES, 'UTF-8');
+	echo htmlspecialchars($vars['value'], ENT_QUOTES, 'UTF-8');
 }
diff --git a/views/default/output/confirmlink.php b/views/default/output/confirmlink.php
@@ -26,4 +26,4 @@
 	$class = '';
 }
 ?>
-<a href="<?php echo $link; ?>" <?php echo $class; ?> onclick="return confirm('<?php echo addslashes($confirm); ?>');"><?php echo htmlentities($vars['text'], ENT_QUOTES, 'UTF-8'); ?></a>
+<a href="<?php echo $link; ?>" <?php echo $class; ?> onclick="return confirm('<?php echo addslashes($confirm); ?>');"><?php echo htmlspecialchars($vars['text'], ENT_QUOTES, 'UTF-8'); ?></a>
diff --git a/views/default/output/email.php b/views/default/output/email.php
@@ -11,5 +11,5 @@
  */
 
 if (!empty($vars['value'])) {
-	echo "<a href=\"mailto:" . $vars['value'] . "\">". htmlentities($vars['value'], ENT_QUOTES, 'UTF-8') ."</a>";
+	echo "<a href=\"mailto:" . $vars['value'] . "\">". htmlspecialchars($vars['value'], ENT_QUOTES, 'UTF-8') ."</a>";
 }
diff --git a/views/default/output/friendlytime.php b/views/default/output/friendlytime.php
@@ -7,6 +7,6 @@
  */
 
 $friendly_time = elgg_get_friendly_time($vars['time']);
-$timestamp = htmlentities(date(elgg_echo('friendlytime:date_format'), $vars['time']));
+$timestamp = htmlspecialchars(date(elgg_echo('friendlytime:date_format'), $vars['time']));
 
 echo "<acronym title=\"$timestamp\">$friendly_time</acronym>";
diff --git a/views/default/output/pulldown.php b/views/default/output/pulldown.php
@@ -10,4 +10,4 @@
  *
  */
 
-echo htmlentities($vars['value'], ENT_QUOTES, 'UTF-8'); //$vars['value'];
+echo htmlspecialchars($vars['value'], ENT_QUOTES, 'UTF-8'); //$vars['value'];
diff --git a/views/default/output/tagcloud.php b/views/default/output/tagcloud.php
@@ -58,7 +58,7 @@
 			$size = 100;
 		}
 		$url = elgg_get_site_url()."pg/search/?q=". urlencode($tag->tag) . "&search_type=tags$type$subtype";
-		$list .= "<a href=\"$url\" style=\"font-size: $size%\" title=\"".addslashes($tag->tag)." ($tag->total)\" style=\"text-decoration:none;\">" . htmlentities($tag->tag, ENT_QUOTES, 'UTF-8') . "</a>";
+		$list .= "<a href=\"$url\" style=\"font-size: $size%\" title=\"".addslashes($tag->tag)." ($tag->total)\" style=\"text-decoration:none;\">" . htmlspecialchars($tag->tag, ENT_QUOTES, 'UTF-8') . "</a>";
 	}
 
 	$cloud .= "$list</div>";

diff --git a/views/default/output/tags.php b/views/default/output/tags.php
@@ -43,7 +43,7 @@
 			$type = "";
 		}
 		if (is_string($tag)) {
-			$tagstr .= "<a rel=\"tag\" href=\"".elgg_get_site_url()."pg/search/?q=".urlencode($tag) . "&search_type=tags{$type}{$subtype}{$object}\">" . htmlentities($tag, ENT_QUOTES, 'UTF-8') . "</a>";
+			$tagstr .= "<a rel=\"tag\" href=\"".elgg_get_site_url()."pg/search/?q=".urlencode($tag) . "&search_type=tags{$type}{$subtype}{$object}\">" . htmlspecialchars($tag, ENT_QUOTES, 'UTF-8') . "</a>";
 		}
 	}
 	echo $tagstr;

diff --git a/views/default/output/text.php b/views/default/output/text.php
@@ -10,4 +10,4 @@
  *
  */
 
-echo htmlentities($vars['value'], ENT_QUOTES, 'UTF-8'); // $vars['value'];
+echo htmlspecialchars($vars['value'], ENT_QUOTES, 'UTF-8'); // $vars['value'];
diff --git a/views/default/output/url.php b/views/default/output/url.php
@@ -7,7 +7,7 @@
  * @subpackage Core
  *
  * @uses string $vars['text']        The string between the <a></a> tags.
- * @uses bool   $vars['encode_text'] Run $vars['text'] through htmlentities()?
+ * @uses bool   $vars['encode_text'] Run $vars['text'] through htmlspecialchars()?
  * @uses bool   $vars['is_action']   Is this a link to an action?
  *
  */
@@ -21,14 +21,14 @@
 if (!empty($url)) {
 	if (isset($vars['text'])) {
 		if (isset($vars['encode_text']) && $vars['encode_text']) {
-			$text = htmlentities($vars['text'], ENT_QUOTES, 'UTF-8');
+			$text = htmlspecialchars($vars['text'], ENT_QUOTES, 'UTF-8');
 		} else {
 			$text = $vars['text'];
 		}
 
 		unset($vars['text']);
 	} else {
-		$text = htmlentities($url, ENT_QUOTES, 'UTF-8');
+		$text = htmlspecialchars($url, ENT_QUOTES, 'UTF-8');
 	}
 
 	unset($vars['encode_text']);