Merge pull request #477 from kokx/hotfix/activity-xss

Removed XSS attack vectors in activity module
GEWIS · Feb 4, 2016 · 69eb30d · 69eb30d
2 parents c25caec + ee9fe3c
commit 69eb30d
Show file tree

Hide file tree

Showing 7 changed files with 30 additions and 34 deletions.
diff --git a/module/Activity/view/activity/activity/list.phtml b/module/Activity/view/activity/activity/list.phtml
@@ -12,12 +12,12 @@
                 <div class="col-md-12">
                     <h4>
                         <a href="<?php echo $this->url((isset($admin) ? 'admin_activity' : 'activity'). '/view', ['id' => $activity->getId()])?>">
-                            <?= $activity->getName() ?>
+                            <?= $this->escapeHtml($activity->getName()) ?>
                         </a>
                     </h4>
                 </div>
                 <div class="col-md-8">
-                    <p><?= $activity->getDescription() ?></p>
+                    <p><?= $this->escapeHtml($activity->getDescription()) ?></p>
                 </div>
                 <div class="col-md-4">
                     <dl>
@@ -28,13 +28,13 @@
                         <dd><?= $activity->getEndTime()->format('l d M Y H:i') ?></dd>
 
                         <dt><?= $this->translate('Location') ?></dt>
-                        <dd><?= $activity->getLocation(); ?></dd>
+                        <dd><?= $this->escapeHtml($activity->getLocation()) ?></dd>
 
                         <dt><?= $this->translate('Subscribe before') ?></dt>
                         <dd><?= $activity->getSubscriptionDeadline()->format('l d M Y H:i:s') ?></dd>
 
                         <dt><?= $this->translate('Costs') ?></dt>
-                        <dd><?= $this->translate((string)$activity->getCosts()) ?></dd>
+                        <dd><?= $this->escapeHtml($activity->getCosts()) ?></dd>
                     </dl>
                 </div>
             </div>

diff --git a/module/Activity/view/activity/activity/view.phtml b/module/Activity/view/activity/activity/view.phtml
@@ -1,7 +1,7 @@
 <?php $lang = $this->plugin('translate')->getTranslator()->getLocale();
 
 // set title
-$this->headTitle($activity->getName());
+$this->headTitle($this->escapeHtml($activity->getName()));
 $this->headTitle($this->translate('Activities')); ?>
 
 
@@ -15,7 +15,7 @@ $this->headTitle($this->translate('Activities')); ?>
                 </a>
             </li>
             <li class="active">
-                <?= $activity->getName() ?>
+                <?= $this->escapeHtml($activity->getName()) ?>
             </li>
         </ol>
     </div>
@@ -31,7 +31,7 @@ $this->headTitle($this->translate('Activities')); ?>
 <?php endif;?>
 
 <div class="container">
-    <h1><?= $activity->getName() ?></h1>
+    <h1><?= $this->escapeHtml($activity->getName()) ?></h1>
     <ul class="list-group">
         <li class="list-group-item agenda-item row">
             <div class="agenda-item-heading col-md-2">
@@ -43,7 +43,7 @@ $this->headTitle($this->translate('Activities')); ?>
             <div class="agenda-item-body col-md-10">
                 <div class="row">
                     <div class="col-md-8">
-                        <p><?= nl2br($activity->getDescription()) ?></p>
+                        <p><?= nl2br($this->escapeHtml($activity->getDescription())) ?></p>
                     </div>
                     <div class="col-md-4">
                         <dl>
@@ -54,13 +54,13 @@ $this->headTitle($this->translate('Activities')); ?>
                             <dd><?= $activity->getEndTime()->format('l d M Y H:i') ?></dd>
 
                             <dt><?= $this->translate('Location') ?></dt>
-                            <dd><?= $activity->getLocation(); ?></dd>
+                            <dd><?= $this->escapeHtml($activity->getLocation()) ?></dd>
 
                             <dt><?= $this->translate('Subscribe before') ?></dt>
                             <dd><?= $activity->getSubscriptionDeadline()->format('l d M Y H:i:s') ?></dd>
 
                             <dt><?= $this->translate('Costs') ?></dt>
-                            <dd><?= $this->translate((string)$activity->getCosts()) ?></dd>
+                            <dd><?= $this->escapeHtml($activity->getCosts()) ?></dd>
 
                         </dl>
                     </div>
@@ -69,10 +69,6 @@ $this->headTitle($this->translate('Activities')); ?>
         </li>
     </ul>
 
-    <!--<div class="col-md-4"><?php /*echo $activity->getId();*/?></div>
-        <div class="col-md-8"><?php /*echo $activity->getCanSignUp() ? $this->translate("Yes") : $this->translate("No"); */?></div>
-        <div class="col-md-8"><?php /*echo $activity->getOnlyGEWIS() ? $this->translate("Yes") : $this->translate("No"); */?></div>-->
-
     <?php if ($activity->getCanSignUp()): ?>
         <h2>
             <?= $this->translate('Current subscriptions') ?>
@@ -84,7 +80,7 @@ $this->headTitle($this->translate('Activities')); ?>
                         <th></th>
                         <th><?= $this->translate('Name') ?> </th>
                         <?php foreach($fields as $field):?>
-                            <th><?= $field->getName() ?></th>
+                            <th><?= $this->escapeHtml($field->getName()) ?></th>
                         <?php endforeach;?>
                     </tr>
                 </thead>
@@ -133,7 +129,7 @@ $this->headTitle($this->translate('Activities')); ?>
             <table>
                 <?php foreach($fields as $field):?>
                 <tr>
-                    <td><?= $field->getName() ?>:</td>
+                    <td><?= $this->escapeHtml($field->getName()) ?>:</td>
                     <td><?= $this->formRow($form->get($field->getId())) ?></td>
                 </tr>
                 <?php endforeach;?>

diff --git a/module/Activity/view/activity/admin/view.phtml b/module/Activity/view/activity/admin/view.phtml
@@ -4,12 +4,12 @@
         <?php $i=0; ?>
         <div style="<?php if($i%2==0){echo("background:#CCCCCC");}$i++; ?>" class="row">
             <div class="col-md-4"><?php echo $this->translate('Id'); ?></div>
-            <div class="col-md-4"><?php echo $activity->getId();?></div>
+            <div class="col-md-4"><?php echo $this->escapeHtml($activity->getId());?></div>
         </div>
         <div style="<?php if($i%2==0){echo("background:#CCCCCC");}$i++; ?>" class="row">
             <div class="col-md-4"><?php echo $this->translate('Name'); ?></div>
-            <div class="col-md-4"><?php echo $activity->getName();?></div>
-            <div class="col-md-4"><?php echo $activity->getNameEn();?></div>
+            <div class="col-md-4"><?php echo $this->escapeHtml($activity->getName());?></div>
+            <div class="col-md-4"><?php echo $this->escapeHtml($activity->getNameEn());?></div>
         </div>
         <div style="<?php if($i%2==0){echo("background:#CCCCCC");}$i++; ?>" class="row">
             <div class="col-md-4"><?php echo $this->translate('Start time'); ?></div>
@@ -21,13 +21,13 @@
         </div>
         <div style="<?php if($i%2==0){echo("background:#CCCCCC");}$i++; ?>" class="row">
             <div class="col-md-4"><?php echo $this->translate('Location'); ?></div>
-            <div class="col-md-4"><?php echo $activity->getLocation(); ?></div>
-            <div class="col-md-4"><?php echo $activity->getLocationEn(); ?></div>
+            <div class="col-md-4"><?php echo $this->escapeHtml($activity->getLocation()); ?></div>
+            <div class="col-md-4"><?php echo $this->escapeHtml($activity->getLocationEn()); ?></div>
         </div>
         <div style="<?php if($i%2==0){echo("background:#CCCCCC");}$i++; ?>" class="row">
             <div class="col-md-4"><?php echo $this->translate('Costs'); ?></div>
-            <div class="col-md-4"><?php echo $activity->getCosts(); ?></div>
-            <div class="col-md-4"><?php echo $activity->getCostsEn(); ?></div>
+            <div class="col-md-4"><?php echo $this->escapeHtml($activity->getCosts()); ?></div>
+            <div class="col-md-4"><?php echo $this->escapeHtml($activity->getCostsEn()); ?></div>
         </div>
         <div style="<?php if($i%2==0){echo("background:#CCCCCC");}$i++; ?>" class="row">
             <div class="col-md-4"><?php echo $this->translate('Subscribe'); ?></div>
@@ -75,4 +75,4 @@
             </div>
         <?php endif; ?>`
     </div>
-</div>
+</div>
diff --git a/module/Activity/view/activity/organizer/email.phtml b/module/Activity/view/activity/organizer/email.phtml
@@ -1,7 +1,7 @@
 <?php $lang = $this->plugin('translate')->getTranslator()->getLocale();
 
 // set title
-$this->headTitle($activity->getName());
+$this->headTitle($this->escapeHtml($activity->getName());
 $this->headTitle($this->translate('Activities')); ?>
 
 
@@ -15,15 +15,15 @@ $this->headTitle($this->translate('Activities')); ?>
                     </a>
                 </li>
                 <li class="active">
-                    <?= $activity->getName() ?>
+                    <?= $this->escapeHtml($activity->getName()) ?>
                 </li>
             </ol>
         </div>
     </section>
 <?php endif; ?>
 
 <div class="container">
-    <h1><?= $this->translate('Subscription email adresses for activity ') . ' ' . $activity->getName() ?></h1>
+    <h1><?= $this->translate('Subscription email adresses for activity ') . ' ' . $this->escapeHtml($activity->getName()) ?></h1>
 
     <table class="table">
         <thead>
@@ -56,4 +56,4 @@ $this->headTitle($this->translate('Activities')); ?>
             </td>
         </tfoot>
     </table>
-</div>
+</div>
diff --git a/module/Activity/view/activity/organizer/export.phtml b/module/Activity/view/activity/organizer/export.phtml
@@ -1,7 +1,7 @@
 <?php $lang = $this->plugin('translate')->getTranslator()->getLocale();
 
 // set title
-$this->headTitle($activity->getName());
+$this->headTitle($this->escapeHtml($activity->getName());
 $this->headTitle($this->translate('Activities')); ?>
 
 
@@ -15,7 +15,7 @@ $this->headTitle($this->translate('Activities')); ?>
                     </a>
                 </li>
                 <li class="active">
-                    <?= $activity->getName() ?>
+                    <?= $this->escapeHtml($activity->getName()) ?>
                 </li>
             </ol>
         </div>
@@ -29,4 +29,4 @@ $this->headTitle($this->translate('Activities')); ?>
     ]);?>
 
     <a href="<?= $this->url('organizer_activity/exportpdf', ['id' => $activity->getId()])?>"><?= $this->translate('Download as pdf');?></a>
-</div>
+</div>
diff --git a/module/Activity/view/activity/organizer/exportTable.phtml b/module/Activity/view/activity/organizer/exportTable.phtml
@@ -4,7 +4,7 @@
             <th></th>
             <th><?= $this->translate('Name') ?></th>
             <?php foreach ($activity->getFields() as $field): ?>
-                <th><?= $field->getName() ?></th>
+                <th><?= $this->escapeHtml($field->getName()) ?></th>
             <?php endforeach; ?>
         </tr>
     </thead>
@@ -20,4 +20,4 @@
         </tr>
     <?php endforeach;?>
     </tbody>
-</table>
+</table>
diff --git a/module/Activity/view/partial/field-fieldset.phtml b/module/Activity/view/partial/field-fieldset.phtml
@@ -90,4 +90,4 @@
             </div>
         </div>
     </div>
-</div>
+</div>