Fix for PHP5.4 - Set the char encoding parameter

http://forum.nucleuscms.org/viewtopic.php?p=100719#100719
NucleusCMS · Jul 12, 2014 · 3b394d4 · 3b394d4
1 parent f6145b1
commit 3b394d4
Show file tree

Hide file tree

Showing 5 changed files with 181 additions and 175 deletions.
diff --git a/createaccount.php b/createaccount.php
@@ -113,22 +113,22 @@
 
 		Login Name (required): 
 		<br />
-		<input name="name" size="32" maxlength="32" <?php if(isset($_POST['name'])){echo 'value="'.htmlspecialchars($_POST['name']).'"';}?>/> <small>(only a-z, 0-9)</small>
+		<input name="name" size="32" maxlength="32" <?php if(isset($_POST['name'])){echo 'value="'.htmlspecialchars($_POST['name'],ENT_QUOTES,_CHARSET).'"';}?>/> <small>(only a-z, 0-9)</small>
 		<br />
 		<br />		
 		Real Name (required): 
 		<br />
-		<input name="realname" size="40" <?php if(isset($_POST['realname'])){echo 'value="'.htmlspecialchars($_POST['realname']).'"';}?>/>
+		<input name="realname" size="40" <?php if(isset($_POST['realname'])){echo 'value="'.htmlspecialchars($_POST['realname'],ENT_QUOTES,_CHARSET).'"';}?>/>
 		<br />
 		<br />		
 		Email (required):
 		<br />
-		<input name="email" size="40" <?php if(isset($_POST['email'])){echo 'value="'.htmlspecialchars($_POST['email']).'"';}?>/> <small>(must be valid, because an activation link will be sent over there)</small>
+		<input name="email" size="40" <?php if(isset($_POST['email'])){echo 'value="'.htmlspecialchars($_POST['email'],ENT_QUOTES,_CHARSET).'"';}?>/> <small>(must be valid, because an activation link will be sent over there)</small>
 		<br />
 		<br />		
 		URL: 
 		<br />
-		<input name="url" size="60" <?php if(isset($_POST['url'])){echo 'value="'.htmlspecialchars($_POST['url']).'"';}?>/>
+		<input name="url" size="60" <?php if(isset($_POST['url'])){echo 'value="'.htmlspecialchars($_POST['url'],ENT_QUOTES,_CHARSET).'"';}?>/>
 		<br />
 		<?php
 		// add extra fields from plugin, like NP_Profile

diff --git a/nucleus/bookmarklet.php b/nucleus/bookmarklet.php
@@ -208,10 +208,10 @@ function bm_loginAndPassThrough() {
 	<form method="post" action="bookmarklet.php">
 	<p>
 		<input name="action" value="login" type="hidden" />
-		<input name="blogid" value="<?php echo htmlspecialchars($blogid); ?>" type="hidden" />
-		<input name="logtext" value="<?php echo htmlspecialchars($log_text); ?>" type="hidden" />
-		<input name="loglink" value="<?php echo htmlspecialchars($log_link); ?>" type="hidden" />
-		<input name="loglinktitle" value="<?php echo htmlspecialchars($log_linktitle); ?>" type="hidden" />
+		<input name="blogid" value="<?php echo htmlspecialchars($blogid,ENT_QUOTES,_CHARSET); ?>" type="hidden" />
+		<input name="logtext" value="<?php echo htmlspecialchars($log_text,ENT_QUOTES,_CHARSET); ?>" type="hidden" />
+		<input name="loglink" value="<?php echo htmlspecialchars($log_link,ENT_QUOTES,_CHARSET); ?>" type="hidden" />
+		<input name="loglinktitle" value="<?php echo htmlspecialchars($log_linktitle,ENT_QUOTES,_CHARSET); ?>" type="hidden" />
 		<?php echo _LOGINFORM_NAME ?>:
 		<br /><input name="login" />
 		<br /><?php echo _LOGINFORM_PWD ?>:
@@ -245,19 +245,19 @@ function bm_doShowForm() {
 	$logje = '';
 
 	if ($log_text) {
-		$logje .= '<blockquote><div>"' . htmlspecialchars($log_text) . '"</div></blockquote>' . "\n";
+		$logje .= '<blockquote><div>"' . htmlspecialchars($log_text,ENT_QUOTES,_CHARSET) . '"</div></blockquote>' . "\n";
 	}
 
 	if (!$log_linktitle) {
 		$log_linktitle = $log_link;
 	}
 
 	if ($log_link) {
-		$logje .= '<a href="' . htmlspecialchars($log_link) . '">' . htmlspecialchars($log_linktitle) . '</a>';
+		$logje .= '<a href="' . htmlspecialchars($log_link,ENT_QUOTES,_CHARSET) . '">' . htmlspecialchars($log_linktitle,ENT_QUOTES,_CHARSET) . '</a>';
 	}
 
 	$item['body'] = $logje;
-	$item['title'] = htmlspecialchars($log_linktitle);
+	$item['title'] = htmlspecialchars($log_linktitle,ENT_QUOTES,_CHARSET);
 
 	$factory = new PAGEFACTORY($blogid);
 	$factory->createAddForm('bookmarklet', $item);

diff --git a/nucleus/documentation/history.html b/nucleus/documentation/history.html
@@ -27,6 +27,12 @@ <h1>Version History</h1>
 </p>
 
 <ul>
+	<li>
+		<strong>Nucleus v3.66 (April 10,2013)</strong>
+		<ul>
+			<li>FIX: Make sure we set the character encoding parameter in calls to htmlspecialchars and htmlentities. (ftruscot).</li>
+		</ul>
+	</li>
 	<li>
 		<strong>Nucleus v3.65 (March 30,2013)</strong>
 		<ul>

diff --git a/nucleus/libs/ACTIONS.php b/nucleus/libs/ACTIONS.php
@@ -260,10 +260,10 @@ function _ifAdmin($blogName = '') {
 	 */
 	function _link($url, $linktext = '')
 	{
-		$u = htmlspecialchars($url);
+		$u = htmlspecialchars($url,ENT_QUOTES,_CHARSET);
 		$u = preg_replace("/&amp;amp;/",'&amp;',$u); // fix URLs that already had encoded ampersands
 		if ($linktext != '') 
-			$l = '<a href="' . $u .'">'.htmlspecialchars($linktext).'</a>';
+			$l = '<a href="' . $u .'">'.htmlspecialchars($linktext,ENT_QUOTES,_CHARSET).'</a>';
 		else
 			$l = $u;
 		return $l;
@@ -418,7 +418,7 @@ function _postBlogContent($type, &$blog) {
 	function parse_additemform() {
 		global $blog, $CONF;
 		$this->formdata = array(
-			'adminurl' => htmlspecialchars($CONF['AdminURL'],ENT_QUOTES),
+			'adminurl' => htmlspecialchars($CONF['AdminURL'],ENT_QUOTES,_CHARSET),
 			'catid' => $blog->getDefaultCategory()
 		);
 		$blog->InsertJavaScriptInfo();
@@ -579,19 +579,19 @@ function parse_blogsetting($which) {
 		global $blog;
 		switch($which) {
 			case 'id':
-				echo htmlspecialchars($blog->getID(),ENT_QUOTES);
+				echo htmlspecialchars($blog->getID(),ENT_QUOTES,_CHARSET);
 				break;
 			case 'url':
-				echo htmlspecialchars($blog->getURL(),ENT_QUOTES);
+				echo htmlspecialchars($blog->getURL(),ENT_QUOTES,_CHARSET);
 				break;
 			case 'name':
-				echo htmlspecialchars($blog->getName(),ENT_QUOTES);
+				echo htmlspecialchars($blog->getName(),ENT_QUOTES,_CHARSET);
 				break;
 			case 'desc':
-				echo htmlspecialchars($blog->getDescription(),ENT_QUOTES);
+				echo htmlspecialchars($blog->getDescription(),ENT_QUOTES,_CHARSET);
 				break;
 			case 'short':
-				echo htmlspecialchars($blog->getShortName(),ENT_QUOTES);
+				echo htmlspecialchars($blog->getShortName(),ENT_QUOTES,_CHARSET);
 				break;
 		}
 	}
@@ -698,7 +698,7 @@ function parse_commentform($destinationurl = '') {
 			// note: createLink returns an HTML encoded URL
 		} else {
 			// HTML encode URL
-			$destinationurl = htmlspecialchars($destinationurl,ENT_QUOTES);
+			$destinationurl = htmlspecialchars($destinationurl,ENT_QUOTES,_CHARSET);
 		}
 
 		// values to prefill
@@ -714,12 +714,12 @@ function parse_commentform($destinationurl = '') {
 
 		$this->formdata = array(
 			'destinationurl' => $destinationurl,	// url is already HTML encoded
-			'actionurl' => htmlspecialchars($actionurl,ENT_QUOTES),
+			'actionurl' => htmlspecialchars($actionurl,ENT_QUOTES,_CHARSET),
 			'itemid' => $itemid,
-			'user' => htmlspecialchars($user,ENT_QUOTES),
-			'userid' => htmlspecialchars($userid,ENT_QUOTES),
-			'email' => htmlspecialchars($email,ENT_QUOTES),
-			'body' => htmlspecialchars($body,ENT_QUOTES),
+			'user' => htmlspecialchars($user,ENT_QUOTES,_CHARSET),
+			'userid' => htmlspecialchars($userid,ENT_QUOTES,_CHARSET),
+			'email' => htmlspecialchars($email,ENT_QUOTES,_CHARSET),
+			'body' => htmlspecialchars($body,ENT_QUOTES,_CHARSET),
 			'membername' => $member->getDisplayName(),
 			'rememberchecked' => cookieVar($CONF['CookiePrefix'] .'comment_user')?'checked="checked"':''
 		);
@@ -758,7 +758,7 @@ function parse_comments($template) {
 	function parse_errordiv() {
 		global $errormessage;
 		if ($errormessage)
-			echo '<div class="error">', htmlspecialchars($errormessage),'</div>';
+			echo '<div class="error">', htmlspecialchars($errormessage,ENT_QUOTES,_CHARSET),'</div>';
 	}
 
 	/**
@@ -797,11 +797,11 @@ function parse_ifcat($text = '') {
 	function parse_image($what = 'imgtag') {
 		global $CONF;
 
-		$imagetext 	= htmlspecialchars(requestVar('imagetext'));
+		$imagetext 	= htmlspecialchars(requestVar('imagetext'),ENT_QUOTES,_CHARSET);
 		$imagepopup = requestVar('imagepopup');
 		$width 		= intRequestVar('width');
 		$height 	= intRequestVar('height');
-		$fullurl 	= htmlspecialchars($CONF['MediaURL'] . $imagepopup);
+		$fullurl 	= htmlspecialchars($CONF['MediaURL'] . $imagepopup,ENT_QUOTES,_CHARSET);
 
 		switch($what)
 		{
@@ -829,7 +829,7 @@ function parse_image($what = 'imgtag') {
 	 * Parse skinvar imagetext
 	 */
 	function parse_imagetext() {
-		echo htmlspecialchars(requestVar('imagetext'),ENT_QUOTES);
+		echo htmlspecialchars(requestVar('imagetext'),ENT_QUOTES,_CHARSET);
 	}
 
 	/**
@@ -880,7 +880,7 @@ function parse_itemtitle($format = '') {
 				echo $item['title'];
 				break;
 			default:
-				echo htmlspecialchars(strip_tags($item['title']),ENT_QUOTES);
+				echo htmlspecialchars(strip_tags($item['title']),ENT_QUOTES,_CHARSET);
 				break;
 		}
 	}
@@ -914,22 +914,22 @@ function parse_member($what) {
 
 			switch($what) {
 				case 'name':
-					echo htmlspecialchars($memberinfo->getDisplayName(),ENT_QUOTES);
+					echo htmlspecialchars($memberinfo->getDisplayName(),ENT_QUOTES,_CHARSET);
 					break;
 				case 'realname':
-					echo htmlspecialchars($memberinfo->getRealName(),ENT_QUOTES);
+					echo htmlspecialchars($memberinfo->getRealName(),ENT_QUOTES,_CHARSET);
 					break;
 				case 'notes':
-					echo htmlspecialchars($memberinfo->getNotes(),ENT_QUOTES);
+					echo htmlspecialchars($memberinfo->getNotes(),ENT_QUOTES,_CHARSET);
 					break;
 				case 'url':
-					echo htmlspecialchars($memberinfo->getURL(),ENT_QUOTES);
+					echo htmlspecialchars($memberinfo->getURL(),ENT_QUOTES,_CHARSET);
 					break;
 				case 'email':
-					echo htmlspecialchars($memberinfo->getEmail(),ENT_QUOTES);
+					echo htmlspecialchars($memberinfo->getEmail(),ENT_QUOTES,_CHARSET);
 					break;
 				case 'id':
-					echo htmlspecialchars($memberinfo->getID(),ENT_QUOTES);
+					echo htmlspecialchars($memberinfo->getID(),ENT_QUOTES,_CHARSET);
 					break;
 			}
 		}
@@ -984,13 +984,13 @@ function parse_membermailform($rows = 10, $cols = 40, $desturl = '') {
 		$frommail = postVar('frommail');
 
 		$this->formdata = array(
-			'url' => htmlspecialchars($desturl),
-			'actionurl' => htmlspecialchars($CONF['ActionURL'],ENT_QUOTES),
+			'url' => htmlspecialchars($desturl,ENT_QUOTES,_CHARSET),
+			'actionurl' => htmlspecialchars($CONF['ActionURL'],ENT_QUOTES,_CHARSET),
 			'memberid' => $memberid,
 			'rows' => $rows,
 			'cols' => $cols,
-			'message' => htmlspecialchars($message,ENT_QUOTES),
-			'frommail' => htmlspecialchars($frommail,ENT_QUOTES)
+			'message' => htmlspecialchars($message,ENT_QUOTES,_CHARSET),
+			'frommail' => htmlspecialchars($frommail,ENT_QUOTES,_CHARSET)
 		);
 		if ($member->isLoggedIn()) {
 			$this->doForm('membermailform-loggedin');
@@ -1037,7 +1037,7 @@ function parse_nextitemtitle($format = '') {
 				echo $itemtitlenext;
 				break;
 			default:
-				echo htmlspecialchars($itemtitlenext,ENT_QUOTES);
+				echo htmlspecialchars($itemtitlenext,ENT_QUOTES,_CHARSET);
 				break;
 		}
 	}
@@ -1238,7 +1238,7 @@ function parse_previtemtitle($format = '') {
 				echo $itemtitleprev;
 				break;
 			default:
-				echo htmlspecialchars($itemtitleprev,ENT_QUOTES);
+				echo htmlspecialchars($itemtitleprev,ENT_QUOTES,_CHARSET);
 				break;
 		}
 	}
@@ -1263,14 +1263,14 @@ function parse_prevlink($linktext = '', $amount = 10) {
 	 */
 	function parse_query() {
 		global $query;
-		echo htmlspecialchars($query,ENT_QUOTES);
+		echo htmlspecialchars($query,ENT_QUOTES,_CHARSET);
 	}
 
 	/**
 	 * Parse skinvar referer
 	 */
 	function parse_referer() {
-		echo htmlspecialchars(serverVar('HTTP_REFERER'),ENT_QUOTES);
+		echo htmlspecialchars(serverVar('HTTP_REFERER'),ENT_QUOTES,_CHARSET);
 	}
 
 	/**
@@ -1286,7 +1286,7 @@ function parse_searchform($blogname = '') {
 		// use default blog when no blog is selected
 		$this->formdata = array(
 			'id' => $blog?$blog->getID():$CONF['DefaultBlog'],
-			'query' => htmlspecialchars(getVar('query'),ENT_QUOTES),
+			'query' => htmlspecialchars(getVar('query'),ENT_QUOTES,_CHARSET),
 		);
 		$this->doForm('searchform');
 	}