

Quotes not properly handled within form input #1421
Fasse committed Jun 1, 2023
1 parent 4715cea commit a7c211b
Showing 16 changed files with 39 additions and 39 deletions.
2 changes: 1 addition & 1 deletion adm_program/modules/announcements/announcements_new.php
Expand Up @@ -83,7 +83,7 @@
$form->addInput(
'ann_headline',
$gL10n->get('SYS_TITLE'),
$announcement->getValue('ann_headline', 'database'),
$announcement->getValue('ann_headline'),
array('maxLength' => 100, 'property' => HtmlForm::FIELD_REQUIRED)
);
$form->addSelectBoxForCategories(
2 changes: 1 addition & 1 deletion adm_program/modules/categories/categories_new.php
Expand Up @@ -184,7 +184,7 @@ function showHideViewRightControl() {
$form->addInput(
'cat_name',
$gL10n->get('SYS_NAME'),
$category->getValue('cat_name', 'database'),
$category->getValue('cat_name'),
array('maxLength' => 100, 'property' => $fieldPropertyCatName)
);

6 changes: 3 additions & 3 deletions adm_program/modules/dates/dates_new.php
Expand Up @@ -221,7 +221,7 @@ function setLocationCountry() {
$form->addInput(
'dat_headline',
$gL10n->get('SYS_TITLE'),
$date->getValue('dat_headline', 'database'),
$date->getValue('dat_headline'),
array('maxLength' => 100, 'property' => HtmlForm::FIELD_REQUIRED)
);

Expand All @@ -230,7 +230,7 @@ function setLocationCountry() {
$form->addInput(
'dat_location',
$gL10n->get('DAT_LOCATION'),
$date->getValue('dat_location', 'database'),
$date->getValue('dat_location'),
array('maxLength' => 100, 'helpTextIdLabel' => 'DAT_LOCATION_LINK')
);

Expand All @@ -247,7 +247,7 @@ function setLocationCountry() {
$form->addInput(
'dat_location',
$gL10n->get('DAT_LOCATION'),
$date->getValue('dat_location', 'database'),
$date->getValue('dat_location'),
array('maxLength' => 100)
);
}
4 changes: 2 additions & 2 deletions adm_program/modules/documents-files/rename.php
Expand Up @@ -89,7 +89,7 @@
}

// read folder data to rename the folder
$originalName = $targetFolder->getValue('fol_name', 'database');
$originalName = $targetFolder->getValue('fol_name');
$createUserId = (int) $targetFolder->getValue('fol_usr_id');
$createTimestamp = $targetFolder->getValue('fol_timestamp');

Expand All @@ -98,7 +98,7 @@
}

if ($formValues['new_description'] == null) {
$formValues['new_description'] = $targetFolder->getValue('fol_description', 'database');
$formValues['new_description'] = $targetFolder->getValue('fol_description');
}
}
} catch (AdmException $e) {
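Review bot: `$originalName = $targetFolder->getValue('fol_name');` feeds the folder's current name into what the comment above describes as the folder rename, and if getValue() without the `'database'` format returns an HTML-escaped string, as the rest of this commit implies, a folder whose name contains `&`, `'` or `"` is now handled under its entity-encoded name rather than its real one. The raw `'database'` form is the right one for filesystem and comparison use; only the value echoed into the form needs escaping, so I would keep `$originalName = $targetFolder->getValue('fol_name', 'database');` here and escape at the output point. The same question applies to the `fol_description` line below if `$formValues['new_description']` is later stored or compared rather than displayed; its later use is outside the hunk. Separately, `$formValues['new_description'] == null` is a loose comparison that also matches `''` and `false`; `=== null || === ''` would state the intent. The enclosing try block starts and ends outside the hunk.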
6 changes: 3 additions & 3 deletions adm_program/modules/groups-roles/groups_roles_new.php
Expand Up @@ -137,13 +137,13 @@ function markRoleRight(srcRight, destRight, checked) {
$form->addInput(
'rol_name',
$gL10n->get('SYS_NAME'),
$role->getValue('rol_name', 'database'),
$role->getValue('rol_name'),
array('maxLength' => 100, 'property' => $fieldProperty)
);
$form->addMultilineTextInput(
'rol_description',
$gL10n->get('SYS_DESCRIPTION'),
$role->getValue('rol_description', 'database'),
$role->getValue('rol_description'),
3,
array('property' => ($eventRole ? HtmlForm::FIELD_READONLY : HtmlForm::FIELD_DEFAULT), 'maxLength' => 4000)
);
Expand Down Expand Up @@ -356,7 +356,7 @@ function markRoleRight(srcRight, destRight, checked) {
$form->addInput('rol_start_time', $gL10n->get('SYS_TIME_FROM'), $role->getValue('rol_start_time'), array('type' => 'time'));
$form->addInput('rol_end_time', $gL10n->get('SYS_TIME_TO'), $role->getValue('rol_end_time'), array('type' => 'time'));
$form->addSelectBox('rol_weekday', $gL10n->get('SYS_WEEKDAY'), DateTimeExtended::getWeekdays(), array('defaultValue' => $role->getValue('rol_weekday')));
$form->addInput('rol_location', $gL10n->get('SYS_LOCATION'), $role->getValue('rol_location', 'database'), array('maxLength' => 100));
$form->addInput('rol_location', $gL10n->get('SYS_LOCATION'), $role->getValue('rol_location'), array('maxLength' => 100));
$form->closeGroupBox();

$form->openGroupBox('gb_dependencies', $gL10n->get('SYS_DEPENDENCIES').'  ('.$gL10n->get('SYS_OPTIONAL').')');
4 changes: 2 additions & 2 deletions adm_program/modules/guestbook/guestbook_comment_new.php
Expand Up @@ -124,14 +124,14 @@
$form->addInput(
'gbc_name',
$gL10n->get('SYS_NAME'),
$gbComment->getValue('gbc_name', 'database'),
$gbComment->getValue('gbc_name'),
array('maxLength' => 60, 'property' => HtmlForm::FIELD_DISABLED)
);
} else {
$form->addInput(
'gbc_name',
$gL10n->get('SYS_NAME'),
$gbComment->getValue('gbc_name', 'database'),
$gbComment->getValue('gbc_name'),
array('maxLength' => 60, 'property' => HtmlForm::FIELD_REQUIRED)
);
}
4 changes: 2 additions & 2 deletions adm_program/modules/guestbook/guestbook_new.php
Expand Up @@ -112,14 +112,14 @@
$form->addInput(
'gbo_name',
$gL10n->get('SYS_NAME'),
$guestbook->getValue('gbo_name', 'database'),
$guestbook->getValue('gbo_name'),
array('maxLength' => 60, 'property' => HtmlForm::FIELD_DISABLED)
);
} else {
$form->addInput(
'gbo_name',
$gL10n->get('SYS_NAME'),
$guestbook->getValue('gbo_name', 'database'),
$guestbook->getValue('gbo_name'),
array('maxLength' => 60, 'property' => HtmlForm::FIELD_REQUIRED)
);
}
2 changes: 1 addition & 1 deletion adm_program/modules/links/links_new.php
Expand Up @@ -71,7 +71,7 @@
$form->addInput(
'lnk_name',
$gL10n->get('SYS_LINK_NAME'),
$link->getValue('lnk_name', 'database'),
$link->getValue('lnk_name'),
array('maxLength' => 250, 'property' => HtmlForm::FIELD_REQUIRED)
);
$form->addInput(
10 changes: 5 additions & 5 deletions adm_program/modules/menu/menu_new.php
Expand Up @@ -135,23 +135,23 @@ function subMenu(&$menuList, $level, $menId, $parentId = null)
$form->addInput(
'men_name',
$gL10n->get('SYS_NAME'),
$menu->getValue('men_name', 'database'),
$menu->getValue('men_name'),
array('maxLength' => 100, 'property'=> HtmlForm::FIELD_REQUIRED, 'helpTextIdLabel' => 'SYS_MENU_NAME_DESC')
);

if ($getMenuUuid !== '') {
$form->addInput(
'men_name_intern',
$gL10n->get('SYS_INTERNAL_NAME'),
$menu->getValue('men_name_intern', 'database'),
$menu->getValue('men_name_intern'),
array('maxLength' => 100, 'property' => HtmlForm::FIELD_DISABLED, 'helpTextIdLabel' => 'SYS_INTERNAL_NAME_DESC')
);
}

$form->addMultilineTextInput(
'men_description',
$gL10n->get('SYS_DESCRIPTION'),
$menu->getValue('men_description', 'database'),
$menu->getValue('men_description'),
2,
array('maxLength' => 4000)
);
Expand Down Expand Up @@ -193,15 +193,15 @@ function subMenu(&$menuList, $level, $menId, $parentId = null)
$form->addInput(
'men_url',
$gL10n->get('SYS_URL'),
$menu->getValue('men_url', 'database'),
$menu->getValue('men_url'),
array('maxLength' => 2000, 'property' => $fieldRequired)
);
}

$form->addInput(
'men_icon',
$gL10n->get('SYS_ICON'),
$menu->getValue('men_icon', 'database'),
$menu->getValue('men_icon'),
array(
'maxLength' => 100,
'helpTextIdLabel' => $gL10n->get('SYS_FONT_AWESOME_DESC', array('<a href="https://fontawesome.com/icons?d=gallery&s=brands,solid&m=free" target="_blank">', '</a>')),
6 changes: 3 additions & 3 deletions adm_program/modules/messages/messages_write.php
Expand Up @@ -87,7 +87,7 @@
$messageStatement = $message->getConversation($message->getValue('msg_id'));
}

$getSubject = $message->getValue('msg_subject', 'database');
$getSubject = $message->getValue('msg_subject');
if($gCurrentUserId !== $message->getValue('msg_usr_id_sender')) {
$user = new User($gDb, $gProfileFields, $message->getValue('msg_usr_id_sender'));
} else {
Expand Down Expand Up @@ -243,7 +243,7 @@
$form->addInput(
'msg_subject',
$gL10n->get('SYS_SUBJECT'),
$message->getValue('msg_subject', 'database'),
$message->getValue('msg_subject'),
array('maxLength' => 77, 'property' => HtmlForm::FIELD_REQUIRED)
);
} else {
Expand Down Expand Up @@ -544,7 +544,7 @@
$form->addInput(
'msg_subject',
$gL10n->get('SYS_SUBJECT'),
$message->getValue('msg_subject', 'database'),
$message->getValue('msg_subject'),
array('maxLength' => 77, 'property' => HtmlForm::FIELD_REQUIRED)
);

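Review bot: `$getSubject = $message->getValue('msg_subject');` now stores the presumably HTML-escaped subject in a variable whose later uses are outside the hunk; if any of them is a non-HTML context — a reply subject written back to the database, a mail subject, or a plain-text headline — entities such as `&amp;` or `&quot;` will leak into it. Before this change the raw value was read here and escaping happened only inside addInput(). If `$getSubject` is only ever passed to the form this is fine, but it is worth confirming; otherwise keep the raw read, `$getSubject = $message->getValue('msg_subject', 'database');`, and escape where it is rendered.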
6 changes: 3 additions & 3 deletions adm_program/modules/photos/photo_album_new.php
Expand Up @@ -113,7 +113,7 @@ function subfolder(int $parentId, string $vorschub, int $currentAlbumPhoId)
$form->addInput(
'pho_name',
$gL10n->get('PHO_ALBUM'),
$photoAlbum->getValue('pho_name', 'database'),
$photoAlbum->getValue('pho_name'),
array('property' => HtmlForm::FIELD_REQUIRED, 'maxLength' => 50)
);
subfolder(0, '', $photoAlbum->getValue('pho_id'));
Expand Down Expand Up @@ -143,13 +143,13 @@ function subfolder(int $parentId, string $vorschub, int $currentAlbumPhoId)
$form->addInput(
'pho_photographers',
$gL10n->get('PHO_PHOTOGRAPHER'),
$photoAlbum->getValue('pho_photographers', 'database'),
$photoAlbum->getValue('pho_photographers'),
array('maxLength' => 100)
);
$form->addMultilineTextInput(
'pho_description',
$gL10n->get('SYS_DESCRIPTION'),
$photoAlbum->getValue('pho_description', 'database'),
$photoAlbum->getValue('pho_description'),
6,
array('maxLength' => 4000)
);
8 changes: 4 additions & 4 deletions adm_program/modules/profile-fields/profile_fields_new.php
Expand Up @@ -94,14 +94,14 @@
$form->addInput(
'usf_name',
$gL10n->get('SYS_NAME'),
$userField->getValue('usf_name', 'database'),
$userField->getValue('usf_name'),
array('maxLength' => 100, 'property' => HtmlForm::FIELD_DISABLED)
);
} else {
$form->addInput(
'usf_name',
$gL10n->get('SYS_NAME'),
$userField->getValue('usf_name', 'database'),
$userField->getValue('usf_name'),
array('maxLength' => 100, 'property' => HtmlForm::FIELD_REQUIRED)
);
}
Expand Down Expand Up @@ -171,7 +171,7 @@
$form->addMultilineTextInput(
'usf_value_list',
$gL10n->get('ORG_VALUE_LIST'),
$userField->getValue('usf_value_list', 'database'),
$userField->getValue('usf_value_list'),
6,
array('property' => HtmlForm::FIELD_REQUIRED, 'helpTextIdLabel' => 'ORG_VALUE_LIST_DESC')
);
Expand Down Expand Up @@ -234,7 +234,7 @@
$form->addInput(
'usf_icon',
$gL10n->get('SYS_ICON'),
$userField->getValue('usf_icon', 'database'),
$userField->getValue('usf_icon'),
array(
'maxLength' => 100,
'helpTextIdLabel' => $gL10n->get('SYS_FONT_AWESOME_DESC', array('<a href="https://fontawesome.com/icons?d=gallery&s=brands,solid&m=free" target="_blank">', '</a>'))
2 changes: 1 addition & 1 deletion adm_program/modules/rooms/rooms_new.php
Expand Up @@ -57,7 +57,7 @@
$form->addInput(
'room_name',
$gL10n->get('SYS_ROOM'),
$room->getValue('room_name', 'database'),
$room->getValue('room_name'),
array('maxLength' => 100, 'property' => HtmlForm::FIELD_REQUIRED)
);
$form->addInput(
12 changes: 6 additions & 6 deletions adm_program/modules/userrelations/relationtypes_new.php
Expand Up @@ -49,19 +49,19 @@
$form->addInput(
'urt_name',
$gL10n->get('SYS_NAME'),
$relationType1->getValue('urt_name', 'database'),
$relationType1->getValue('urt_name'),
array('maxLength' => 100, 'property' => HtmlForm::FIELD_REQUIRED)
);
$form->addInput(
'urt_name_male',
$gL10n->get('SYS_MALE'),
($relationType1->getValue('urt_name_male') !== $relationType1->getValue('urt_name')) ? $relationType1->getValue('urt_name_male', 'database') : '',
($relationType1->getValue('urt_name_male') !== $relationType1->getValue('urt_name')) ? $relationType1->getValue('urt_name_male') : '',
array('maxLength' => 100)
);
$form->addInput(
'urt_name_female',
$gL10n->get('SYS_FEMALE'),
($relationType1->getValue('urt_name_female') !== $relationType1->getValue('urt_name')) ? $relationType1->getValue('urt_name_female', 'database') : '',
($relationType1->getValue('urt_name_female') !== $relationType1->getValue('urt_name')) ? $relationType1->getValue('urt_name_female') : '',
array('maxLength' => 100)
);
$form->addCheckbox(
Expand Down Expand Up @@ -130,19 +130,19 @@ function updateRelationType(element, duration) {
$form->addInput(
'urt_name_inverse',
$gL10n->get('SYS_NAME'),
$relationType2->getValue('urt_name', 'database'),
$relationType2->getValue('urt_name'),
array('maxLength' => 100, 'property' => HtmlForm::FIELD_REQUIRED)
);
$form->addInput(
'urt_name_male_inverse',
$gL10n->get('SYS_MALE'),
($relationType2->getValue('urt_name_male') !== $relationType2->getValue('urt_name')) ? $relationType2->getValue('urt_name_male', 'database') : '',
($relationType2->getValue('urt_name_male') !== $relationType2->getValue('urt_name')) ? $relationType2->getValue('urt_name_male') : '',
array('maxLength' => 100)
);
$form->addInput(
'urt_name_female_inverse',
$gL10n->get('SYS_FEMALE'),
($relationType2->getValue('urt_name_female') !== $relationType2->getValue('urt_name')) ? $relationType2->getValue('urt_name_female', 'database') : '',
($relationType2->getValue('urt_name_female') !== $relationType2->getValue('urt_name')) ? $relationType2->getValue('urt_name_female') : '',
array('maxLength' => 100)
);
$form->addCheckbox(
2 changes: 1 addition & 1 deletion adm_program/system/classes/HtmlForm.php
Expand Up @@ -757,7 +757,7 @@ public function addInput($id, $label, $value, array $options = array())

$optionsAll["attributes"] = $attributes;
// replace quotes with html entities to prevent xss attacks
$optionsAll['value'] = htmlentities($value, ENT_QUOTES);
$optionsAll['value'] = $value;

// required field should not be highlighted so set it to a default field
if (!$this->showRequiredFields && $optionsAll['property'] === self::FIELD_REQUIRED) {
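Review bot: Dropping the escaping on `$optionsAll['value'] = $value;` makes addInput() depend on every caller handing it an already HTML-escaped value, so any call site that passes raw data — re-displayed `$_POST` input after a validation error, a `getValue(..., 'database')` call left anywhere, or values from other sources — now lands unescaped inside a quoted `value` attribute; the same applies to the `value` attribute written in HtmlFormBasic::addOption() in this commit, unless addAttribute() escapes internally, which is not visible here. A safer fix for the double-encoding that #1421 describes is to keep escaping here but not re-encode existing entities, `$optionsAll['value'] = htmlspecialchars((string) $value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8', false);`, with the same form in addOption(). If the current approach stays, the comment `// replace quotes with html entities to prevent xss attacks` above (and its twin in addOption()) is now false and should become `// $value must already be HTML-escaped by the caller (e.g. getValue() without the 'database' format)`, and that expectation belongs in addInput()'s docblock for $value as well. addInput()'s body starts and ends outside the hunk.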
2 changes: 1 addition & 1 deletion adm_program/system/classes/HtmlFormBasic.php
Expand Up @@ -177,7 +177,7 @@ public function addOption($value, $label, $id = null, $selected = false, $disabl
{
$this->addElement('option');
// replace quotes with html entities to prevent xss attacks
$this->addAttribute('value', htmlentities($value, ENT_QUOTES));
$this->addAttribute('value', $value);

if ($id !== null) {
$this->addAttribute('id', $id);
