HTML injection fixed. IE6 CSS bugs fixed

jeroeningen · Aug 29, 2009 · 2037851 · 2037851
1 parent 9c508bf
commit 2037851
Show file tree

Hide file tree

Showing 5 changed files with 16 additions and 12 deletions.
diff --git a/app/controllers/people_controller.php b/app/controllers/people_controller.php
@@ -28,7 +28,10 @@ function index() {
 	//edit action for forumuser (uses guest account)
 	function edit() {
 		if(!empty($this->data)) {
-			$this->Person->read(null, $this->Session->read('person'));
+		    //prevent from html-injection
+		    //$this->data['Person']['description'] = strip_tags($this->data['Person']['description'], '<a><b>');
+
+		    $this->Person->read(null, $this->Session->read('person'));
 			$this->Person->saveField('description', $this->data['Person']['description']);
 			$this->redirect(array('controller' => 'people', 'action' => 'view', 'id' => $this->Session->read('person')));
 		} else {

diff --git a/app/views/elements/person/form.ctp b/app/views/elements/person/form.ctp
@@ -18,10 +18,15 @@
 	} elseif(strstr($this->params['action'], 'edit')) {
 		$parent = $this->data['Person']['parent_id'];
 	}
+
+	//fields only for admin
 	if (!empty($authUser) && $authUser['User']['username'] == 'admin') {
 		echo $form->input('name', array('label' => 'Naam')).'<br />';
 	}
+
 	echo $form->input('description', array('label' => 'Beschrijving')).'<br />';
+
+	//fields only for admin
 	if (!empty($authUser) && $authUser['User']['username'] == 'admin') {
 		if (!empty($this->params['named']['parent_id'])) {
 			echo $form->hidden('parent_id', array('value' => $parent));

diff --git a/app/views/elements/person/tree.ctp b/app/views/elements/person/tree.ctp
@@ -26,7 +26,9 @@
     		array('class' => 'modalbox_link')).'</div>';
 	}
 
-	echo '<div class="description">'.$data['Person']['description'].'</div>';
+	if (!empty($data['Person']['description'])) {
+		echo '<div class="description">'.nl2br($data['Person']['description']).'</div>';
+	}
 	echo '</div>';
 
 	//set links for admin

diff --git a/app/views/elements/person/view.ctp b/app/views/elements/person/view.ctp
@@ -15,7 +15,7 @@
 		</dd>
         <dt<?php if ($i % 2 == 0) echo $class;?>><?php __('Beschrijving'); ?></dt>
         <dd<?php if ($i++ % 2 == 0) echo $class;?>>
-            <?php echo $person['Person']['description']; ?>
+            <?php echo nl2br($person['Person']['description']); ?>
             &nbsp;
         </dd>
         <dt<?php if ($i % 2 == 0) echo $class;?>><?php __('Status'); ?></dt>

diff --git a/app/webroot/css/liber.css b/app/webroot/css/liber.css
@@ -41,26 +41,20 @@ div#logo, h2 {
     text-align: center;
 }
 
-div.link, dt, label {
-    float: left;
-}
-
-div.description {
-	display: inline-block;
-}
-
 /**
  * Modalbox & forms
  **/
 label {
+	margin: 0 1em;
 	width: 8em;
+	display: inline-block;
 }
 dd, input[type="text"], input[type="password"], textarea {
 	font-weight: normal;
 }
 
 dd {
-	margin: 0 0 0 8em;
+	margin: 0 0 1em 3em;
 }
 
 /**