guard createhtmlspecialchars

legacy/application/common/FileDataHelper.php

@@ -367,15 +367,15 @@ public static function resizeGroup($file, $ext)
     public static function renderImage($file)
     {
         if ($file && file_exists($file)) {
-           $im = @imagecreatefromjpeg($file);
+            $im = @imagecreatefromjpeg($file);
 
-           $img = $im;
+            $img = $im;
 
-           if ($im) {
-               header('Content-Type: image/jpeg');
-               imagejpeg($img);
-               imagedestroy($img);
-           }
+            if ($im) {
+                header('Content-Type: image/jpeg');
+                imagejpeg($img);
+                imagedestroy($img);
+            }
         }
     }
 

legacy/application/controllers/AudiopreviewController.php

@@ -50,13 +50,25 @@ public function audioPreviewAction()
             $media = Application_Model_StoredFile::RecallById($audioFileID);
             $uri = $baseUrl . 'api/get-media/file/' . $audioFileID;
             $mime = $media->getPropelOrm()->getDbMime();
-            $this->view->audioFileArtist = htmlspecialchars($media->getPropelOrm()->getDbArtistName());
-            $this->view->audioFileTitle = htmlspecialchars($media->getPropelOrm()->getDbTrackTitle());
+            if ($media->getPropelOrm()->getDbArtistName()) {
+                $this->view->audioFileArtist = htmlspecialchars($media->getPropelOrm()->getDbArtistName());
+            } else {
+                $this->view->audioFileArtist = '';
+            }
+            if ($media->getPropelOrm()->getDbTrackTitle()) {
+                $this->view->audioFileTitle = htmlspecialchars($media->getPropelOrm()->getDbTrackTitle());
+            } else {
+                $this->view->audioFileTitle = '';
+            }
         } elseif ($type == 'stream') {
             $webstream = CcWebstreamQuery::create()->findPk($audioFileID);
             $uri = $webstream->getDbUrl();
             $mime = $webstream->getDbMime();
-            $this->view->audioFileTitle = htmlspecialchars($webstream->getDbName());
+            if ($webstream->getDbName()) {
+                $this->view->audioFileTitle = htmlspecialchars($webstream->getDbName());
+            } else {
+                $this->view->audioFileTitle = '';
+            }
         } else {
             throw new Exception("Unknown type for audio preview!.Type={$type}");
         }

legacy/application/controllers/IndexController.php

@@ -57,8 +57,16 @@ public function indexAction()
         $podcastEpisodesService = new Application_Service_PodcastEpisodeService();
         $episodes = $podcastEpisodesService->getPodcastEpisodes($stationPodcastId, 0, 0, PodcastEpisodesPeer::PUBLICATION_DATE, 'DESC');
         foreach ($episodes as $e => $v) {
-            $episodes[$e]['CcFiles']['track_title'] = htmlspecialchars($v['CcFiles']['track_title'], ENT_QUOTES);
-            $episodes[$e]['CcFiles']['artist_name'] = htmlspecialchars($v['CcFiles']['artist_name'], ENT_QUOTES);
+            if ($v['CcFiles']['track_title']) {
+                $episodes[$e]['CcFiles']['track_title'] = htmlspecialchars($v['CcFiles']['track_title'], ENT_QUOTES);
+            } else {
+                $episodes[$e]['CcFiles']['track_title'] = '';
+            }
+            if ($v['CcFiles']['artist_name']) {
+                $episodes[$e]['CcFiles']['artist_name'] = htmlspecialchars($v['CcFiles']['artist_name'], ENT_QUOTES);
+            } else {
+                $episodes[$e]['CcFiles']['artist_name'] = '';
+            }
 
             $pubDate = explode(' ', $v['publication_date']);
             $episodes[$e]['publication_date'] = $pubDate[0];

legacy/application/controllers/ScheduleController.php

@@ -398,7 +398,7 @@ public function showContentDialogAction()
         $this->view->percentFilled = $show->getPercentScheduled();
         $this->view->showContent = $show->getShowListContent();
         $this->view->dialog = $this->view->render('schedule/show-content-dialog.phtml');
-        $this->view->showTitle = htmlspecialchars($show->getName());
+        $this->view->showTitle = $show->getName() ? htmlspecialchars($show->getName()) : '';
         unset($this->view->showContent);
     }
 

legacy/application/models/Block.php

@@ -268,8 +268,8 @@ public function getContents($filterFiles = false)
             $row['orig_length'] = $formatter->format();
 
             // XSS exploit prevention
-            $row['track_title'] = htmlspecialchars($row['track_title']);
-            $row['creator'] = htmlspecialchars($row['creator']);
+            $row['track_title'] = $row['track_title'] ? htmlspecialchars($row['track_title']) : '';
+            $row['creator'] = $row['creator'] ? htmlspecialchars($row['creator']) : '';
         }
 
         return $rows;

legacy/application/models/Playlist.php

@@ -282,12 +282,8 @@ public function getContents($filterFiles = false)
             $row['orig_length'] = $formatter->format();
 
             // XSS exploit prevention
-            if ($row['track_title']) {
-               $row['track_title'] = htmlspecialchars($row['track_title']);
-            }
-            if ($row['creator']) {
-               $row['creator'] = htmlspecialchars($row['creator']);
-            }
+            $row['track_title'] = $row['track_title'] ? htmlspecialchars($row['track_title']) : '';
+            $row['creator'] = $row['creator'] ? htmlspecialchars($row['creator']) : '';
         }
 
         return $rows;

legacy/application/models/ShowBuilder.php

@@ -232,9 +232,7 @@ private function makeHeaderRow($p_item)
         $row['endDate'] = $showEndDT->format('Y-m-d');
         $row['endTime'] = $showEndDT->format('H:i');
         $row['duration'] = floatval($showEndDT->format('U.u')) - floatval($showStartDT->format('U.u'));
-        if ($p_item['show_name']) {
-           $row['title'] = htmlspecialchars($p_item['show_name']);
-        }
+        $row['title'] = $p_item['show_name'] ? htmlspecialchars($p_item['show_name']) : '';
         $row['instance'] = intval($p_item['si_id']);
         $row['image'] = '';
 
@@ -285,15 +283,9 @@ private function makeScheduledItemRow($p_item)
             $formatter = new LengthFormatter(Application_Common_DateHelper::secondsToPlaylistTime($run_time));
             $row['runtime'] = $formatter->format();
 
-            if ($p_item['file_track_title']) {
-               $row['title'] = htmlspecialchars($p_item['file_track_title']);
-            }
-            if ($p_item['file_artist_name']) {
-               $row['creator'] = htmlspecialchars($p_item['file_artist_name']);
-            }
-            if ($p_item['file_album_title']) {
-               $row['album'] = htmlspecialchars($p_item['file_album_title']);
-            }
+            $row['title'] = $p_item['file_track_title'] ? htmlspecialchars($p_item['file_track_title']) : '';
+            $row['creator'] = $p_item['file_artist_name'] ? htmlspecialchars($p_item['file_artist_name']) : '';
+            $row['album'] = $p_item['file_album_title'] ? htmlspecialchars($p_item['file_album_title']) : '';
 
             $row['cuein'] = $p_item['cue_in'];
             $row['cueout'] = $p_item['cue_out'];

legacy/application/services/PodcastEpisodeService.php

@@ -472,6 +472,7 @@ public function _getImportedPodcastEpisodeArray($podcast, $episodes)
             if (!empty($file) && $file['import_status'] == CcFiles::IMPORT_STATUS_PENDING) {
                 $ingested = -1;
             }
+            $itemdesc = $item->get_description() ? $item->get_description() : '';
 
             array_push($episodesArray, [
                 'podcast_id' => $podcast->getDbId(),
@@ -481,7 +482,7 @@ public function _getImportedPodcastEpisodeArray($podcast, $episodes)
                 // From the RSS spec best practices:
                 // 'An item's author element provides the e-mail address of the person who wrote the item'
                 'author' => $this->_buildAuthorString($item),
-                'description' => htmlspecialchars($item->get_description()),
+                'description' => htmlspecialchars($itemdesc),
                 'pub_date' => $item->get_gmdate(),
                 'link' => $url,
                 'enclosure' => $enclosure,

legacy/application/services/PodcastService.php

@@ -62,15 +62,15 @@ public static function createFromFeedUrl($feedUrl)
         $podcastArray = [];
         $podcastArray['url'] = $feedUrl;
 
-        $podcastArray['title'] = htmlspecialchars($rss->get_title());
-        $podcastArray['description'] = htmlspecialchars($rss->get_description());
-        $podcastArray['link'] = htmlspecialchars($rss->get_link());
-        $podcastArray['language'] = htmlspecialchars($rss->get_language());
-        $podcastArray['copyright'] = htmlspecialchars($rss->get_copyright());
+        $podcastArray['title'] = $rss->get_title() ? htmlspecialchars($rss->get_title()) : '';
+        $podcastArray['description'] = $rss->get_description() ? htmlspecialchars($rss->get_description()) : '';
+        $podcastArray['link'] = $rss->get_link() ? htmlspecialchars($rss->get_link()) : '';
+        $podcastArray['language'] = $rss->get_language() ? htmlspecialchars($rss->get_language()) : '';
+        $podcastArray['copyright'] = $rss->get_copyright() ? htmlspecialchars($rss->get_copyright()) : '';
 
         $author = $rss->get_author();
         $name = empty($author) ? '' : $author->get_name();
-        $podcastArray['creator'] = htmlspecialchars($name);
+        $podcastArray['creator'] = $name ? htmlspecialchars($name) : '';
 
         $categories = [];
         if (is_array($rss->get_categories())) {
@@ -432,7 +432,7 @@ public static function createStationRssFeed()
 
             $imageUrl = Config::getPublicUrl() . 'api/station-logo';
             $image = $channel->addChild('image');
-            $image->addChild('title', htmlspecialchars($podcast->getDbTitle()));
+            $image->addChild('title', htmlspecialchars($podcast->getDbTitle() ? $podcast->getDbTitle() : ''));
             self::addEscapedChild($image, 'url', $imageUrl);
             self::addEscapedChild($image, 'link', Config::getPublicUrl());