@@ -569,7 +569,7 @@ functions::draw_lightbox();
569569 <?php echo functions::form_draw_hidden_field ('comments[ ' . $ key .'][author] ' , true ); ?>
570570 <?php echo functions::form_draw_hidden_field ('comments[ ' . $ key .'][text] ' , true ); ?>
571571
572- <div class="text"><?php echo nl2br ($ _POST ['comments ' ][$ key ]['text ' ]); ?> </div>
572+ <div class="text"><?php echo nl2br (functions:: escape_html ( $ _POST ['comments ' ][$ key ]['text ' ]) ); ?> </div>
573573
574574 <div class="date"><?php echo language::strftime (language::$ selected ['format_datetime ' ], !empty ($ _POST ['comments ' ][$ key ]['date_created ' ]) ? strtotime ($ _POST ['comments ' ][$ key ]['date_created ' ]) : 0 ); ?> </div>
575575
@@ -610,7 +610,7 @@ functions::draw_lightbox();
610610 <?php if (!empty ($ _POST ['items ' ])) foreach (array_keys ($ _POST ['items ' ]) as $ key ) { ?>
611611 <tr class="item">
612612 <td>
613- <?php echo !empty ($ _POST ['items ' ][$ key ]['product_id ' ]) ? '<a href=" ' . document::href_link (WS_DIR_ADMIN , ['app ' => 'catalog ' , 'doc ' => 'edit_product ' , 'product_id ' => $ _POST ['items ' ][$ key ]['product_id ' ]]) .'" target="_blank"> ' . $ _POST ['items ' ][$ key ]['name ' ] .'</a> ' : $ _POST ['items ' ][$ key ]['name ' ]; ?> <?php echo '<a class="float-end" href=" ' . document::href_ilink ('product ' , ['product_id ' => $ _POST ['items ' ][$ key ]['product_id ' ]]) .'" target="_blank"> ' . functions::draw_fonticon ('fa-external-link ' ) .'</a> ' ; ?>
613+ <?php echo !empty ($ _POST ['items ' ][$ key ]['product_id ' ]) ? '<a href=" ' . document::href_link (WS_DIR_ADMIN , ['app ' => 'catalog ' , 'doc ' => 'edit_product ' , 'product_id ' => $ _POST ['items ' ][$ key ]['product_id ' ]]) .'" target="_blank"> ' . functions:: escape_html ( $ _POST ['items ' ][$ key ]['name ' ]) .'</a> ' : functions:: escape_html ( $ _POST ['items ' ][$ key ]['name ' ]) ; ?> <?php echo '<a class="float-end" href=" ' . document::href_ilink ('product ' , ['product_id ' => $ _POST ['items ' ][$ key ]['product_id ' ]]) .'" target="_blank"> ' . functions::draw_fonticon ('fa-external-link ' ) .'</a> ' ; ?>
614614 <?php echo functions::form_draw_hidden_field ('items[ ' .$ key .'][id] ' , true ); ?>
615615 <?php echo functions::form_draw_hidden_field ('items[ ' .$ key .'][product_id] ' , true ); ?>
616616 <?php echo functions::form_draw_hidden_field ('items[ ' .$ key .'][option_stock_combination] ' , true ); ?>
@@ -628,16 +628,16 @@ functions::draw_lightbox();
628628 if (!empty ($ _POST ['items ' ][$ key ]['options ' ])) {
629629 foreach (array_keys ($ _POST ['items ' ][$ key ]['options ' ]) as $ field ) {
630630 echo '<div> ' . PHP_EOL
631- . ' - ' . $ field .': ' . PHP_EOL ;
631+ . ' - ' . functions:: escape_html ( $ field) .': ' . PHP_EOL ;
632632 if (is_array ($ _POST ['items ' ][$ key ]['options ' ][$ field ])) {
633633 $ use_comma = false ;
634634 foreach (array_keys ($ _POST ['items ' ][$ key ]['options ' ][$ field ]) as $ k ) {
635- echo ' ' . functions::form_draw_hidden_field ('items[ ' .$ key .'][options][ ' .$ field .'][ ' .$ k .'] ' , true ) . $ _POST ['items ' ][$ key ]['options ' ][$ field ][$ k ];
635+ echo ' ' . functions::form_draw_hidden_field ('items[ ' .$ key .'][options][ ' .$ field .'][ ' .$ k .'] ' , true ) . functions:: escape_html ( $ _POST ['items ' ][$ key ]['options ' ][$ field ][$ k ]) ;
636636 if ($ use_comma ) echo ', ' ;
637637 $ use_comma = true ;
638638 }
639639 } else {
640- echo ' ' . functions::form_draw_hidden_field ('items[ ' .$ key .'][options][ ' .$ field .'] ' , true ) . $ _POST ['items ' ][$ key ]['options ' ][$ field ];
640+ echo ' ' . functions::form_draw_hidden_field ('items[ ' .$ key .'][options][ ' .$ field .'] ' , true ) . functions:: escape_html ( $ _POST ['items ' ][$ key ]['options ' ][$ field ]) ;
641641 }
642642 echo '</div> ' . PHP_EOL ;
643643 }
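Review bot: The hidden-field names built at 635 and 640 still receive the POST-derived keys `$key`, `$field` and `$k` unescaped while their displayed copies are now wrapped in `functions::escape_html`, so the name attribute's safety rests on `functions::form_draw_hidden_field` escaping its first argument, which is not visible in this hunk. If the helper does not escape, an unescaped array key from the submitted form could break out of the attribute just as the displayed value could before this change; either confirm the helper escapes its name parameter or apply the same treatment to the key segments, e.g. `functions::form_draw_hidden_field('items[' . functions::escape_html($key) . '][options][' . functions::escape_html($field) . '][' . functions::escape_html($k) . ']', true)`. The same assumption applies to the hidden-field names at 569–570 and 614–616, and to the `href` values at 613, where `document::href_link`/`href_ilink` are presumably expected to escape the `product_id` they embed — worth confirming once rather than per call site. The enclosing `if`/`foreach` begins before line 628 and the PHP block runs past 643.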
@@ -646,12 +646,12 @@ functions::draw_lightbox();
646646 }
647647?>
648648 </td>
649- <td class="sku"><?php echo $ _POST ['items ' ][$ key ]['sku ' ]; ?> </td>
649+ <td class="sku"><?php echo functions:: escape_html ( $ _POST ['items ' ][$ key ]['sku ' ]) ; ?> </td>
650650 <td>
651- <span class="weight"><?php echo (float )$ _POST ['items ' ][$ key ]['weight ' ]; ?> </span> <span class="weight_class"><?php echo $ _POST ['items ' ][$ key ]['weight_class ' ]; ?> </span>
651+ <span class="weight"><?php echo (float )$ _POST ['items ' ][$ key ]['weight ' ]; ?> </span> <span class="weight_class"><?php echo functions:: escape_html ( $ _POST ['items ' ][$ key ]['weight_class ' ]) ; ?> </span>
652652 </td>
653653 <td>
654- <span class="dim_x"><?php echo (float )$ _POST ['items ' ][$ key ]['dim_x ' ]; ?> </span> x <span class="dim_y"><?php echo (float )$ _POST ['items ' ][$ key ]['dim_y ' ]; ?> </span> x <span class="dim_z"><?php echo (float )$ _POST ['items ' ][$ key ]['dim_z ' ]; ?> </span> <span class="dim_class"><?php echo $ _POST ['items ' ][$ key ]['dim_class ' ]; ?> </span>
654+ <span class="dim_x"><?php echo (float )$ _POST ['items ' ][$ key ]['dim_x ' ]; ?> </span> x <span class="dim_y"><?php echo (float )$ _POST ['items ' ][$ key ]['dim_y ' ]; ?> </span> x <span class="dim_z"><?php echo (float )$ _POST ['items ' ][$ key ]['dim_z ' ]; ?> </span> <span class="dim_class"><?php echo functions:: escape_html ( $ _POST ['items ' ][$ key ]['dim_class ' ]) ; ?> </span>
655655 </td>
656656 <td><?php echo functions::form_draw_decimal_field ('items[ ' . $ key .'][quantity] ' , true , 2 ); ?> </td>
657657 <td><?php echo functions::form_draw_currency_field ($ _POST ['currency_code ' ], 'items[ ' . $ key .'][price] ' , true ); ?> </td>