
Commit 050fea8

committed
* Escape HTML characters
1 parent 8c37426 commit 050fea8


8 files changed

+21
-21
lines changed


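--- a/public_html/admin/catalog.app/edit_category.inc.php
+++ b/public_html/admin/catalog.app/edit_category.inc.php
@@ -255,7 +255,7 @@
 <?php echo functions::form_draw_hidden_field('filters['.$key.'][id]', true); ?>
 <?php echo functions::form_draw_hidden_field('filters['.$key.'][attribute_group_id]', true); ?>
 <?php echo functions::form_draw_hidden_field('filters['.$key.'][attribute_group_name]', true); ?>
-<td class="grabable"><?php echo $_POST['filters'][$key]['attribute_group_name']; ?></td>
+<td class="grabable"><?php echo functions::escape_html($_POST['filters'][$key]['attribute_group_name']); ?></td>
 <td class="grabable"><?php echo functions::form_draw_checkbox('filters['.$key.'][select_multiple]', '1', true); ?></td>
 <td class="text-end">
 <a class="move-up" href="#" title="<?php echo language::translate('text_move_up', 'Move up'); ?>"><?php echo functions::draw_fonticon('fa-arrow-circle-up fa-lg', 'style="color: #3399cc;"'); ?></a>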
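Review bot: The three hidden-field names and the checkbox name in this hunk still concatenate `$key` raw into `'filters['.$key.'][…]'`; presumably `$key` is an array key of the POSTed `filters` array (the sibling templates in this commit iterate `array_keys($_POST[...])`), so it is request-controlled, and whether it is attribute-escaped depends on `functions::form_draw_hidden_field()`/`form_draw_checkbox()`, which this diff does not show. If those helpers emit the name verbatim, `$key` needs the same treatment as the value fixed here, e.g. `functions::escape_html($key)`, or should be validated as an integer index where that is what the template expects. The same pattern appears in edit_product.inc.php, edit_country.inc.php, edit_geo_zone.inc.php and edit_order.inc.php (where `$field` and `$k` are likewise array keys). The enclosing loop begins outside the hunk.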

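--- a/public_html/admin/catalog.app/edit_product.inc.php
+++ b/public_html/admin/catalog.app/edit_product.inc.php
@@ -433,9 +433,9 @@ functions::draw_lightbox();
 <?php echo functions::form_draw_hidden_field('attributes['.$key.'][value_id]', true); ?>
 <?php echo functions::form_draw_hidden_field('attributes['.$key.'][value_name]', true); ?>
 <?php echo functions::form_draw_hidden_field('attributes['.$key.'][custom_value]', true); ?>
-<td><?php echo $_POST['attributes'][$key]['group_name']; ?></td>
-<td><?php echo $_POST['attributes'][$key]['value_name']; ?></td>
-<td><?php echo $_POST['attributes'][$key]['custom_value']; ?></td>
+<td><?php echo functions::escape_html($_POST['attributes'][$key]['group_name']); ?></td>
+<td><?php echo functions::escape_html($_POST['attributes'][$key]['value_name']); ?></td>
+<td><?php echo functions::escape_html($_POST['attributes'][$key]['custom_value']); ?></td>
 <td class="text-end"><a class="remove" href="#" title="<?php echo language::translate('title_remove', 'Remove'); ?>"><?php echo functions::draw_fonticon('fa-times-circle fa-lg', 'style="color: #cc3333;"'); ?></a></td>
 </tr>
 <?php } ?>
@@ -747,7 +747,7 @@ functions::draw_lightbox();
 <tr>
 <td><?php echo functions::form_draw_hidden_field('options_stock['.$key.'][id]', true); ?><?php echo functions::form_draw_hidden_field('options_stock['.$key.'][combination]', true); ?>
 <?php echo functions::form_draw_hidden_field('options_stock['.$key.'][name]['. language::$selected['name'] .']', true); ?>
-<?php echo $_POST['options_stock'][$key]['name'][language::$selected['code']]; ?></td>
+<?php echo functions::escape_html($_POST['options_stock'][$key]['name'][language::$selected['code']]); ?></td>
 <td><?php echo functions::form_draw_text_field('options_stock['.$key.'][sku]', true); ?></td>
 <td>
 <div class="input-group">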
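Review bot: In the second hunk the hidden field is keyed with `language::$selected['name']` while the value displayed on the very next line is read under `language::$selected['code']`; unless those two values happen to be equal, the round-tripped field and the shown text index different entries of `name`, and the display would silently miss what the form resubmits. Verify which key the POST handler expects and use it in both places, e.g. `<?php echo functions::form_draw_hidden_field('options_stock['.$key.'][name]['. language::$selected['code'] .']', true); ?>`. The enclosing foreach of both hunks starts outside the hunk, and the second hunk ends mid-row.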

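--- a/public_html/admin/countries.app/edit_country.inc.php
+++ b/public_html/admin/countries.app/edit_country.inc.php
@@ -171,7 +171,7 @@
 <tbody>
 <?php if (!empty($_POST['zones'])) foreach (array_keys($_POST['zones']) as $key) { ?>
 <tr>
-<td><?php echo functions::form_draw_hidden_field('zones['. $key .'][id]', true); ?><?php echo $_POST['zones'][$key]['id']; ?></td>
+<td><?php echo functions::form_draw_hidden_field('zones['. $key .'][id]', true); ?><?php echo functions::escape_html($_POST['zones'][$key]['id']); ?></td>
 <td><?php echo functions::form_draw_text_field('zones['. $key .'][code]', true); ?></td>
 <td><?php echo functions::form_draw_text_field('zones['. $key .'][name]', true); ?></td>
 <td class="text-end"><a class="remove" href="#" title="<?php echo language::translate('title_remove', 'Remove'); ?>"><?php echo functions::draw_fonticon('fa-times-circle fa-lg', 'style="color: #cc3333;"'); ?></a></td>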
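Review bot: `array_keys($_POST['zones'])` on the second context line is guarded only by `!empty()`, which does not establish that the value is an array; a request that carries a scalar under `zones` reaches `array_keys()` with a string and on PHP 8 raises a TypeError instead of rendering the form, and the `$_POST['zones'][$key]['id']` read on the changed line likewise assumes a nested array. Tightening the guard, `<?php if (!empty($_POST['zones']) && is_array($_POST['zones'])) foreach (array_keys($_POST['zones']) as $key) { ?>`, or normalising the request shape in the POST handler before the template runs, keeps the template from depending on the request's structure. The same guard appears in edit_geo_zone.inc.php and edit_order.inc.php in this commit. The foreach closes outside the hunk.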

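--- a/public_html/admin/geo_zones.app/edit_geo_zone.inc.php
+++ b/public_html/admin/geo_zones.app/edit_geo_zone.inc.php
@@ -102,10 +102,10 @@
 <tbody>
 <?php if (!empty($_POST['zones'])) foreach (array_keys($_POST['zones']) as $key) { ?>
 <tr>
-<td><?php echo functions::form_draw_hidden_field('zones['. $key .'][id]', true); ?><?php echo $_POST['zones'][$key]['id']; ?></td>
-<td><?php echo functions::form_draw_hidden_field('zones['. $key .'][country_code]', true); ?> <?php echo reference::country($_POST['zones'][$key]['country_code'])->name; ?></td>
-<td><?php echo functions::form_draw_hidden_field('zones['. $key .'][zone_code]', true); ?> <?php echo !empty($_POST['zones'][$key]['zone_code']) ? reference::country($_POST['zones'][$key]['country_code'])->zones[$_POST['zones'][$key]['zone_code']]['name'] : '-- '.language::translate('title_all_zones', 'All Zones') .' --'; ?></td>
-<td><?php echo functions::form_draw_hidden_field('zones['. $key .'][city]', true); ?> <?php echo !empty($_POST['zones'][$key]['city']) ? $_POST['zones'][$key]['city'] : '-- '.language::translate('title_all_cities', 'All Cities') .' --'; ?></td>
+<td><?php echo functions::form_draw_hidden_field('zones['. $key .'][id]', true); ?><?php echo functions::escape_html($_POST['zones'][$key]['id']); ?></td>
+<td><?php echo functions::form_draw_hidden_field('zones['. $key .'][country_code]', true); ?> <?php echo functions::escape_html(reference::country($_POST['zones'][$key]['country_code'])->name); ?></td>
+<td><?php echo functions::form_draw_hidden_field('zones['. $key .'][zone_code]', true); ?> <?php echo !empty($_POST['zones'][$key]['zone_code']) ? functions::escape_html(reference::country($_POST['zones'][$key]['country_code'])->zones[$_POST['zones'][$key]['zone_code']]['name']) : '-- '.language::translate('title_all_zones', 'All Zones') .' --'; ?></td>
+<td><?php echo functions::form_draw_hidden_field('zones['. $key .'][city]', true); ?> <?php echo !empty($_POST['zones'][$key]['city']) ? functions::escape_html($_POST['zones'][$key]['city']) : '-- '.language::translate('title_all_cities', 'All Cities') .' --'; ?></td>
 <td class="text-end"><a class="remove" href="#" title="<?php echo language::translate('title_remove', 'Remove'); ?>"><?php echo functions::draw_fonticon('fa-times-circle fa-lg', 'style="color: #cc3333;"'); ?></a></td>
 </tr>
 <?php } ?>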
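Review bot: On the third added line the POSTed `zone_code` is used directly as an index into `reference::country(...)->zones` after only an `!empty()` check, so a code that is non-empty but not a known zone of that country produces an undefined-index warning and hands `null` to `functions::escape_html()`, which may be a TypeError depending on that helper's signature (not visible here); the `country_code` lookup on the line above has the same exposure if `reference::country()` does not tolerate unknown codes. Checking existence first and falling back to the 'All Zones' label otherwise keeps the escape fix from turning a stale or tampered value into a warning, e.g. `isset(reference::country($_POST['zones'][$key]['country_code'])->zones[$_POST['zones'][$key]['zone_code']]['name'])` as the ternary condition. Validating `country_code`/`zone_code` against the reference data in the POST handler would remove the concern from the template entirely.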

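--- a/public_html/admin/orders.app/edit_order.inc.php
+++ b/public_html/admin/orders.app/edit_order.inc.php
@@ -569,7 +569,7 @@ functions::draw_lightbox();
 <?php echo functions::form_draw_hidden_field('comments['. $key .'][author]', true); ?>
 <?php echo functions::form_draw_hidden_field('comments['. $key .'][text]', true); ?>
 
-<div class="text"><?php echo nl2br($_POST['comments'][$key]['text']); ?></div>
+<div class="text"><?php echo nl2br(functions::escape_html($_POST['comments'][$key]['text'])); ?></div>
 
 <div class="date"><?php echo language::strftime(language::$selected['format_datetime'], !empty($_POST['comments'][$key]['date_created']) ? strtotime($_POST['comments'][$key]['date_created']) : 0); ?></div>
 
@@ -610,7 +610,7 @@ functions::draw_lightbox();
 <?php if (!empty($_POST['items'])) foreach (array_keys($_POST['items']) as $key) { ?>
 <tr class="item">
 <td>
-<?php echo !empty($_POST['items'][$key]['product_id']) ? '<a href="'. document::href_link(WS_DIR_ADMIN, ['app' => 'catalog', 'doc' => 'edit_product', 'product_id' => $_POST['items'][$key]['product_id']]) .'" target="_blank">'. $_POST['items'][$key]['name'] .'</a>' : $_POST['items'][$key]['name']; ?> <?php echo '<a class="float-end" href="'. document::href_ilink('product', ['product_id' => $_POST['items'][$key]['product_id']]) .'" target="_blank">'. functions::draw_fonticon('fa-external-link') .'</a>'; ?>
+<?php echo !empty($_POST['items'][$key]['product_id']) ? '<a href="'. document::href_link(WS_DIR_ADMIN, ['app' => 'catalog', 'doc' => 'edit_product', 'product_id' => $_POST['items'][$key]['product_id']]) .'" target="_blank">'. functions::escape_html($_POST['items'][$key]['name']) .'</a>' : functions::escape_html($_POST['items'][$key]['name']); ?> <?php echo '<a class="float-end" href="'. document::href_ilink('product', ['product_id' => $_POST['items'][$key]['product_id']]) .'" target="_blank">'. functions::draw_fonticon('fa-external-link') .'</a>'; ?>
 <?php echo functions::form_draw_hidden_field('items['.$key.'][id]', true); ?>
 <?php echo functions::form_draw_hidden_field('items['.$key.'][product_id]', true); ?>
 <?php echo functions::form_draw_hidden_field('items['.$key.'][option_stock_combination]', true); ?>
@@ -628,16 +628,16 @@ functions::draw_lightbox();
 if (!empty($_POST['items'][$key]['options'])) {
 foreach (array_keys($_POST['items'][$key]['options']) as $field) {
 echo '<div>' . PHP_EOL
-. ' - '. $field .': ' . PHP_EOL;
+. ' - '. functions::escape_html($field) .': ' . PHP_EOL;
 if (is_array($_POST['items'][$key]['options'][$field])) {
 $use_comma = false;
 foreach (array_keys($_POST['items'][$key]['options'][$field]) as $k) {
-echo ' ' . functions::form_draw_hidden_field('items['.$key.'][options]['.$field.']['.$k.']', true) . $_POST['items'][$key]['options'][$field][$k];
+echo ' ' . functions::form_draw_hidden_field('items['.$key.'][options]['.$field.']['.$k.']', true) . functions::escape_html($_POST['items'][$key]['options'][$field][$k]);
 if ($use_comma) echo ', ';
 $use_comma = true;
 }
 } else {
-echo ' ' . functions::form_draw_hidden_field('items['.$key.'][options]['.$field.']', true) . $_POST['items'][$key]['options'][$field];
+echo ' ' . functions::form_draw_hidden_field('items['.$key.'][options]['.$field.']', true) . functions::escape_html($_POST['items'][$key]['options'][$field]);
 }
 echo '</div>' . PHP_EOL;
 }
@@ -646,12 +646,12 @@ functions::draw_lightbox();
 }
 ?>
 </td>
-<td class="sku"><?php echo $_POST['items'][$key]['sku']; ?></td>
+<td class="sku"><?php echo functions::escape_html($_POST['items'][$key]['sku']); ?></td>
 <td>
-<span class="weight"><?php echo (float)$_POST['items'][$key]['weight']; ?></span> <span class="weight_class"><?php echo $_POST['items'][$key]['weight_class']; ?></span>
+<span class="weight"><?php echo (float)$_POST['items'][$key]['weight']; ?></span> <span class="weight_class"><?php echo functions::escape_html($_POST['items'][$key]['weight_class']); ?></span>
 </td>
 <td>
-<span class="dim_x"><?php echo (float)$_POST['items'][$key]['dim_x']; ?></span> x <span class="dim_y"><?php echo (float)$_POST['items'][$key]['dim_y']; ?></span> x <span class="dim_z"><?php echo (float)$_POST['items'][$key]['dim_z']; ?></span> <span class="dim_class"><?php echo $_POST['items'][$key]['dim_class']; ?></span>
+<span class="dim_x"><?php echo (float)$_POST['items'][$key]['dim_x']; ?></span> x <span class="dim_y"><?php echo (float)$_POST['items'][$key]['dim_y']; ?></span> x <span class="dim_z"><?php echo (float)$_POST['items'][$key]['dim_z']; ?></span> <span class="dim_class"><?php echo functions::escape_html($_POST['items'][$key]['dim_class']); ?></span>
 </td>
 <td><?php echo functions::form_draw_decimal_field('items['. $key .'][quantity]', true, 2); ?></td>
 <td><?php echo functions::form_draw_currency_field($_POST['currency_code'], 'items['. $key .'][price]', true); ?></td>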
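Review bot: In the `@@ -610` hunk the fix escapes the link text, but the two `href` attributes on the same line are still emitted exactly as returned by `document::href_link()` and `document::href_ilink()` with a POSTed `product_id` among their query parameters; whether those helpers URL-encode parameter values and HTML-escape their result is not visible in this diff. If they do not, the returned URL needs `functions::escape_html()` around it just as the text now has, or `product_id` should be validated as an integer before it is passed, since the `(float)` casts in the `@@ -646` hunk show the template already relies on casting for numeric fields. The same question applies to `document::href_link()` in orders.inc.php of this commit, where `$_SERVER['REQUEST_URI']` is placed in `redirect_url`. The enclosing foreach continues past each of these hunks.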

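--- a/public_html/admin/orders.app/orders.inc.php
+++ b/public_html/admin/orders.app/orders.inc.php
@@ -282,7 +282,7 @@
 <td><?php echo functions::draw_fonticon($order['order_status_icon'].' fa-fw', 'style="color: '. $order['order_status_color'] .';"'); ?></td>
 <td><?php echo $order['id']; ?></td>
 <td><?php echo (!empty($order['starred'])) ? functions::draw_fonticon('fa-star', 'style="color: #f2b01e;"') : functions::draw_fonticon('fa-star-o', 'style="color: #ccc;"'); ?></td>
-<td><a href="<?php echo document::href_link('', ['app' => 'orders', 'doc' => 'edit_order', 'order_id' => $order['id'], 'redirect_url' => $_SERVER['REQUEST_URI']]); ?>"><?php echo $order['customer_company'] ? $order['customer_company'] : $order['customer_firstname'] .' '. $order['customer_lastname']; ?><?php echo empty($order['customer_id']) ? ' <em>('. language::translate('title_guest', 'Guest') .')</em>' : ''; ?></a> <span style="opacity: 0.5;"><?php echo $order['customer_tax_id']; ?></span></td>
+<td><a href="<?php echo document::href_link('', ['app' => 'orders', 'doc' => 'edit_order', 'order_id' => $order['id'], 'redirect_url' => $_SERVER['REQUEST_URI']]); ?>"><?php echo functions::escape_html($order['customer_company'] ? $order['customer_company'] : $order['customer_firstname'] .' '. $order['customer_lastname']); ?><?php echo empty($order['customer_id']) ? ' <em>('. language::translate('title_guest', 'Guest') .')</em>' : ''; ?></a> <span style="opacity: 0.5;"><?php echo functions::escape_html($order['customer_tax_id']); ?></span></td>
 <td><?php echo !empty($order['customer_country_code']) ? reference::country($order['customer_country_code'])->name : ''; ?></td>
 <td><?php echo $order['payment_option_name']; ?></td>
 <td class="text-end"><?php echo currency::format($order['payment_due'], false, $order['currency_code'], $order['currency_value']); ?></td>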
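Review bot: Escaping within this table row is now inconsistent: the customer name and tax id on the changed line are wrapped in `functions::escape_html()`, but `$order['payment_option_name']` two lines below and the `reference::country(...)->name` lookup on the line before it are still echoed raw although they are rendered from the same `$order` record. Apply the same wrapper for consistency, `<td><?php echo functions::escape_html($order['payment_option_name']); ?></td>`, and likewise around the country name, as this commit already does for `reference::country(...)->name` in edit_geo_zone.inc.php. The enclosing loop starts and ends outside the hunk.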

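--- a/public_html/admin/reports.app/most_shopping_customers.inc.php
+++ b/public_html/admin/reports.app/most_shopping_customers.inc.php
@@ -106,7 +106,7 @@
 <tbody>
 <?php foreach ($customers as $customer) { ?>
 <tr>
-<td><?php echo !empty($customer['id']) ? '<a href="'. document::link(WS_DIR_ADMIN, ['app' => 'customers', 'doc' => 'edit_customer', 'customer_id' => $customer['id']]) .'">'. $customer['name'] .'</a>' : $customer['name'] .' <em>('. language::translate('title_guest', 'Guest') .')</em>'; ?></td>
+<td><?php echo !empty($customer['id']) ? '<a href="'. document::link(WS_DIR_ADMIN, ['app' => 'customers', 'doc' => 'edit_customer', 'customer_id' => $customer['id']]) .'">'. functions::escape_html($customer['name']) .'</a>' : functions::escape_html($customer['name']) .' <em>('. language::translate('title_guest', 'Guest') .')</em>'; ?></td>
 <td><?php echo $customer['email']; ?></td>
 <td style="text-align: end;"><?php echo currency::format($customer['total_amount'], false, settings::get('store_currency_code')); ?></td>
 </tr>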
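Review bot: `$customer['email']` on the line after the change is still echoed unescaped, although it is customer-supplied data from the same row whose `name` this commit now escapes; change it to `<td><?php echo functions::escape_html($customer['email']); ?></td>`. The `href` built by `document::link()` on the changed line is also emitted as returned, and whether that helper escapes its output is not visible here. The foreach opened in this hunk closes outside it.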

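--- a/public_html/includes/templates/default.catalog/pages/order.inc.php
+++ b/public_html/includes/templates/default.catalog/pages/order.inc.php
@@ -42,7 +42,7 @@
 <div id="comments" class="bubbles">
 <?php foreach ($comments as $comment) { ?>
 <div class="bubble <?php echo $comment['type']; ?>">
-<div class="text"><?php echo nl2br($comment['text']); ?></div>
+<div class="text"><?php echo nl2br(functions::escape_html($comment['text'])); ?></div>
 <div class="date"><?php echo language::strftime(language::$selected['format_datetime'], strtotime($comment['date_created'])); ?></div>
 </div>
 <?php } ?>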
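Review bot: `$comment['type']` on the third context line is still interpolated raw into the `class` attribute while `$comment['text']` on the changed line is now escaped (correctly, before `nl2br()` so the inserted `<br />` tags survive). If `type` is drawn from a fixed set of application values this is harmless, but the template cannot tell, and wrapping it costs nothing: `<div class="bubble <?php echo functions::escape_html($comment['type']); ?>">`. This is the public catalog template, so it renders the same comment data that the admin-side fix in edit_order.inc.php covers, and both views should apply the same rule.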
