* Escape HTML characters
timint committed Jun 15, 2022
1 parent 8c37426 commit 050fea8
Showing 8 changed files with 21 additions and 21 deletions.
2 changes: 1 addition & 1 deletion public_html/admin/catalog.app/edit_category.inc.php
Expand Up @@ -255,7 +255,7 @@
<?php echo functions::form_draw_hidden_field('filters['.$key.'][id]', true); ?>
<?php echo functions::form_draw_hidden_field('filters['.$key.'][attribute_group_id]', true); ?>
<?php echo functions::form_draw_hidden_field('filters['.$key.'][attribute_group_name]', true); ?>
<td class="grabable"><?php echo $_POST['filters'][$key]['attribute_group_name']; ?></td>
<td class="grabable"><?php echo functions::escape_html($_POST['filters'][$key]['attribute_group_name']); ?></td>
<td class="grabable"><?php echo functions::form_draw_checkbox('filters['.$key.'][select_multiple]', '1', true); ?></td>
<td class="text-end">
<a class="move-up" href="#" title="<?php echo language::translate('text_move_up', 'Move up'); ?>"><?php echo functions::draw_fonticon('fa-arrow-circle-up fa-lg', 'style="color: #3399cc;"'); ?></a>
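Review bot: `$key` is an array key taken straight from the submitted `$_POST['filters']` (the `foreach` that defines it sits above the hunk) and is concatenated raw into the `name` argument of `form_draw_hidden_field` on the three hidden-field lines and of `form_draw_checkbox` on the select_multiple cell, while only the displayed cell value gets `functions::escape_html`. Whether those form helpers escape the name they receive is not visible here; if they do not, a non-numeric key in the posted array lands in the attribute unescaped. The same pattern recurs in the other hunks of this commit: `attributes[...]` and `options_stock[...]` in edit_product.inc.php, `zones[...]` in edit_country.inc.php and edit_geo_zone.inc.php, and `items[...]` together with `$field` and `$k` in edit_order.inc.php. Either confirm the helper escapes its `name` argument or normalize the keys before use, e.g. `foreach (array_keys($_POST['filters']) as $key) { $key = (int)$key;` where the keys are meant to be numeric.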
8 changes: 4 additions & 4 deletions public_html/admin/catalog.app/edit_product.inc.php
Expand Up @@ -433,9 +433,9 @@ functions::draw_lightbox();
<?php echo functions::form_draw_hidden_field('attributes['.$key.'][value_id]', true); ?>
<?php echo functions::form_draw_hidden_field('attributes['.$key.'][value_name]', true); ?>
<?php echo functions::form_draw_hidden_field('attributes['.$key.'][custom_value]', true); ?>
<td><?php echo $_POST['attributes'][$key]['group_name']; ?></td>
<td><?php echo $_POST['attributes'][$key]['value_name']; ?></td>
<td><?php echo $_POST['attributes'][$key]['custom_value']; ?></td>
<td><?php echo functions::escape_html($_POST['attributes'][$key]['group_name']); ?></td>
<td><?php echo functions::escape_html($_POST['attributes'][$key]['value_name']); ?></td>
<td><?php echo functions::escape_html($_POST['attributes'][$key]['custom_value']); ?></td>
<td class="text-end"><a class="remove" href="#" title="<?php echo language::translate('title_remove', 'Remove'); ?>"><?php echo functions::draw_fonticon('fa-times-circle fa-lg', 'style="color: #cc3333;"'); ?></a></td>
</tr>
<?php } ?>
Expand Down Expand Up @@ -747,7 +747,7 @@ functions::draw_lightbox();
<tr>
<td><?php echo functions::form_draw_hidden_field('options_stock['.$key.'][id]', true); ?><?php echo functions::form_draw_hidden_field('options_stock['.$key.'][combination]', true); ?>
<?php echo functions::form_draw_hidden_field('options_stock['.$key.'][name]['. language::$selected['name'] .']', true); ?>
<?php echo $_POST['options_stock'][$key]['name'][language::$selected['code']]; ?></td>
<?php echo functions::escape_html($_POST['options_stock'][$key]['name'][language::$selected['code']]); ?></td>
<td><?php echo functions::form_draw_text_field('options_stock['.$key.'][sku]', true); ?></td>
<td>
<div class="input-group">
2 changes: 1 addition & 1 deletion public_html/admin/countries.app/edit_country.inc.php
Expand Up @@ -171,7 +171,7 @@
<tbody>
<?php if (!empty($_POST['zones'])) foreach (array_keys($_POST['zones']) as $key) { ?>
<tr>
<td><?php echo functions::form_draw_hidden_field('zones['. $key .'][id]', true); ?><?php echo $_POST['zones'][$key]['id']; ?></td>
<td><?php echo functions::form_draw_hidden_field('zones['. $key .'][id]', true); ?><?php echo functions::escape_html($_POST['zones'][$key]['id']); ?></td>
<td><?php echo functions::form_draw_text_field('zones['. $key .'][code]', true); ?></td>
<td><?php echo functions::form_draw_text_field('zones['. $key .'][name]', true); ?></td>
<td class="text-end"><a class="remove" href="#" title="<?php echo language::translate('title_remove', 'Remove'); ?>"><?php echo functions::draw_fonticon('fa-times-circle fa-lg', 'style="color: #cc3333;"'); ?></a></td>
8 changes: 4 additions & 4 deletions public_html/admin/geo_zones.app/edit_geo_zone.inc.php
Expand Up @@ -102,10 +102,10 @@
<tbody>
<?php if (!empty($_POST['zones'])) foreach (array_keys($_POST['zones']) as $key) { ?>
<tr>
<td><?php echo functions::form_draw_hidden_field('zones['. $key .'][id]', true); ?><?php echo $_POST['zones'][$key]['id']; ?></td>
<td><?php echo functions::form_draw_hidden_field('zones['. $key .'][country_code]', true); ?> <?php echo reference::country($_POST['zones'][$key]['country_code'])->name; ?></td>
<td><?php echo functions::form_draw_hidden_field('zones['. $key .'][zone_code]', true); ?> <?php echo !empty($_POST['zones'][$key]['zone_code']) ? reference::country($_POST['zones'][$key]['country_code'])->zones[$_POST['zones'][$key]['zone_code']]['name'] : '-- '.language::translate('title_all_zones', 'All Zones') .' --'; ?></td>
<td><?php echo functions::form_draw_hidden_field('zones['. $key .'][city]', true); ?> <?php echo !empty($_POST['zones'][$key]['city']) ? $_POST['zones'][$key]['city'] : '-- '.language::translate('title_all_cities', 'All Cities') .' --'; ?></td>
<td><?php echo functions::form_draw_hidden_field('zones['. $key .'][id]', true); ?><?php echo functions::escape_html($_POST['zones'][$key]['id']); ?></td>
<td><?php echo functions::form_draw_hidden_field('zones['. $key .'][country_code]', true); ?> <?php echo functions::escape_html(reference::country($_POST['zones'][$key]['country_code'])->name); ?></td>
<td><?php echo functions::form_draw_hidden_field('zones['. $key .'][zone_code]', true); ?> <?php echo !empty($_POST['zones'][$key]['zone_code']) ? functions::escape_html(reference::country($_POST['zones'][$key]['country_code'])->zones[$_POST['zones'][$key]['zone_code']]['name']) : '-- '.language::translate('title_all_zones', 'All Zones') .' --'; ?></td>
<td><?php echo functions::form_draw_hidden_field('zones['. $key .'][city]', true); ?> <?php echo !empty($_POST['zones'][$key]['city']) ? functions::escape_html($_POST['zones'][$key]['city']) : '-- '.language::translate('title_all_cities', 'All Cities') .' --'; ?></td>
<td class="text-end"><a class="remove" href="#" title="<?php echo language::translate('title_remove', 'Remove'); ?>"><?php echo functions::draw_fonticon('fa-times-circle fa-lg', 'style="color: #cc3333;"'); ?></a></td>
</tr>
<?php } ?>
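Review bot: The zone-name cell still indexes `reference::country(...)->zones[...]` with the posted `zone_code` without checking that the key exists, so an unknown code produces a PHP notice and an empty cell instead of the `All Zones` fallback; the country-name cell above it likewise dereferences `->name` on whatever `reference::country($_POST['zones'][$key]['country_code'])` returns, which will warn if that helper can return `null` for an unknown code (not visible here). The escaping added on these lines is correct, but the guard should cover the lookup rather than only the presence of the posted code, e.g. `!empty($_POST['zones'][$key]['zone_code']) && isset(reference::country($_POST['zones'][$key]['country_code'])->zones[$_POST['zones'][$key]['zone_code']]['name'])` as the ternary condition. The two `-- … --` fallback strings come from `language::translate` and are the only unescaped output left in the row.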
16 changes: 8 additions & 8 deletions public_html/admin/orders.app/edit_order.inc.php
Expand Up @@ -569,7 +569,7 @@ functions::draw_lightbox();
<?php echo functions::form_draw_hidden_field('comments['. $key .'][author]', true); ?>
<?php echo functions::form_draw_hidden_field('comments['. $key .'][text]', true); ?>

<div class="text"><?php echo nl2br($_POST['comments'][$key]['text']); ?></div>
<div class="text"><?php echo nl2br(functions::escape_html($_POST['comments'][$key]['text'])); ?></div>

<div class="date"><?php echo language::strftime(language::$selected['format_datetime'], !empty($_POST['comments'][$key]['date_created']) ? strtotime($_POST['comments'][$key]['date_created']) : 0); ?></div>

Expand Down Expand Up @@ -610,7 +610,7 @@ functions::draw_lightbox();
<?php if (!empty($_POST['items'])) foreach (array_keys($_POST['items']) as $key) { ?>
<tr class="item">
<td>
<?php echo !empty($_POST['items'][$key]['product_id']) ? '<a href="'. document::href_link(WS_DIR_ADMIN, ['app' => 'catalog', 'doc' => 'edit_product', 'product_id' => $_POST['items'][$key]['product_id']]) .'" target="_blank">'. $_POST['items'][$key]['name'] .'</a>' : $_POST['items'][$key]['name']; ?> <?php echo '<a class="float-end" href="'. document::href_ilink('product', ['product_id' => $_POST['items'][$key]['product_id']]) .'" target="_blank">'. functions::draw_fonticon('fa-external-link') .'</a>'; ?>
<?php echo !empty($_POST['items'][$key]['product_id']) ? '<a href="'. document::href_link(WS_DIR_ADMIN, ['app' => 'catalog', 'doc' => 'edit_product', 'product_id' => $_POST['items'][$key]['product_id']]) .'" target="_blank">'. functions::escape_html($_POST['items'][$key]['name']) .'</a>' : functions::escape_html($_POST['items'][$key]['name']); ?> <?php echo '<a class="float-end" href="'. document::href_ilink('product', ['product_id' => $_POST['items'][$key]['product_id']]) .'" target="_blank">'. functions::draw_fonticon('fa-external-link') .'</a>'; ?>
<?php echo functions::form_draw_hidden_field('items['.$key.'][id]', true); ?>
<?php echo functions::form_draw_hidden_field('items['.$key.'][product_id]', true); ?>
<?php echo functions::form_draw_hidden_field('items['.$key.'][option_stock_combination]', true); ?>
Expand All @@ -628,16 +628,16 @@ functions::draw_lightbox();
if (!empty($_POST['items'][$key]['options'])) {
foreach (array_keys($_POST['items'][$key]['options']) as $field) {
echo '<div>' . PHP_EOL
. ' - '. $field .': ' . PHP_EOL;
. ' - '. functions::escape_html($field) .': ' . PHP_EOL;
if (is_array($_POST['items'][$key]['options'][$field])) {
$use_comma = false;
foreach (array_keys($_POST['items'][$key]['options'][$field]) as $k) {
echo ' ' . functions::form_draw_hidden_field('items['.$key.'][options]['.$field.']['.$k.']', true) . $_POST['items'][$key]['options'][$field][$k];
echo ' ' . functions::form_draw_hidden_field('items['.$key.'][options]['.$field.']['.$k.']', true) . functions::escape_html($_POST['items'][$key]['options'][$field][$k]);
if ($use_comma) echo ', ';
$use_comma = true;
}
} else {
echo ' ' . functions::form_draw_hidden_field('items['.$key.'][options]['.$field.']', true) . $_POST['items'][$key]['options'][$field];
echo ' ' . functions::form_draw_hidden_field('items['.$key.'][options]['.$field.']', true) . functions::escape_html($_POST['items'][$key]['options'][$field]);
}
echo '</div>' . PHP_EOL;
}
Expand All @@ -646,12 +646,12 @@ functions::draw_lightbox();
}
?>
</td>
<td class="sku"><?php echo $_POST['items'][$key]['sku']; ?></td>
<td class="sku"><?php echo functions::escape_html($_POST['items'][$key]['sku']); ?></td>
<td>
<span class="weight"><?php echo (float)$_POST['items'][$key]['weight']; ?></span> <span class="weight_class"><?php echo $_POST['items'][$key]['weight_class']; ?></span>
<span class="weight"><?php echo (float)$_POST['items'][$key]['weight']; ?></span> <span class="weight_class"><?php echo functions::escape_html($_POST['items'][$key]['weight_class']); ?></span>
</td>
<td>
<span class="dim_x"><?php echo (float)$_POST['items'][$key]['dim_x']; ?></span> x <span class="dim_y"><?php echo (float)$_POST['items'][$key]['dim_y']; ?></span> x <span class="dim_z"><?php echo (float)$_POST['items'][$key]['dim_z']; ?></span> <span class="dim_class"><?php echo $_POST['items'][$key]['dim_class']; ?></span>
<span class="dim_x"><?php echo (float)$_POST['items'][$key]['dim_x']; ?></span> x <span class="dim_y"><?php echo (float)$_POST['items'][$key]['dim_y']; ?></span> x <span class="dim_z"><?php echo (float)$_POST['items'][$key]['dim_z']; ?></span> <span class="dim_class"><?php echo functions::escape_html($_POST['items'][$key]['dim_class']); ?></span>
</td>
<td><?php echo functions::form_draw_decimal_field('items['. $key .'][quantity]', true, 2); ?></td>
<td><?php echo functions::form_draw_currency_field($_POST['currency_code'], 'items['. $key .'][price]', true); ?></td>
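Review bot: In the option-value loop the separator is emitted after the value — `if ($use_comma) echo ', ';` runs only once the current value has already been printed — so a multi-valued option renders as `a b, c, ` with a trailing comma and no comma after the first entry. Moving the check above the echo fixes the ordering: first `if ($use_comma) echo ', ';`, then the `echo ' ' . functions::form_draw_hidden_field(...) . functions::escape_html(...);` line, then `$use_comma = true;`. The escaping itself is applied in the right places, including `escape_html` inside `nl2br` for the comment text rather than the other way round. This loop sits inside a `<?php` block whose opening is above the hunk, and the enclosing `foreach` over `$_POST['items']` begins in the earlier hunk of this file.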
2 changes: 1 addition & 1 deletion public_html/admin/orders.app/orders.inc.php
Expand Up @@ -282,7 +282,7 @@
<td><?php echo functions::draw_fonticon($order['order_status_icon'].' fa-fw', 'style="color: '. $order['order_status_color'] .';"'); ?></td>
<td><?php echo $order['id']; ?></td>
<td><?php echo (!empty($order['starred'])) ? functions::draw_fonticon('fa-star', 'style="color: #f2b01e;"') : functions::draw_fonticon('fa-star-o', 'style="color: #ccc;"'); ?></td>
<td><a href="<?php echo document::href_link('', ['app' => 'orders', 'doc' => 'edit_order', 'order_id' => $order['id'], 'redirect_url' => $_SERVER['REQUEST_URI']]); ?>"><?php echo $order['customer_company'] ? $order['customer_company'] : $order['customer_firstname'] .' '. $order['customer_lastname']; ?><?php echo empty($order['customer_id']) ? ' <em>('. language::translate('title_guest', 'Guest') .')</em>' : ''; ?></a> <span style="opacity: 0.5;"><?php echo $order['customer_tax_id']; ?></span></td>
<td><a href="<?php echo document::href_link('', ['app' => 'orders', 'doc' => 'edit_order', 'order_id' => $order['id'], 'redirect_url' => $_SERVER['REQUEST_URI']]); ?>"><?php echo functions::escape_html($order['customer_company'] ? $order['customer_company'] : $order['customer_firstname'] .' '. $order['customer_lastname']); ?><?php echo empty($order['customer_id']) ? ' <em>('. language::translate('title_guest', 'Guest') .')</em>' : ''; ?></a> <span style="opacity: 0.5;"><?php echo functions::escape_html($order['customer_tax_id']); ?></span></td>
<td><?php echo !empty($order['customer_country_code']) ? reference::country($order['customer_country_code'])->name : ''; ?></td>
<td><?php echo $order['payment_option_name']; ?></td>
<td class="text-end"><?php echo currency::format($order['payment_due'], false, $order['currency_code'], $order['currency_value']); ?></td>
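Review bot: The row still echoes `$order['payment_option_name']` and `reference::country($order['customer_country_code'])->name` raw in the two cells directly below the newly escaped customer name, and `$order['order_status_color']` is interpolated into a `style` attribute on the first line of the hunk; if any of those values can carry user-supplied text they need the same treatment this commit applies elsewhere, e.g. `<td><?php echo functions::escape_html($order['payment_option_name']); ?></td>`. The same partial coverage appears in the two hunks whose file names are not shown on this page: `$customer['email']` is echoed unescaped beside the escaped `$customer['name']`, and `$comment['type']` goes into a `class` attribute unescaped while `$comment['text']` is escaped. Whether `document::href_link` escapes the `$_SERVER['REQUEST_URI']` it receives as `redirect_url` for the `href` attribute is not visible here and is worth confirming. Note also that `$order['customer_company'] ? … : …` tests truthiness, so a company named `0` falls back to the personal name.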
Expand Up @@ -106,7 +106,7 @@
<tbody>
<?php foreach ($customers as $customer) { ?>
<tr>
<td><?php echo !empty($customer['id']) ? '<a href="'. document::link(WS_DIR_ADMIN, ['app' => 'customers', 'doc' => 'edit_customer', 'customer_id' => $customer['id']]) .'">'. $customer['name'] .'</a>' : $customer['name'] .' <em>('. language::translate('title_guest', 'Guest') .')</em>'; ?></td>
<td><?php echo !empty($customer['id']) ? '<a href="'. document::link(WS_DIR_ADMIN, ['app' => 'customers', 'doc' => 'edit_customer', 'customer_id' => $customer['id']]) .'">'. functions::escape_html($customer['name']) .'</a>' : functions::escape_html($customer['name']) .' <em>('. language::translate('title_guest', 'Guest') .')</em>'; ?></td>
<td><?php echo $customer['email']; ?></td>
<td style="text-align: end;"><?php echo currency::format($customer['total_amount'], false, settings::get('store_currency_code')); ?></td>
</tr>
Expand Up @@ -42,7 +42,7 @@
<div id="comments" class="bubbles">
<?php foreach ($comments as $comment) { ?>
<div class="bubble <?php echo $comment['type']; ?>">
<div class="text"><?php echo nl2br($comment['text']); ?></div>
<div class="text"><?php echo nl2br(functions::escape_html($comment['text'])); ?></div>
<div class="date"><?php echo language::strftime(language::$selected['format_datetime'], strtotime($comment['date_created'])); ?></div>
</div>
<?php } ?>
