
Escape variables in core
Jamie Snape committed Dec 8, 2014
1 parent b1f67b9 commit 0a6ffd8
Showing 59 changed files with 503 additions and 622 deletions.
14 changes: 7 additions & 7 deletions core/AppController.php
Expand Up @@ -250,33 +250,33 @@ public function preDispatch()
if ($this->logged) {
$this->addDynamicHelp(
'#startingGuideLink',
'Show the <b>Starting Guide</b>. You can disable these messages from this panel.'
'Show the Starting Guide. You can disable these messages from this panel.'
);
} else {
$this->addDynamicHelp(
'.HeaderLogo',
'The <b>Midas Platform</b> integrates multimedia server technology with open-source data analysis and visualization clients.'
'The Midas Platform integrates multimedia server technology with open-source data analysis and visualization clients.'
);
}

$this->addDynamicHelp(
'.HeaderSearch',
'<b>Quick search</b>. Use this tool to quickly find information and data.'
'Quick search. Use this tool to quickly find information and data.'
);
$this->addDynamicHelp('li.uploadFile a', '<b>Upload</b> files, data using this button.');
$this->addDynamicHelp('li.uploadFile a', 'Upload files, data using this button.');

if ($this->logged) {
$this->addDynamicHelp('#topUserName', '<b>Manage</b> your information.', 'bottom left', 'top right');
$this->addDynamicHelp('#topUserName', 'Manage your information.', 'bottom left', 'top right');
} else {
$this->addDynamicHelp(
'.registerLink',
'<b>Register</b> to create your personal space.',
'Register to create your personal space.',
'bottom left',
'top right'
);
}

$this->addDynamicHelp('.SideBar ul:first', '<b>Navigation menu</b>. Browse, explore and manage data.');
$this->addDynamicHelp('.SideBar ul:first', 'Navigation menu. Browse, explore and manage data.');
}

Zend_Loader::loadClass('JsonComponent', BASE_PATH.'/core/controllers/components');
12 changes: 6 additions & 6 deletions core/controllers/AdminController.php
Expand Up @@ -416,15 +416,15 @@ public function serversidefilechooserAction()
)
) {
if (is_dir($_POST['dir'].$file)) {
echo "<li class=\"directory collapsed\"><a href=\"#\" rel=\"".htmlentities(
$_POST['dir'].$file
)."/\">".htmlentities($file)."</a></li>";
echo "<li class=\"directory collapsed\"><a href=\"#\" rel=\"".htmlspecialchars(
$_POST['dir'].$file, ENT_QUOTES, 'UTF-8'
)."/\">".htmlspecialchars($file, ENT_QUOTES, 'UTF-8')."</a></li>";
} else {
// not a directory: a file!
$ext = preg_replace('/^.*\./', '', $file);
echo "<li class=\"file ext_".$ext."\"><a href=\"#\" rel=\"".htmlentities(
$_POST['dir'].$file
)."\">".htmlentities($file)."</a></li>";
echo "<li class=\"file ext_".$ext."\"><a href=\"#\" rel=\"".htmlspecialchars(
$_POST['dir'].$file, ENT_QUOTES, 'UTF-8'
)."\">".htmlspecialchars($file, ENT_QUOTES, 'UTF-8')."</a></li>";
}
}
}
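Review bot: `$ext` on the new line `echo "<li class=\"file ext_".$ext."\">…` is still interpolated into the class attribute unescaped, even though it is derived from the same filename that is now escaped two tokens later; a filename whose extension contains `"` or `>` breaks out of the attribute. Escape it like the other values, at the line that computes it: `$ext = htmlspecialchars(preg_replace('/^.*\./', '', $file), ENT_QUOTES, 'UTF-8');`. Separately, output escaping does not constrain which directory `$_POST['dir']` may point to; whether serversidefilechooserAction restricts that path is not visible here, as the function starts above the hunk.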
4 changes: 2 additions & 2 deletions core/controllers/CommunityController.php
Expand Up @@ -303,7 +303,7 @@ public function indexAction()

$this->addDynamicHelp(
'.communityList:first',
'List of current projects/communities hosted on MIDAS.',
'List of current projects/communities hosted on Midas.',
'top right',
'bottom left'
);
Expand Down Expand Up @@ -402,7 +402,7 @@ public function viewAction()

$this->view->title .= ' - '.$communityDao->getName();
$this->view->metaDescription = substr(
UtilityComponent::markdown($communityDao->getDescription()),
UtilityComponent::markdown(htmlspecialchars($communityDao->getDescription(), ENT_QUOTES, 'UTF-8')),
0,
160
);
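Review bot: `substr(..., 0, 160)` on the new `metaDescription` line truncates the escaped, markdown-rendered description byte-wise, so it can cut an entity such as `&quot;` or a tag emitted by the markdown renderer in half and can split a multi-byte UTF-8 character, leaving malformed text in the meta description. Escaping before the markdown pass also means any HTML the renderer emits (a `<p>` wrapper, for instance) survives into `metaDescription`, and if the view escapes that property again the text is double-encoded; how the view renders it is not visible here. Truncating plain text avoids both problems: `$this->view->metaDescription = mb_substr(strip_tags(UtilityComponent::markdown($communityDao->getDescription())), 0, 160, 'UTF-8');`, with escaping left to the point where the value is written into the page.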
2 changes: 1 addition & 1 deletion core/controllers/FeedController.php
Expand Up @@ -61,7 +61,7 @@ public function indexAction()

$this->addDynamicHelp(
'.feedContainer',
'The <b>Feed</b> shows recent actions and events.',
'The Feed shows recent actions and events.',
'top right',
'bottom left'
);
27 changes: 3 additions & 24 deletions core/controllers/IndexController.php
Expand Up @@ -18,33 +18,12 @@
limitations under the License.
=========================================================================*/

/**
* IndexController
* Index Controller
*/
/** Index controller. */
class IndexController extends AppController
{
public $_models = array('Item');
public $_daos = array();
public $_components = array();

/**
* Index Action (first action when we access the application)
*/
/** Index action. */
public function indexAction()
{
$this->redirect("/feed");
}

/** no javascript */
public function nojsAction()
{
$this->disableLayout();
}

/** no valid browser */
public function nobrowserAction()
{
$this->disableLayout();
$this->redirect('/community');
}
}
56 changes: 28 additions & 28 deletions core/controllers/components/NotifyErrorComponent.php
Expand Up @@ -47,8 +47,8 @@ public function fatalError($logger)
switch ($environment) {
case 'production':
$message = "The system has encountered the following error:<br/><h3>";
$message .= $e['message']."<br/>";
$message .= "In ".$e['file'].", line: ".$e['line']."<br/>";
$message .= htmlspecialchars($e['message'], ENT_QUOTES, 'UTF-8')."<br/>";
$message .= "In ".htmlspecialchars($e['file'], ENT_QUOTES, 'UTF-8').", line: ".htmlspecialchars($e['line'], ENT_QUOTES, 'UTF-8')."<br/>";
$message .= "At ".date("H:i:s Y-m-d")."</h3><br/>";
$message .= "Please notify your administrator with this information.<br/>";
if ($e['type'] == E_NOTICE) {
Expand Down Expand Up @@ -123,14 +123,14 @@ public function warningError($errno, $errstr, $errfile, $errline)
{
if ($errno == E_WARNING && Zend_Registry::get('configGlobal')->environment != 'production'
) {
$message = "Warning: ".$errstr."<br/>\n on line ".$errline." in file ".$errfile."<br/>\n";
$message = "Warning: ".htmlspecialchars($errstr, ENT_QUOTES, 'UTF-8')."<br/>\n on line ".htmlspecialchars($errline, ENT_QUOTES, 'UTF-8')." in file ".htmlspecialchars($errfile, ENT_QUOTES, 'UTF-8')."<br/>\n";
$this->getLogger()->warn($message);
echo $message;
}

if ($errno == E_NOTICE && Zend_Registry::get('configGlobal')->environment != 'production'
) {
$message = "Notice : ".$errstr."<br/>\non line ".$errline." in file ".$errfile."<br/>\n";
$message = "Notice : ".htmlspecialchars($errstr, ENT_QUOTES, 'UTF-8')."<br/>\non line ".htmlspecialchars($errline, ENT_QUOTES, 'UTF-8')." in file ".htmlspecialchars($errfile, ENT_QUOTES, 'UTF-8')."<br/>\n";
$this->getLogger()->warn($message);
echo $message;
}
Expand Down Expand Up @@ -160,36 +160,36 @@ public function curPageURL()
public function getFatalErrorMessage($e)
{
$message = "Fatal Error: ";
$message .= print_r($e, true);
$message .= htmlspecialchars(print_r($e, true), ENT_QUOTES, 'UTF-8');
$message .= "\n\n";
$message .= "URL: ".$this->curPageURL();
$message .= "URL: ".htmlspecialchars($this->curPageURL(), ENT_QUOTES, 'UTF-8');
$message .= "\n\n";
if (!empty($this->_server['SERVER_ADDR'])) {
$message .= "Server IP: ".$this->_server['SERVER_ADDR']."\n";
$message .= "Server IP: ".htmlspecialchars($this->_server['SERVER_ADDR'], ENT_QUOTES, 'UTF-8')."\n";
}

if (!empty($this->_server['HTTP_USER_AGENT'])) {
$message .= "User agent: ".$this->_server['HTTP_USER_AGENT']."\n";
$message .= "User agent: ".htmlspecialchars($this->_server['HTTP_USER_AGENT'], ENT_QUOTES, 'UTF-8')."\n";
}

if (!empty($this->_server['HTTP_X_REQUESTED_WITH'])) {
$message .= "Request type: ".$this->_server['HTTP_X_REQUESTED_WITH']."\n";
$message .= "Request type: ".htmlspecialchars($this->_server['HTTP_X_REQUESTED_WITH'], ENT_QUOTES, 'UTF-8')."\n";
}

$message .= "Server time: ".date('Y-m-d H:i:s')."\n";

if (!empty($this->_server['HTTP_REFERER'])) {
$message .= "Referer: ".$this->_server['HTTP_REFERER']."\n";
$message .= "Referer: ".htmlspecialchars($this->_server['HTTP_REFERER'], ENT_QUOTES, 'UTF-8')."\n";
}
$message .= "Parameters (post): Array\n(\n";
foreach ($_POST as $key => $value) {
if (strpos(strtolower($key), 'password') !== false) {
$message .= ' ['.$key."] => --redacted--\n";
$message .= ' ['.htmlspecialchars($key, ENT_QUOTES, 'UTF-8')."] => --redacted--\n";
} else {
$message .= ' ['.$key.'] => '.$value."\n";
$message .= ' ['.htmlspecialchars($key, ENT_QUOTES, 'UTF-8').'] => '.htmlspecialchars($value, ENT_QUOTES, 'UTF-8')."\n";
}
}
$message .= ")\nParameters (get): ".print_r($_GET, true)."\n\n";
$message .= ")\nParameters (get): ".htmlspecialchars(print_r($_GET, true), ENT_QUOTES, 'UTF-8')."\n\n";

return $message;
}
Expand All @@ -200,36 +200,36 @@ public function getFullErrorMessage()
$message = '';

if (!empty($this->_server['SERVER_ADDR'])) {
$message .= "Server IP: ".$this->_server['SERVER_ADDR']."\n";
$message .= "Server IP: ".htmlspecialchars($this->_server['SERVER_ADDR'], ENT_QUOTES, 'UTF-8')."\n";
}
if (!empty($this->_server['REMOTE_ADDR'])) {
$message .= "Client IP: ".$this->_server['REMOTE_ADDR']."\n";
$message .= "Client IP: ".htmlspecialchars($this->_server['REMOTE_ADDR'], ENT_QUOTES, 'UTF-8')."\n";
}

if (!empty($this->_server['HTTP_USER_AGENT'])) {
$message .= "User agent: ".$this->_server['HTTP_USER_AGENT']."\n";
$message .= "User agent: ".htmlspecialchars($this->_server['HTTP_USER_AGENT'], ENT_QUOTES, 'UTF-8')."\n";
}

if (!empty($this->_server['HTTP_X_REQUESTED_WITH'])) {
$message .= "Request type: ".$this->_server['HTTP_X_REQUESTED_WITH']."\n";
$message .= "Request type: ".htmlspecialchars($this->_server['HTTP_X_REQUESTED_WITH'], ENT_QUOTES, 'UTF-8')."\n";
}

$message .= "Server time: ".date('Y-m-d H:i:s')."\n";
$message .= "RequestURI: ".$this->_error->request->getRequestUri()."\n";
$message .= "RequestURI: ".htmlspecialchars($this->_error->request->getRequestUri(), ENT_QUOTES, 'UTF-8')."\n";

if (!empty($this->_server['HTTP_REFERER'])) {
$message .= "Referer: ".$this->_server['HTTP_REFERER']."\n";
$message .= "Referer: ".htmlspecialchars($this->_server['HTTP_REFERER'], ENT_QUOTES, 'UTF-8')."\n";
}

$message .= "<b>Message: ".$this->_error->exception->getMessage()."</b>\n\n";
$message .= "Trace:\n".$this->_error->exception->getTraceAsString()."\n\n";
$message .= "Request data: ".var_export($this->_error->request->getParams(), true)."\n\n";
$message .= "<b>Message: ".htmlspecialchars($this->_error->exception->getMessage(), ENT_QUOTES, 'UTF-8')."</b>\n\n";
$message .= "Trace:\n".htmlspecialchars($this->_error->exception->getTraceAsString(), ENT_QUOTES, 'UTF-8')."\n\n";
$message .= "Request data: ".htmlspecialchars(var_export($this->_error->request->getParams(), true), ENT_QUOTES, 'UTF-8')."\n\n";

$it = $this->_session->getIterator();

$message .= "Session data:\n";
foreach ($it as $key => $value) {
$message .= $key.": ".var_export($value, true)."\n";
$message .= htmlspecialchars($key, ENT_QUOTES, 'UTF-8').": ".htmlspecialchars(var_export($value, true), ENT_QUOTES, 'UTF-8')."\n";
}
$message .= "\n";

Expand All @@ -243,15 +243,15 @@ public function getShortErrorMessage()
switch ($this->_environment) {
case 'production':
$message = "The system has encountered the following error:<br/><h3>";
$message .= $this->_error->exception->getMessage()."<br/>";
$message .= "In ".$this->_error->exception->getFile().", line: ".$this->_error->exception->getLine(
)."<br/>";
$message .= htmlspecialchars($this->_error->exception->getMessage(), ENT_QUOTES, 'UTF-8')."<br/>";
$message .= "In ".htmlspecialchars($this->_error->exception->getFile(), ENT_QUOTES, 'UTF-8').", line: ".htmlspecialchars($this->_error->exception->getLine(
), ENT_QUOTES, 'UTF-8')."<br/>";
$message .= "At ".date("H:i:s Y-m-d")."</h3><br/>";
$message .= "Please notify your administrator with this information.<br/>";
break;
default:
$message .= "Message: ".$this->_error->exception->getMessage()."\n\n";
$message .= "Trace:\n".$this->_error->exception->getTraceAsString()."\n\n";
$message .= "Message: ".htmlspecialchars($this->_error->exception->getMessage(), ENT_QUOTES, 'UTF-8')."\n\n";
$message .= "Trace:\n".htmlspecialchars($this->_error->exception->getTraceAsString(), ENT_QUOTES, 'UTF-8')."\n\n";
}

return $message;
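Review bot: In getFullErrorMessage the `Request data:` line dumps `$this->_error->request->getParams()` through var_export, and the loop below it dumps every session value, with no redaction, so a submitted password lands in the error report even though getFatalErrorMessage redacts any POST key containing `password`. The same redaction should be applied to the request params before they are exported, using the same loop shape as getFatalErrorMessage. Note also that these messages are both logged (`$this->getLogger()->warn($message)` in warningError) and echoed, so HTML-escaping at construction time puts `&#039;` and `&quot;` into plain-text logs; escaping at the HTML output point would keep the logged text readable. The production branches of fatalError and getShortErrorMessage still reveal the internal message and server file path to the end user, which this commit does not change.
```php
$message .= "Request data: Array\n(\n";
foreach ($this->_error->request->getParams() as $key => $value) {
    if (strpos(strtolower($key), 'password') !== false) {
        $message .= ' ['.htmlspecialchars($key, ENT_QUOTES, 'UTF-8')."] => --redacted--\n";
    } else {
        $message .= ' ['.htmlspecialchars($key, ENT_QUOTES, 'UTF-8').'] => '.htmlspecialchars(var_export($value, true), ENT_QUOTES, 'UTF-8')."\n";
    }
}
$message .= ")\n\n";
// … unchanged: session data dump …
```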
2 changes: 1 addition & 1 deletion core/controllers/components/UtilityComponent.php
Expand Up @@ -59,7 +59,7 @@ public function toXml($data, $rootNodeName = 'data', $xml = null)
$this->toXml($value, $rootNodeName, $node);
} else {
// add single node.
$value = htmlentities($value);
$value = htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
$xml->addChild($key, $value);
}
}
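Review bot: `htmlspecialchars($value, ENT_QUOTES, 'UTF-8')` returns an empty string when `$value` is not valid UTF-8, so a scalar containing a stray byte is silently emitted as an empty element instead of being reported. If the project runs on PHP 5.4 or later, `ENT_QUOTES | ENT_SUBSTITUTE` keeps the value with the bad sequence replaced by U+FFFD: `$value = htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');`. `$key` is still passed to addChild as the element name without validation; whether numeric or otherwise invalid keys are handled is not visible, as toXml starts above the hunk.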
18 changes: 9 additions & 9 deletions core/views/admin/dashboard.phtml
Expand Up @@ -23,22 +23,22 @@

<?php
foreach ($this->dashboard as $module => $dasboard) {
echo "<h3>".ucfirst($module)."</h3>";
echo "<table>";
echo '<h3>'.ucfirst($this->escape($module)).'</h3>';
echo '<table>';
foreach ($dasboard as $name => $status) {
echo "<tr>";
echo " <td>$name </td>";
echo '<tr>';
echo '<td>'.$this->escape($name).'</td>';
if ($status[0]) {
echo " <td><img src='{$this->coreWebroot}/public/images/icons/ok.png' /></td>";
echo '<td><img src="'.$this->coreWebroot.'/public/images/icons/ok.png" /></td>';
} else {
echo " <td><img src='{$this->coreWebroot}/public/images/icons/nok.png' /></td>";
echo '<td><img src="'.$this->coreWebroot.'public/images/icons/nok.png" /></td>';
}
if (isset($status[1])) {
echo " <td>$status[1]</td>";
echo '<td>'.$this->escape($status[1]).'</td>';
}
echo "</tr>";
echo '</tr>';
}
echo "</table>";
echo '</table>';
}
?>

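Review bot: The new `nok.png` line drops the `/` between `$this->coreWebroot` and `public`, so the failure icon's `src` loses its path separator and will not resolve, while the `ok.png` line two lines above keeps it. Restore the slash, and since `coreWebroot` now sits inside a double-quoted attribute it can be escaped like the other values on this page: `echo '<td><img src="'.$this->escape($this->coreWebroot).'/public/images/icons/nok.png" /></td>';`. This presumes `$this->escape` is the view's HTML escaper, which is not visible here.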
