Escape variables in packages module

Jamie Snape · Jamie Snape · commit 4a1b9685835f · 2014-12-08T09:20:03.000-05:00
diff --git a/modules/packages/views/application/latest.phtml b/modules/packages/views/application/latest.phtml
@@ -32,8 +32,8 @@ $this->headScript()->appendFile($this->moduleWebroot.'/public/js/application/pac
         <div id="platformList" style="display: none;">
             <?php
             foreach ($this->platforms as $platform) {
-                echo '<h3 os="'.$platform['os'].'" arch="'.$platform['arch'].'"><a href="#"></a></h3>';
-                echo '<div class="platformContainer" os="'.$platform['os'].'" arch="'.$platform['arch'].'">';
+                echo '<h3 os="'.$this->escape($platform['os']).'" arch="'.$this->escape($platform['arch']).'"><a href="#"></a></h3>';
+                echo '<div class="platformContainer" os="'.$this->escape($platform['os']).'" arch="'.$this->escape($platform['arch']).'">';
                 echo '</div>';
             }
             ?>
diff --git a/modules/packages/views/application/view.phtml b/modules/packages/views/application/view.phtml
@@ -28,11 +28,11 @@ $this->headScript()->appendFile($this->moduleWebroot.'/public/js/application/pac
 <div class="viewMain">
     <div class="titleWrapper">
         <div class="applicationName">
-            <?php echo $this->application->getName(); ?>
+            <?php echo $this->escape($this->application->getName()); ?>
         </div>
         <?php
         if ($this->application->getDescription() != '') {
-            echo '<div class="applicationDescription">'.$this->application->getDescription().'</div>';
+            echo '<div class="applicationDescription">'.$this->escape($this->application->getDescription()).'</div>';
         }
         ?>
     </div>
@@ -41,8 +41,8 @@ $this->headScript()->appendFile($this->moduleWebroot.'/public/js/application/pac
         <div id="packageList" style="display: none;">
             <?php
             foreach ($this->releases as $release) {
-                echo '<h3><a href="#">Version '.$release.'</a></h3>';
-                echo '<div class="releaseEntry" element="'.$release.'">';
+                echo '<h3><a href="#">Version '.$this->escape($release).'</a></h3>';
+                echo '<div class="releaseEntry" element="'.$this->escape($release).'">';
                 echo '</div>';
             }
             ?>
@@ -74,8 +74,8 @@ $this->headScript()->appendFile($this->moduleWebroot.'/public/js/application/pac
         <h1>Actions</h1>
         <ul>
             <li>
-                <a href="<?php echo $this->webroot; ?>/packages/application/latest?applicationId=<?php echo $this->application->getKey(
-                ); ?>">
+                <a href="<?php echo $this->webroot; ?>/packages/application/latest?applicationId=<?php echo $this->escape($this->application->getKey(
+                )); ?>">
                     <img alt="" src="<?php echo $this->coreWebroot; ?>/public/images/icons/time.png"/>
                     Latest nightly packages
                 </a>
@@ -102,18 +102,18 @@ $this->headScript()->appendFile($this->moduleWebroot.'/public/js/application/pac
             <tr>
                 <td>Name</td>
                 <td>
-                    <input type="text" name="name" value="<?php echo $this->application->getName(); ?>"/>
+                    <input type="text" name="name" value="<?php echo $this->escape($this->application->getName()); ?>"/>
                 </td>
             </tr>
             <tr>
                 <td>Description</td>
                 <td>
-                    <textarea class="expanding" name="description"><?php echo htmlentities(
+                    <textarea class="expanding" name="description"><?php echo $this->escape(
                             $this->application->getDescription()
                         ); ?></textarea></td>
             </tbody>
         </table>
-        <input type="hidden" name="applicationId" value="<?php echo $this->application->getKey(); ?>"/>
+        <input type="hidden" name="applicationId" value="<?php echo $this->escape($this->application->getKey()); ?>"/>
         <input type="submit" class="globalButton" value="Save"/>
     </form>
 </div>
@@ -126,7 +126,7 @@ $this->headScript()->appendFile($this->moduleWebroot.'/public/js/application/pac
             will be deleted, but the underlying item data will remain in place.
         </div>
         <br/><br/>
-        <input type="hidden" name="applicationId" value="<?php echo $this->application->getKey(); ?>"/>
+        <input type="hidden" name="applicationId" value="<?php echo $this->escape($this->application->getKey()); ?>"/>
 
         <div style="float: right;">
             <input style="margin-left: 0;" type="submit" class="globalButton" value="Delete"/>
diff --git a/modules/packages/views/index/viewsidebar.phtml b/modules/packages/views/index/viewsidebar.phtml
@@ -25,7 +25,7 @@
         <h1>Stats</h1>
         <ul>
             <?php
-            echo "  <li>{$this->nPackages} {$this->t('package')}".(($this->nPackages > 1) ? 's' : '')."</li>";
+            echo "  <li>{$this->escape($this->nPackages)} {$this->t('package')}".(($this->nPackages > 1) ? 's' : '')."</li>";
             ?>
         </ul>
     </div>
diff --git a/modules/packages/views/package/manage.phtml b/modules/packages/views/package/manage.phtml
@@ -26,8 +26,8 @@ $this->headScript()->appendFile($this->moduleWebroot.'/public/js/package/package
 <div class="viewMain">
     <div class="headerSection">
         <h2>Package Metadata</h2>
-        <a href="<?php echo $this->webroot.'/item/'.$this->package->getItem()->getKey(); ?>">
-            <?php echo $this->package->getItem()->getName(); ?>
+        <a href="<?php echo $this->webroot.'/item/'.$this->escape($this->package->getItem()->getKey()); ?>">
+            <?php echo $this->escape($this->package->getItem()->getName()); ?>
         </a>
     </div>
     <form class="genericForm packageEdit" method="POST" action="<?php echo $this->webroot; ?>/packages/package/save">
@@ -36,62 +36,62 @@ $this->headScript()->appendFile($this->moduleWebroot.'/public/js/package/package
             <tr>
                 <td>OS</td>
                 <td>
-                    <input type="text" name="os" value="<?php echo $this->package->getOs(); ?>"/>
+                    <input type="text" name="os" value="<?php echo $this->escape($this->package->getOs()); ?>"/>
                 </td>
             </tr>
             <tr>
                 <td>Architecture</td>
                 <td>
-                    <input type="text" name="arch" value="<?php echo $this->package->getArch(); ?>"/>
+                    <input type="text" name="arch" value="<?php echo $this->escape($this->package->getArch()); ?>"/>
                 </td>
             </tr>
             <tr>
                 <td>Revision</td>
                 <td>
-                    <input type="text" name="revision" value="<?php echo $this->package->getRevision(); ?>"/>
+                    <input type="text" name="revision" value="<?php echo $this->escape($this->package->getRevision()); ?>"/>
                 </td>
             </tr>
             <tr>
                 <td>Submission Type</td>
                 <td>
                     <input type="text" name="submissiontype"
-                           value="<?php echo $this->package->getSubmissiontype(); ?>"/>
+                           value="<?php echo $this->escape($this->package->getSubmissiontype()); ?>"/>
                 </td>
             </tr>
             <tr>
                 <td>Package Type</td>
                 <td>
-                    <input type="text" name="packagetype" value="<?php echo $this->package->getPackagetype(); ?>"/>
+                    <input type="text" name="packagetype" value="<?php echo $this->escape($this->package->getPackagetype()); ?>"/>
                 </td>
             </tr>
             <tr>
                 <td>Product Name</td>
                 <td>
-                    <input type="text" name="productname" value="<?php echo $this->package->getProductname(); ?>"/>
+                    <input type="text" name="productname" value="<?php echo$this->escape($this->package->getProductname()); ?>"/>
                 </td>
             </tr>
             <tr>
                 <td>Codebase</td>
                 <td>
-                    <input type="text" name="codebase" value="<?php echo $this->package->getCodebase(); ?>"/>
+                    <input type="text" name="codebase" value="<?php echo $this->escape($this->package->getCodebase()); ?>"/>
                 </td>
             </tr>
             <tr>
                 <td>Checkout Date</td>
                 <td>
-                    <input type="text" name="checkoutdate" value="<?php echo $this->package->getCheckoutdate(); ?>"/>
+                    <input type="text" name="checkoutdate" value="<?php echo $this->escape($this->package->getCheckoutdate()); ?>"/>
                 </td>
             </tr>
             <tr>
                 <td>Release Tag</td>
                 <td>
-                    <input type="text" name="release" value="<?php echo $this->package->getRelease(); ?>"/>
+                    <input type="text" name="release" value="<?php echo $this->escape($this->package->getRelease()); ?>"/>
                 </td>
             </tr>
             </tbody>
         </table>
         <br/>
-        <input type="hidden" name="packageId" value="<?php echo $this->package->getKey(); ?>"/>
+        <input type="hidden" name="packageId" value="<?php echo $this->escape($this->package->getKey()); ?>"/>
         <input class="globalButton" type="submit" value="Save"/>
     </form>
 </div>
diff --git a/modules/packages/views/view/project.phtml b/modules/packages/views/view/project.phtml
@@ -26,7 +26,7 @@
       href="<?php echo $this->moduleWebroot ?>/public/css/view/packages.view.project.css"/>
 
 <div class="packagesTabWrapper">
-    <div class="introText">The <?php echo $this->community->getName(); ?> project hosts packages for the following
+    <div class="introText">The <?php echo $this->escape($this->community->getName()); ?> project hosts packages for the following
         applications:
     </div>
 
@@ -38,11 +38,11 @@
 
         foreach ($this->applications as $application) {
             echo '<div class="applicationContainer">';
-            echo '<a class="applicationLink" href="'.$this->webroot.'/packages/application/view?applicationId='.$application->getKey(
-                ).'">';
-            echo $application->getName().'</a>';
+            echo '<a class="applicationLink" href="'.$this->webroot.'/packages/application/view?applicationId='.$this->escape($application->getKey(
+                )).'">';
+            echo $this->escape($application->getName()).'</a>';
             if ($application->getDescription() != '') {
-                echo '<div class="applicationDescription">'.$application->getDescription().'</div>';
+                echo '<div class="applicationDescription">'.$this->escape($application->getDescription()).'</div>';
             }
             echo '</div>';
         }
@@ -75,7 +75,7 @@
                 </td>
             </tbody>
         </table>
-        <input type="hidden" name="projectId" value="<?php echo $this->project->getKey(); ?>"/>
+        <input type="hidden" name="projectId" value="<?php echo $this->escape($this->project->getKey()); ?>"/>
         <input type="submit" class="globalButton" value="Create"/>
     </form>
 </div>
