Escape variables in remoteprocessing module

Jamie Snape · Jamie Snape · commit 77eff8d58469 · 2014-12-08T09:20:04.000-05:00
diff --git a/modules/remoteprocessing/Notification.php b/modules/remoteprocessing/Notification.php
@@ -96,15 +96,15 @@ public function getActionMenu($params)
             $html = "<li>
             <a href='".Zend_Registry::get(
                     'webroot'
-                )."/remoteprocessing/executable/define/?itemId=".$params['item']->getKey(
+                )."/remoteprocessing/executable/define/?itemId=".htmlspecialchars($params['item']->getKey(), ENT_QUOTES, 'UTF-8'
                 )."'><img alt='' src='".Zend_Registry::get(
                     'coreWebroot'
                 )."/public/images/icons/xml.png'/> ".$this->t('Define Executable')."</a>
           </li>
           <li>
             <a href='".Zend_Registry::get(
                     'webroot'
-                )."/remoteprocessing/job/init/?itemId=".$params['item']->getKey(
+                )."/remoteprocessing/job/init/?itemId=".htmlspecialchars($params['item']->getKey(), ENT_QUOTES, 'UTF-8'
                 )."'><img alt='' src='".Zend_Registry::get(
                     'coreWebroot'
                 )."/public/images/icons/job.png'/> ".$this->t('Create a Job')."</a>
@@ -158,10 +158,10 @@ public function getItemInfo($params)
                 }
 
                 $html .= "<li>";
-                $html .= "<a  element='".$item->getKey()."' href='".Zend_Registry::get(
+                $html .= "<a  element='".htmlspecialchars($item->getKey(), ENT_QUOTES, 'UTF-8')."' href='".Zend_Registry::get(
                         'webroot'
-                    )."/item/".$item->getKey()."'>".$component->slicename(
-                        $item->getName(),
+                    )."/item/".htmlspecialchars($item->getKey(), ENT_QUOTES, 'UTF-8')."'>".$component->slicename(
+                        htmlspecialchars($item->getName(), ENT_QUOTES, 'UTF-8'),
                         25
                     )."</a>";
                 $html .= "</li>";
@@ -187,9 +187,9 @@ public function getItemInfo($params)
                     $name = $job->getCreationDate();
                 }
                 $html .= "<li>";
-                $html .= "<a  element='".$job->getKey()."' href='".Zend_Registry::get(
+                $html .= "<a  element='".htmlspecialchars($job->getKey(), ENT_QUOTES, 'UTF-8')."' href='".Zend_Registry::get(
                         'webroot'
-                    )."/remoteprocessing/job/view/?jobId=".$job->getKey()."'>".$name."</a>";
+                    )."/remoteprocessing/job/view/?jobId=".htmlspecialchars($job->getKey(), ENT_QUOTES, 'UTF-8')."'>".htmlspecialchars($name, ENT_QUOTES, 'UTF-8')."</a>";
                 $html .= "</li>";
                 if ($i > 3) {
                     $html .= "<li>...</li>";
diff --git a/modules/remoteprocessing/controllers/IndexController.php b/modules/remoteprocessing/controllers/IndexController.php
@@ -26,9 +26,4 @@ public function selectactionAction()
     {
         $this->disableLayout();
     }
-
-    /** dashboard */
-    public function dashboardAction()
-    {
-    }
 }
diff --git a/modules/remoteprocessing/public/js/index/index.selectaction.js b/modules/remoteprocessing/public/js/index/index.selectaction.js
@@ -3,10 +3,6 @@
 $('img#processButtonImg').show();
 $('img#processButtonLoadiing').hide();
 
-$('#blockDashboardLink').click(function () {
-    'use strict';
-    window.location.replace($('.webroot').val() + '/remoteprocessing/index/dashboard');
-});
 $('#blockManageScheduledLink').click(function () {
     'use strict';
     window.location.replace($('.webroot').val() + '/remoteprocessing/job/manage');
diff --git a/modules/remoteprocessing/views/executable/define.phtml b/modules/remoteprocessing/views/executable/define.phtml
@@ -32,8 +32,8 @@ if ($this->isAjax) {
         <?php
         if (!$this->isAjax) {
             echo '<div style="float:right;margin-right:2px;" class="genericBigButton ">';
-            echo "<a  href='{$this->webroot}/item/{$this->itemDao->getKey(
-            )}'><img style='float:left;margin-right:2px;' alt='' src='{$this->coreWebroot}/public/images/icons/back.png'/>";
+            echo "<a  href='{$this->webroot}/item/{$this->escape($this->itemDao->getKey(
+            ))}'><img style='float:left;margin-right:2px;' alt='' src='{$this->coreWebroot}/public/images/icons/back.png'/>";
             echo $this->t('Back');
             echo "</a>";
             echo '</div>';
@@ -44,7 +44,7 @@ if ($this->isAjax) {
     </div>
 
     This page allow you to define the execution options of the item:
-    <b><?php echo $this->itemDao->getName() ?></b>.<br/>These option are used to defined how the MIDAS Platform will use
+    <b><?php echo $this->escape($this->itemDao->getName()); ?></b>.<br/>These option are used to defined how the Midas Platform will use
     the item to create remote processing tasks.
     <br/>
     <br/>
@@ -75,4 +75,4 @@ if ($this->isAjax) {
 </div>
 
 <div id="jsonMetadataContent"><?php echo $this->jsonMetadata ?></div>
-<input type="hidden" id="itemIdExecutable" value="<?php echo $this->itemDao->getKey() ?>"/>
+<input type="hidden" id="itemIdExecutable" value="<?php echo $this->escape($this->itemDao->getKey()); ?>"/>
diff --git a/modules/remoteprocessing/views/index/dashboard.phtml b/modules/remoteprocessing/views/index/dashboard.phtml
diff --git a/modules/remoteprocessing/views/index/selectaction.phtml b/modules/remoteprocessing/views/index/selectaction.phtml
@@ -31,21 +31,6 @@
     </div>
     <br/>
 
-    <div class="blockSet" id="blockDashboardLink">
-        <table>
-            <tbody>
-            <tr>
-                <td class="logo">
-                    <img alt="" src="<?php echo $this->moduleWebroot ?>/public/images/bigicon-dashboard.png"/>
-                </td>
-                <td>
-                    <h4>Access your dashboard</h4>
-                    <span style="color:grey;">The dasboard shows the results and the status of your jobs.</span>
-                </td>
-            </tr>
-            </tbody>
-        </table>
-    </div>
     <div class="blockSet" id="blockManageScheduledLink">
         <table>
             <tbody>
diff --git a/modules/remoteprocessing/views/job/getinitexecutable.phtml b/modules/remoteprocessing/views/job/getinitexecutable.phtml
@@ -21,15 +21,15 @@
 $i = 0;
 foreach ($this->metaContent->option as $option) {
     if (isset($option->field) && isset($option->field->required) && $option->field->required == 1) {
-        echo "<div id='option_".$i."' name='".htmlentities(
+        echo "<div id='option_".$i."' name='".$this->escape(
                 ucfirst($option->name)
-            )."' class='optionWrapper' isrequired ='true' tag='".htmlentities($option->tag)."'>";
-        echo "<h4>".ucfirst($option->name)." (required)</h4>";
+            )."' class='optionWrapper' isrequired ='true' tag='".$this->escape($option->tag)."'>";
+        echo "<h4>".$this->escape(ucfirst($option->name))." (required)</h4>";
     } else {
-        echo "<div id='option_".$i."' name='".htmlentities(
+        echo "<div id='option_".$i."' name='".$this->escape(
                 ucfirst($option->name)
-            )."' class='optionWrapper'  tag='".htmlentities($option->tag)."'>";
-        echo "<h4>".ucfirst($option->name)."</h4>";
+            )."' class='optionWrapper'  tag='".$this->escape($option->tag)."'>";
+        echo "<h4>".$this->escape(ucfirst($option->name))."</h4>";
     }
 
     $type = 'inputParam';
@@ -66,6 +66,6 @@ function elementInputFile($i, $option, $scheduled)
 function elementInputParam($i, $option)
 {
     echo "Value (".ucfirst(
-            $option->field->type
-        )."): <input variable='".$option->field->type."' type='text' qtip='Example multiple values: <b>5;6;9</b><br/>Example range with a step of 0.5: <b>5-10(0.5)</b>' class='valueInputOption'/>";
+            htmlspecialchars($option->field->type, ENT_QUOTES, 'UTF-8')
+        )."): <input variable='".htmlspecialchars($option->field->type, ENT_QUOTES, 'UTF-8')."' type='text' qtip='Example multiple values: <b>5;6;9</b><br/>Example range with a step of 0.5: <b>5-10(0.5)</b>' class='valueInputOption'/>";
 }
diff --git a/modules/remoteprocessing/views/job/init.phtml b/modules/remoteprocessing/views/job/init.phtml
@@ -88,9 +88,9 @@ $this->headScript()->appendFile($this->coreWebroot.'/public/js/jquery/jquery.sma
         </div>
         <br/><br/>
         <b>Selected Item:</b>
-        <span id="selectedExecutable"><?php echo (isset($this->itemDao)) ? $this->itemDao->getName() : 'None' ?></span>
+        <span id="selectedExecutable"><?php echo (isset($this->itemDao)) ? $this->escape($this->itemDao->getName()) : 'None' ?></span>
         <input type="hidden" id="selectedExecutableId"
-               value="<?php echo (isset($this->itemDao)) ? $this->itemDao->getKey() : '' ?>"/>
+               value="<?php echo (isset($this->itemDao)) ? $this->escape($this->itemDao->getKey()) : '' ?>"/>
 
         <div id="metaWrapper">
             <h3>Meta information</h3>
diff --git a/modules/remoteprocessing/views/job/manage.phtml b/modules/remoteprocessing/views/job/manage.phtml
@@ -55,9 +55,9 @@ $this->headScript()->appendFile($this->moduleWebroot.'/public/js/job/job.manage.
             </thead>
             <?php
             foreach ($this->relatedJobs as $job) {
-                echo "<tr element='".$job->getKey()."v'>";
-                echo "<td>".$job->getName()."</td>";
-                echo "<td>".$job->getCreationDate()."</td>";
+                echo "<tr element='".$this->escape($job->getKey())."v'>";
+                echo "<td>".$this->escape($job->getName())."</td>";
+                echo "<td>".$this->escape($job->getCreationDate())."</td>";
                 if ($job->getStatus() == MIDAS_REMOTEPROCESSING_STATUS_DONE) {
                     echo "<td class='elementStatus'>Done</td>";
                 } else {
@@ -104,9 +104,9 @@ $this->headScript()->appendFile($this->moduleWebroot.'/public/js/job/job.manage.
             <?php
             foreach ($this->scheduledJobs as $job) {
                 $params = JsonComponent::decode($job->getParams());
-                echo "<tr element='".$job->getKey()."v'>";
-                echo "<td>".$params['params']['job_name']."</td>";
-                echo "<td>".$job->getFireTime()."</td>";
+                echo "<tr element='".$this->escape($job->getKey())."v'>";
+                echo "<td>".$this->escape($params['params']['job_name'])."</td>";
+                echo "<td>".$this->escape($job->getFireTime())."</td>";
                 echo "<td>Scheduled</td>";
                 echo "</tr>";
             }
diff --git a/modules/remoteprocessing/views/job/view.phtml b/modules/remoteprocessing/views/job/view.phtml
@@ -57,21 +57,21 @@ if ($this->job->getStatus() == MIDAS_REMOTEPROCESSING_STATUS_DONE) {
 }
 ?>
 
-<h4>Job Status: <?php echo $jobStatus ?></h4>
+<h4>Job Status: <?php echo $this->escape($jobStatus); ?></h4>
 
 <?php
 if ($this->executable != false) {
     ?>
     <h4>Executable:
-        <a href="<?php echo $this->webroot ?>/item/<?php echo $this->executable->getKey(
-        ) ?>"><?php echo $this->executable->getName() ?></a>
+        <a href="<?php echo $this->webroot ?>/item/<?php echo $this->escape($this->executable->getKey(
+        )); ?>"><?php echo $this->escape($this->executable->getName()); ?></a>
     </h4>
 <?php
 }
 if ($this->log != false) {
     ?>
     <a id="showLogLink">Toggle raw xml results</a><br/>
-    <pre id="hiddenLog"><?php echo htmlentities($this->log) ?></pre>
+    <pre id="hiddenLog"><?php echo $this->escape($this->log) ?></pre>
 
     <h4>Results and Metrics grid:</h4>
     <table id="tableXml">
@@ -109,29 +109,29 @@ if ($this->log != false) {
             foreach ($this->results['params']['parametersList'] as $key => $parameter) {
                 if (isset($result['parameters'][$key]) && isset($this->inputs[trim($result['parameters'][$key])])
                 ) {
-                    echo "<td><a href='".$this->webroot."/item/".$this->inputs[trim(
+                    echo "<td><a href='".$this->webroot."/item/".$this->escape($this->inputs[trim(
                             $result['parameters'][$key]
-                        )]->getKey()."' elementItem='".$this->inputs[trim($result['parameters'][$key])]->getKey(
-                        )."'>".$this->slicename(
-                            $result['parameters'][$key],
+                        )]->getKey())."' elementItem='".$this->escape($this->inputs[trim($result['parameters'][$key])]->getKey(
+                        ))."'>".$this->slicename(
+                            $this->escape($result['parameters'][$key]),
                             15
                         )."</a></td>";
                 } else {
                     if (isset($result['parameters'][$key])) {
-                        echo "<td>".$this->slicename($result['parameters'][$key], 15)."</td>";
+                        echo "<td>".$this->slicename($this->escape($result['parameters'][$key]), 15)."</td>";
                     } else {
                         echo "<td></td>";
                     }
                 }
             }
-            echo "<td class='xmlStatus'>".$result['status']."</td>";
+            echo "<td class='xmlStatus'>".$this->escape($result['status'])."</td>";
             echo "<td>".str_replace(' seconds', 's', $this->duration($result['time']))."</td>";
-            echo "<td class='showInDialog' output='".htmlentities($result['stdout'])."'><a>".$this->slicename(
-                    htmlentities($result['stdout']),
+            echo "<td class='showInDialog' output='".$this->escape($result['stdout'])."'><a>".$this->slicename(
+                    $this->escape($result['stdout']),
                     15
                 )."</a></td>";
-            echo "<td class='showInDialog' output='".htmlentities($result['stderr'])."'><a>".$this->slicename(
-                    htmlentities($result['stderr']),
+            echo "<td class='showInDialog' output='".$this->escape($result['stderr'])."'><a>".$this->slicename(
+                    $this->escape($result['stderr']),
                     15
                 )."</a></td>";
 
@@ -169,7 +169,7 @@ if ($this->job->getStatus() == MIDAS_REMOTEPROCESSING_STATUS_DONE && !empty($thi
             echo "<th><b>Thumbnail</b></th>";
 
             foreach ($this->parameters as $parameter) {
-                echo "<th><b>".ucfirst($parameter)."</b></th>";
+                echo "<th><b>".ucfirst($this->escape($parameter))."</b></th>";
             }
             ?>
         </tr>
@@ -179,26 +179,26 @@ if ($this->job->getStatus() == MIDAS_REMOTEPROCESSING_STATUS_DONE && !empty($thi
         foreach ($this->outputs as $output) {
             echo "<tr>";
             $metadata = $output->metadataParameters;
-            echo "<td><a href='".$this->webroot."/item/".$output->getKey()."' elementItem='".$output->getKey(
-                )."'>".$output->getName()."</a></td>";
+            echo "<td><a href='".$this->webroot."/item/".$this->escape($output->getKey())."' elementItem='".$this->escape($output->getKey(
+                ))."'>".$this->escape($output->getName())."</a></td>";
             $path = $output->getThumbnail();
             echo "<td>";
             if (!empty($path) && file_exists(BASE_PATH.'/'.$path)) {
                 echo "
-            <img class='infoLogo' alt='' src='{$this->webroot}/{$path}'/>
+            <img class='infoLogo' alt='' src='{$this->webroot}/{$this->escape($path)}'/>
             ";
             }
             echo "</td>";
             foreach ($this->parameters as $parameter) {
                 if (isset($metadata[$parameter]) && isset($this->inputs[trim($metadata[$parameter])])
                 ) {
-                    echo "<td><a href='".$this->webroot."/item/".$this->inputs[trim(
+                    echo "<td><a href='".$this->webroot."/item/".$this->escape($this->inputs[trim(
                             $metadata[$parameter]
-                        )]->getKey()."' elementItem='".$this->inputs[trim($metadata[$parameter])]->getKey(
-                        )."'>".$metadata[$parameter]."</a></td>";
+                        )]->getKey())."' elementItem='".$this->escape($this->inputs[trim($metadata[$parameter])]->getKey(
+                        ))."'>".$this->escape($metadata[$parameter])."</a></td>";
                 } else {
                     if (isset($metadata[$parameter])) {
-                        echo "<td>".$metadata[$parameter]."</td>";
+                        echo "<td>".$this->escape($metadata[$parameter])."</td>";
                     } else {
                         echo "<td></td>";
                     }
@@ -216,13 +216,12 @@ if ($this->job->getStatus() == MIDAS_REMOTEPROCESSING_STATUS_DONE && !empty($thi
         $itemsList .= $ouput->getKey().'-';
     }
     echo '<div class="genericBigButton ">';
-    echo "<a  href='{$this->webroot}/download?items={$itemsList}'><img style='float:left;margin-right:2px;' alt='' src='{$this->coreWebroot}/public/images/icons/download.png'/>";
+    echo "<a  href='{$this->webroot}/download?items={$this->escape($itemsList)}'><img style='float:left;margin-right:2px;' alt='' src='{$this->coreWebroot}/public/images/icons/download.png'/>";
     echo $this->t('Download Results');
     echo "</a>";
     echo '</div>';
     ?>
 <?php
 }
 ?>
-
 </div>

Original file line number	Diff line number	Diff line change
`@@ -26,9 +26,4 @@ public function selectactionAction()`
`26`	`26`	`{`
`27`	`27`	`$this->disableLayout();`
`28`	`28`	`}`
`29`		`-`
`30`		`- /** dashboard */`
`31`		`- public function dashboardAction()`
`32`		`- {`
`33`		`- }`
`34`	`29`	`}`