Escape variables in api module

Jamie Snape · Jamie Snape · commit 7bfe67a8227e · 2014-12-08T09:19:59.000-05:00
diff --git a/modules/api/views/index/index.phtml b/modules/api/views/index/index.phtml
@@ -26,11 +26,11 @@ $this->headScript()->appendFile($this->moduleWebroot.'/public/js/index/index.ind
     <h2>Deprecated JSON RPC API</h2>
     <div>
         <img style="position: relative; top: 3px;" src="<?php echo $this->coreWebroot ?>/public/images/icons/warning.png"> This API is
-        <b>deprecated</b>. Instead use the <a href="<?php echo $this->serverURL.$this->webroot ?>/rest">RESTful API</a>.
+        <b>deprecated</b>. Instead use the <a href="<?php echo $this->escape($this->serverURL.$this->webroot); ?>/rest">RESTful API</a>.
     </div>
     <br />
     <p>This API will send you a JSON RPC response at the following URL:</p>
-    <p><b><?php echo $this->serverURL.$this->webroot ?>/api/json?method=METHOD_NAME</b></p>
+    <p><b><?php echo $this->escape($this->serverURL.$this->webroot); ?>/api/json?method=METHOD_NAME</b></p>
     <p>To authenticate requests you can provide a parameter named <b>token</b> with an
     authentication token value obtained by calling <b>midas.login</b>.</p>
     <br />
@@ -39,26 +39,26 @@ $this->headScript()->appendFile($this->moduleWebroot.'/public/js/index/index.ind
         <ul class="listmethods">
             <?php
             foreach ($this->data['api.listmethods'] as $methodname) {
-                echo "<li class='methodListElement'>".$methodname." <a class='showHideHelp'>?</a></li>";
+                echo "<li class='methodListElement'>".$this->escape($methodname)." <a class='showHideHelp'>?</a></li>";
                 if (isset($this->help[$methodname])) {
                     echo "<div class='helpContent'>";
-                    echo $this->help[$methodname]['description'].'<br/>';
+                    echo $this->escape($this->help[$methodname]['description']).'<br/>';
                     if (!empty($this->help[$methodname]['params'])) {
                         echo '<b>Parameters</b>';
                         foreach ($this->help[$methodname]['params'] as $key => $value) {
                             echo '<ul>';
-                            echo "<li><b>{$key}</b> - {$value}</li>";
+                            echo "<li><b>{$this->escape($key)}</b> - {$this->escape($value)}</li>";
                             echo '</ul>';
                         }
                     }
                     if (!empty($this->help[$methodname]['return'])) {
-                        echo '<b>Return</b> - '.$this->help[$methodname]['return'];
+                        echo '<b>Return</b> - '.$this->escape($this->help[$methodname]['return']);
                     }
                     if (!empty($this->help[$methodname]['example'])) {
                         echo '<br/><b>Examples</b>';
                         foreach ($this->help[$methodname]['example'] as $key => $value) {
                             echo '<ul>';
-                            echo "<li><b>{$value}</b> - {$key}</li>";
+                            echo "<li><b>{$this->escape($value)}</b> - {$this->escape($key)}</li>";
                             echo '</ul>';
                         }
                     }
