Escape variables in visualize module

Jamie Snape · Jamie Snape · commit ae6ea89dd18f · 2014-12-08T09:20:05.000-05:00
diff --git a/modules/visualize/Notification.php b/modules/visualize/Notification.php
@@ -40,19 +40,19 @@ public function getItemViewLink($params)
         if ($this->ModuleComponent->Main->canVisualizeWithSliceView($item)) {
             $webroot = Zend_Controller_Front::getInstance()->getBaseUrl();
             $html = '<li><a href="'.$webroot.'/'.$this->moduleName.'/paraview/slice?itemId=';
-            $html .= $item->getKey().'"><img alt="" src="'.$webroot.'/modules/';
+            $html .= htmlspecialchars($item->getKey(), ENT_QUOTES, 'UTF-8').'"><img alt="" src="'.$webroot.'/modules/';
             $html .= $this->moduleName.'/public/images/sliceView.png" /> Slice Visualization</a></li>';
 
             $html .= '<li><a href="'.$webroot.'/'.$this->moduleName.'/paraview/volume?itemId=';
-            $html .= $item->getKey().'"><img alt="" src="'.$webroot.'/modules/';
+            $html .= htmlspecialchars($item->getKey(), ENT_QUOTES, 'UTF-8').'"><img alt="" src="'.$webroot.'/modules/';
             $html .= $this->moduleName.'/public/images/volume.png" /> Volume Visualization</a></li>';
 
             return $html;
         } elseif ($this->ModuleComponent->Main->canVisualizeWithSurfaceView($item)
         ) {
             $webroot = Zend_Controller_Front::getInstance()->getBaseUrl();
             $html = '<li><a href="'.$webroot.'/'.$this->moduleName.'/paraview/surface?itemId=';
-            $html .= $item->getKey().'"><img alt="" src="'.$webroot.'/modules/';
+            $html .= htmlspecialchars($item->getKey(), ENT_QUOTES, 'UTF-8').'"><img alt="" src="'.$webroot.'/modules/';
             $html .= $this->moduleName.'/public/images/pqUnstructuredGrid16.png" /> Surface Visualization</a></li>';
 
             return $html;
diff --git a/modules/visualize/views/image/index.phtml b/modules/visualize/views/image/index.phtml
@@ -43,6 +43,6 @@ $this->headScript()->appendFile($this->moduleWebroot.'/public/js/jquery/iviewer/
     <div class="wrapper">
         <div id="viewer" class="viewer"></div>
     </div>
-    <div id='urlImage' style="display:none;"><?php echo $this->imageUrl ?></div>
+    <div id='urlImage' style="display:none;"><?php echo $this->escape($this->imageUrl); ?></div>
 <?php
 echo $this->headScript();
diff --git a/modules/visualize/views/wrapper/index.phtml b/modules/visualize/views/wrapper/index.phtml
@@ -42,9 +42,9 @@ $this->headScript()->appendFile($this->webroot.'/modules/visualize/public/js/wra
                 <?php
                 foreach ($this->sameLocation as $item) {
                     echo "<li>";
-                    echo "<a class='linkedcontentLink' preview='{$item->preview}' element='{$item->getKey(
-                        )}' href='{$this->webroot}/item/{$item->getKey()}'>".$this->slicename(
-                            $item->getName(),
+                    echo "<a class='linkedcontentLink' preview='{$item->preview}' element='{$this->escape($item->getKey(
+                        ))}' href='{$this->webroot}/item/{$this->escape($item->getKey())}'>".$this->slicename(
+                            $this->escape($item->getName()),
                             45
                         )."</a>";
                     echo "</li>";
