
Commit b1f67b9

author
Jamie Snape
committed
Escape variables in layouts
1 parent 3d4bdf9 commit b1f67b9

4 files changed

+35
-42
lines changed


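--- a/core/layouts/empty.phtml
+++ b/core/layouts/empty.phtml
@@ -20,14 +20,14 @@
 
 echo $this->doctype().PHP_EOL;
 ?>
-<html lang="<?php echo $this->lang; ?>" xml:lang="<?php echo $this->lang; ?>" xmlns="http://www.w3.org/1999/xhtml">
+<html lang="<?php echo $this->escape($this->lang); ?>" xml:lang="<?php echo $this->escape($this->lang); ?>" xmlns="http://www.w3.org/1999/xhtml">
 <head>
 <?php
 $this->headMeta()->appendHttpEquiv('Content-Type', 'text/html; charset=UTF-8');
-$this->headMeta()->appendName('description', htmlspecialchars($this->metaDescription, ENT_QUOTES, 'UTF-8'));
+$this->headMeta()->appendName('description', $this->escape($this->metaDescription));
 echo $this->headMeta().PHP_EOL;
 
-$this->headTitle(htmlspecialchars($this->title, ENT_QUOTES, 'UTF-8'));
+$this->headTitle($this->escape($this->title));
 $this->headTitle()->setSeparator(' - ');
 echo $this->headTitle().PHP_EOL;
 
@@ -77,7 +77,7 @@ echo $this->doctype().PHP_EOL;
 <input type="hidden" class="webroot" value="<?php $this->baseUrl(); ?>"/>
 
 <div style="display: none;" class="jsonContent">
-<?php echo $this->json.PHP_EOL; ?>
+<?php echo $this->escape($this->json).PHP_EOL; ?>
 </div>
 </body>
 <?php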
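Review bot: `$this->escape($this->json)` on new line 80 HTML-encodes the JSON blob placed inside `div.jsonContent`, so whatever reads it back only receives valid JSON if it reads the element's decoded text (jQuery `.text()`) rather than its markup (`.html()`); the reader is not in this hunk, so confirm it and add a comment beside the div such as `<?php /* HTML-encoded on purpose: consumers must read this via .text(), not .html() */ ?>`. The removed lines escaped with an explicit `ENT_QUOTES`; if `escape()` is the Zend_View default it is `htmlspecialchars` with `ENT_COMPAT`, which is adequate for the double-quoted attributes in this file but weaker than before, so the view's escape configuration should be set explicitly rather than assumed. Unrelated to the change but visible on context line 77, `value="<?php $this->baseUrl(); ?>"` is missing `echo` (layout.phtml line 377 has it), so the hidden webroot input is empty in this layout.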

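--- a/core/layouts/layout.phtml
+++ b/core/layouts/layout.phtml
@@ -20,14 +20,14 @@
 
 echo $this->doctype().PHP_EOL;
 ?>
-<html lang="<?php echo $this->lang; ?>" xml:lang="<?php echo $this->lang; ?>" xmlns="http://www.w3.org/1999/xhtml">
+<html lang="<?php echo $this->escape($this->lang); ?>" xml:lang="<?php echo $this->escape($this->lang); ?>" xmlns="http://www.w3.org/1999/xhtml">
 <head>
 <?php
 $this->headMeta()->appendHttpEquiv('Content-Type', 'text/html; charset=UTF-8');
-$this->headMeta()->appendName('description', htmlspecialchars($this->metaDescription, ENT_QUOTES, 'UTF-8'));
+$this->headMeta()->appendName('description', $this->escape($this->metaDescription));
 echo $this->headMeta().PHP_EOL;
 
-$this->headTitle(htmlspecialchars($this->title, ENT_QUOTES, 'UTF-8'));
+$this->headTitle($this->escape($this->title));
 $this->headTitle()->setSeparator(' - ');
 echo $this->headTitle().PHP_EOL;
 
@@ -113,17 +113,17 @@ echo $this->doctype().PHP_EOL;
 <?php
 if ($this->logged && isset($this->userDao)) {
 echo '
-<b><a id="topUserName" href="'.$this->webroot.'/user/'.$this->userDao->getUserId(
-).'">'.$this->userDao->getFullName().' <img class="arrowUser" src="'.$this->baseUrl(
+<b><a id="topUserName" href="'.$this->webroot.'/user/'.$this->escape($this->userDao->getUserId(
+)).'">'.$this->escape($this->userDao->getFullName()).' <img class="arrowUser" src="'.$this->baseUrl(
 'core/public/images/icons/arrow-user.gif'
 ).'" alt ="" /> </a> </b>
 <ul>
 <li onclick="window.location = \''.$this->webroot.'/user/userpage\';"><a>'.$this->t(
 'My Page'
 ).'</a></li>
 <li class="myAccountLink"><a href="'.$this->baseUrl(
-'user/settings?userId='.$this->userDao->getKey()
-).'">'.$this->t('My Account').'</a></li>
+'user/settings?userId='.$this->escape($this->userDao->getKey()
+)).'">'.$this->t('My Account').'</a></li>
 ';
 if ($this->userDao->isAdmin()) {
 echo '
@@ -140,7 +140,7 @@ echo $this->doctype().PHP_EOL;
 foreach ($linksModules as $links) {
 foreach ($links as $name => $link) {
 echo '
-<li onclick="window.location = \''.$link.'\';"><a>'.$name.'</a></li>';
+<li onclick="window.location = \''.$this->escape($link).'\';"><a>'.$this->escape($name).'</a></li>';
 }
 }
 }
@@ -225,7 +225,7 @@ echo $this->doctype().PHP_EOL;
 <ul>
 <li class="uploadFile" title="Upload"
 rel="<?php echo $this->baseUrl('upload/simpleupload'); ?><?php if (isset($this->mainFolder)) {
-echo '/?parent='.$this->mainFolder->folder_id;
+echo '/?parent='.$this->escape($this->mainFolder->folder_id);
 } ?>">
 <a href="#"><img id="uploadAFile"
 src="<?php echo $this->baseUrl('core/public/images/icons/addfile.png'); ?>"
@@ -302,13 +302,8 @@ echo $this->doctype().PHP_EOL;
 $link = $array[0];
 $image = $array[1];
 ?>
-<li onclick="window.location = '<?php echo $link; ?>';">
-<a href="<?php echo $link; ?>"><img alt=""
-src="<?php echo $image; ?>"/><span> <?php echo htmlspecialchars(
-$name,
-ENT_QUOTES,
-'UTF-8'
-); ?></span></a></li>
+<li onclick="window.location = '<?php echo $this->escape($link); ?>';">
+<a href="<?php echo $this->escape($link); ?>"><img alt="" src="<?php echo $this->escape($image); ?>"/><span> <?php echo $this->escape($name); ?></span></a></li>
 <?php
 }
 }
@@ -323,12 +318,12 @@ echo $this->doctype().PHP_EOL;
 echo '<ul>';
 foreach ($recentReverse as $item) {
 if (is_array($item)) {
-echo "<li onclick=\"window.location = '{$this->webroot}/item/{$item['item_id']}';\" class='recentItem' qtip='".str_replace(
+echo "<li onclick=\"window.location = '{$this->webroot}/item/{$this->escape($item['item_id'])}';\" class='recentItem' qtip='".str_replace(
 "'",
 '"',
-$item['name']
-)."'><a href='{$this->webroot}/item/{$item['item_id']}'>".$this->slicename(
-$item['name'],
+$this->escape($item['name'])
+)."'><a href='{$this->webroot}/item/{$this->escape($item['item_id'])}'>".$this->slicename(
+$this->escape($item['name']),
 20
 )."</a></li>";
 }
@@ -362,11 +357,7 @@ echo $this->doctype().PHP_EOL;
 ?>
 </div>
 <div class="Footer">
-<a href="http://www.midasplatform.org/">Midas Platform</a> <?php echo htmlspecialchars(
-$this->version,
-ENT_QUOTES,
-'UTF-8'
-); ?> - &copy; <?php echo date('Y'); ?>
+<a href="http://www.midasplatform.org/">Midas Platform</a> <?php echo $this->escape($this->version); ?> - &copy; <?php echo date('Y'); ?>
 <a href="http://www.kitware.com">Kitware</a> -
 <a href="https://github.com/midasplatform/Midas/issues"><?php echo $this->t('Report bug'); ?></a>
 </div>
@@ -377,7 +368,7 @@ echo $this->doctype().PHP_EOL;
 <input type="hidden" class="webroot" value="<?php echo $this->baseUrl(); ?>"/>
 
 <div style="display: none;" class="jsonContent">
-<?php echo $this->json.PHP_EOL; ?>
+<?php echo $this->escape($this->json).PHP_EOL; ?>
 </div>
 <div id="dialogStartingGuide" style="display:none;" title="<?php echo $this->t('Starting Guide'); ?>">
 <br/>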
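Review bot: On new line 326 the order `$this->slicename($this->escape($item['name']), 20)` escapes before truncating, so a 20-character cut can land inside an entity (`&amp;` becomes `&am`, emitting a raw ampersand) and names containing `<`, `>` or `&` are cut shorter than others; use `$this->escape($this->slicename($item['name'], 20))` so the visible text is truncated and the result encoded. Several of the newly escaped values are inserted into a JavaScript string inside an attribute (`onclick="window.location = '…'"` on new lines 116, 121, 143, 305 and 321) or into single-quoted attributes (`qtip='…'`, `href='…'` on 321–325), contexts where HTML escaping only helps if single quotes are encoded; the removed lines used `ENT_QUOTES` explicitly, while Zend_View's default `escape()` is `htmlspecialchars` with `ENT_COMPAT`, so confirm the view is configured to encode quotes or keep an `ENT_QUOTES` escape at those spots. `$this->webroot` and the `$this->t()` outputs in the same strings remain unescaped; presumably they are trusted configuration and translation text, but a short comment saying so would stop the next reader from re-raising it. The surrounding `echo`/`foreach` blocks in hunks 2 and 6 start and end outside the lines shown.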

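--- a/core/public/js/common/common.browser.js
+++ b/core/public/js/common/common.browser.js
@@ -546,6 +546,11 @@ midas.createAction = function (node) {
 $('div.viewAction ul').show();
 };
 
+midas.escape = function (text) {
+'use strict';
+return $('<div/>').text(text).html()
+};
+
 midas.createInfo = function (jsonContent) {
 'use strict';
 var arrayElement = $.parseJSON(jsonContent);
@@ -560,7 +565,7 @@ midas.createInfo = function (jsonContent) {
 html += '<img class="infoLogo" alt="Data Type" src="' + json.global.coreWebroot + '/public/images/icons/document-big.png" />';
 }
 
-html += '<span class="infoTitle" >' + arrayElement['name'] + '</span>';
+html += '<span class="infoTitle" >' + midas.escape(arrayElement['name']) + '</span>';
 html += '<table>';
 html += ' <tr>';
 html += ' <td>' + arrayElement.translation.Created + '</td>';
@@ -570,7 +575,7 @@ midas.createInfo = function (jsonContent) {
 html += ' <tr>';
 html += ' <td>Members';
 html += '</td>';
-html += ' <td>' + arrayElement['members'] + '</td>';
+html += ' <td>' + midas.escape(arrayElement['members']) + '</td>';
 html += ' </tr>';
 }
 if (arrayElement['type'] == 'item') {
@@ -583,31 +588,31 @@ midas.createInfo = function (jsonContent) {
 else {
 html += ' <tr>';
 html += ' <td>' + arrayElement.translation.Uploaded + '</td>';
-html += ' <td><a href="' + json.global.webroot + '/user/' + arrayElement['uploaded']['user_id'] + '">' + arrayElement['uploaded']['firstname'] + ' ' + arrayElement['uploaded']['lastname'] + '</a></td>';
+html += ' <td><a href="' + json.global.webroot + '/user/' + midas.escape(arrayElement['uploaded']['user_id']) + '">' + midas.escape(arrayElement['uploaded']['firstname']) + ' ' + midas.escape(arrayElement['uploaded']['lastname']) + '</a></td>';
 html += ' </tr>';
 html += ' <tr>';
 html += ' <td>Revisions</td>';
-html += ' <td>' + arrayElement['revision']['revision'] + '</td>';
+html += ' <td>' + midas.escape(arrayElement['revision']['revision']) + '</td>';
 html += ' </tr>';
 html += ' <tr>';
 html += ' <td>Files</td>';
-html += ' <td>' + arrayElement['nbitstream'] + '</td>';
+html += ' <td>' + midas.escape(arrayElement['nbitstream']) + '</td>';
 html += ' </tr>';
 html += ' </tr>';
 html += ' <td>Size</td>';
-html += ' <td>' + arrayElement['size'] + '</td>';
+html += ' <td>' + midas.escape(arrayElement['size']) + '</td>';
 html += ' </tr>';
 }
 }
 
 if (arrayElement['type'] == 'folder') {
 html += ' <tr>';
 html += ' <td>Last Updated</td>';
-html += ' <td>' + arrayElement['updated'] + '</td>';
+html += ' <td>' + midas.escape(arrayElement['updated']) + '</td>';
 html += ' </tr>';
 html += ' <tr>';
 html += ' <td>Size</td>';
-html += ' <td>' + arrayElement['size'] + '</td>';
+html += ' <td>' + midas.escape(arrayElement['size']) + '</td>';
 html += ' </tr>';
 }
 html += '</table>';
@@ -616,7 +621,7 @@ midas.createInfo = function (jsonContent) {
 }
 
 if (arrayElement['thumbnail_id'] !== undefined && arrayElement['thumbnail_id'] != '') {
-html += '<h1>' + json.browse.preview + '</h1><a href="' + json.global.webroot + '/item/' + arrayElement['item_id'] + '"><img class="infoLogo" alt="" src="' + json.global.webroot + '/item/thumbnail?itemId=' + arrayElement['item_id'] + '" /></a>';
+html += '<h1>' + json.browse.preview + '</h1><a href="' + json.global.webroot + '/item/' + midas.escape(arrayElement['item_id']) + '"><img class="infoLogo" alt="" src="' + json.global.webroot + '/item/thumbnail?itemId=' + midas.escape(arrayElement['item_id']) + '" /></a>';
 }
 
 $('div.ajaxInfoElement').html(html);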
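Review bot: `midas.escape` on new lines 549–552 relies on `$('<div/>').text(text).html()`, which encodes `&`, `<` and `>` but leaves `"` and `'` untouched because innerHTML serialization of a text node does not escape quotes; its results are then placed inside double-quoted attributes on new lines 591 and 624 (`href="' + … + midas.escape(…) + '"`), where an unencoded quote still terminates the attribute. An explicit replacement that also encodes both quote characters covers element and attribute contexts alike, as below; it additionally fixes the missing semicolon after `.html()` on line 551 and makes the handling of `null`/`undefined` explicit, which matters because fields such as `arrayElement['members']` come straight from parsed JSON. URL path segments such as `user_id` and `item_id` would ideally be passed through `encodeURIComponent` rather than HTML-escaped, but that is a separate change. `midas.createInfo` itself starts and ends outside the hunks shown.
```javascript
midas.escape = function (text) {
    'use strict';
    if (text === undefined || text === null) {
        return '';
    }
    // Encode every character that can end a text node or an attribute value.
    return String(text)
        .replace(/&/g, '&amp;')
        .replace(/</g, '&lt;')
        .replace(/>/g, '&gt;')
        .replace(/"/g, '&quot;')
        .replace(/'/g, '&#39;');
};
```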

core/public/js/common/common.license.js

Lines changed: 0 additions & 3 deletions
This file was deleted.
