
Commit b3d8f0a

author
Jamie Snape
committed
Escape variables in tracker module
1 parent 8e31ca7 commit b3d8f0a


6 files changed

+58
-58
lines changed


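--- a/modules/tracker/views/producer/list.phtml
+++ b/modules/tracker/views/producer/list.phtml
@@ -22,7 +22,7 @@
 <link type="text/css" rel="stylesheet" href="<?php echo $this->moduleWebroot ?>/public/css/producer/producer.list.css"/>
 
 <div class="producersTabWrapper">
-<div class="introText">The <?php echo $this->community->getName(); ?> community contains the following producers:
+<div class="introText">The <?php echo $this->escape($this->community->getName()); ?> community contains the following producers:
 </div>
 
 <div class="producerList">
@@ -33,11 +33,11 @@
 
 foreach ($this->producers as $producer) {
 echo '<div class="producerContainer">';
-echo '<a class="producerLink" href="'.$this->webroot.'/tracker/producer/view?producerId='.$producer->getKey(
-).'">';
+echo '<a class="producerLink" href="'.$this->webroot.'/tracker/producer/view?producerId='.$this->escape($producer->getKey(
+)).'">';
 echo $producer->getDisplayName().'</a>';
 if ($producer->getDescription() != '') {
-echo '<div class="producerDescription">'.$producer->getDescription().'</div>';
+echo '<div class="producerDescription">'.$this->escape($producer->getDescription()).'</div>';
 }
 echo '</div>';
 }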
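Review bot: `echo $producer->getDisplayName().'</a>';` on new line 38 is still emitted raw, sitting between the two lines this hunk escapes, so a producer display name containing markup would still be injected into the list page. It should get the same treatment as the key and description: `echo $this->escape($producer->getDisplayName()).'</a>';`. The `$this->escape` helper is presumably the view's HTML escaper; its exact flags are not visible here, so confirm it escapes quotes since the output lands inside double-quoted attributes.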

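--- a/modules/tracker/views/producer/view.phtml
+++ b/modules/tracker/views/producer/view.phtml
@@ -27,13 +27,13 @@ $this->headScript()->appendFile($this->moduleWebroot.'/public/js/producer/produc
 <div class="producerInfoContainer">
 <div class="sectionTitle">Producer Information</div>
 <div class="producerData"><b>Description:</b>
-<span class="description"><?php echo $this->producer->getDescription(); ?></span>
+<span class="description"><?php echo $this->escape($this->producer->getDescription()); ?></span>
 </div>
 <div class="producerData"><b>Repository:</b>
-<span class="repository"><?php echo $this->producer->getRepository(); ?></span>
+<span class="repository"><?php echo $this->escape($this->producer->getRepository()); ?></span>
 </div>
 <div class="producerData"><b>Executable:</b>
-<span class="executable"><?php echo $this->producer->getExecutableName(); ?></span>
+<span class="executable"><?php echo $this->escape($this->producer->getExecutableName()); ?></span>
 </div>
 </div>
 
@@ -45,20 +45,20 @@ $this->headScript()->appendFile($this->moduleWebroot.'/public/js/producer/produc
 echo '<div class="trendGroupContainer">';
 if ($trendGroup['configItem']) {
 echo '<div class="datasetHeader"><b>Configuration:</b> ';
-echo '<a href='.$this->webroot.'/item/'.$trendGroup['configItem']->getKey(
-).'>'.$trendGroup['configItem']->getName().'</a>';
+echo '<a href='.$this->webroot.'/item/'.$this->escape($trendGroup['configItem']->getKey(
+)).'>'.$this->escape($trendGroup['configItem']->getName()).'</a>';
 echo '</div>';
 }
 if ($trendGroup['testDataset']) {
 echo '<div class="datasetHeader"><b>Test Data:</b> ';
-echo '<a href='.$this->webroot.'/item/'.$trendGroup['testDataset']->getKey(
-).'>'.$trendGroup['testDataset']->getName().'</a>';
+echo '<a href='.$this->webroot.'/item/'.$this->escape($trendGroup['testDataset']->getKey(
+)).'>'.$this->escape($trendGroup['testDataset']->getName()).'</a>';
 echo '</div>';
 }
 if ($trendGroup['truthDataset']) {
 echo '<div class="datasetHeader"><b>Ground Truth Data: </b>';
-echo '<a href='.$this->webroot.'/item/'.$trendGroup['truthDataset']->getKey(
-).'>'.$trendGroup['truthDataset']->getName().'</a>';
+echo '<a href='.$this->webroot.'/item/'.$this->escape($trendGroup['truthDataset']->getKey(
+)).'>'.$this->escape($trendGroup['truthDataset']->getName()).'</a>';
 echo '</div>';
 }
 if ($trendGroup['configItem'] || $trendGroup['testDataset'] || $trendGroup['truthDataset']) {
@@ -69,9 +69,9 @@ $this->headScript()->appendFile($this->moduleWebroot.'/public/js/producer/produc
 <?php
 foreach ($trendGroup['trends'] as $trend) {
 echo '<div class="trendContainer">';
-echo '<input type="checkbox" class="selectTrend" element="'.$trend->getKey().'" />';
-echo '<a class="trendLink" href="'.$this->webroot.'/tracker/trend/view?trendId='.$trend->getKey().'">';
-echo $trend->getDisplayName().'</a>';
+echo '<input type="checkbox" class="selectTrend" element="'.$this->escape($trend->getKey()).'" />';
+echo '<a class="trendLink" href="'.$this->webroot.'/tracker/trend/view?trendId='.$this->escape($trend->getKey()).'">';
+echo $this->escape($trend->getDisplayName()).'</a>';
 echo '</div>';
 }
 ?>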
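Review bot: The three `<a href=` links in the second hunk (new lines 48, 54 and 60) emit the href as an unquoted attribute, so `$this->escape()` on the key does not actually bound the value: an HTML escaper leaves whitespace untouched, and in an unquoted attribute whitespace ends the attribute and starts a new one. Whether an item key can ever contain whitespace is not visible here, but quoting removes the dependency entirely, e.g. `echo '<a href="'.$this->webroot.'/item/'.$this->escape($trendGroup['configItem']->getKey()).'">'.$this->escape($trendGroup['configItem']->getName()).'</a>';`, and likewise for testDataset and truthDataset. The loop over trend groups that encloses this hunk begins before it.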

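--- a/modules/tracker/views/scalar/details.phtml
+++ b/modules/tracker/views/scalar/details.phtml
@@ -21,31 +21,31 @@
 <script type="text/javascript" src="<?php echo $this->moduleWebroot ?>/public/js/scalar/scalar.details.js"></script>
 <link type="text/css" rel="stylesheet" href="<?php echo $this->moduleWebroot ?>/public/css/scalar/scalar.details.css"/>
 
-<input type="hidden" class="scalarId" value="<?php echo $this->scalar->getKey(); ?>"/>
+<input type="hidden" class="scalarId" value="<?php echo $this->escape($this->scalar->getKey()); ?>"/>
 
 <div class="thisScalarInfo">
 <div class="sectionDivider"><span class="sectionTitle">Info</span></div>
 <table class="scalarInfoTable">
 <tbody>
 <tr>
 <th>Metric:</th>
-<td><span id="thisMetric"><?php echo $this->scalar->getTrend()->getMetricName(); ?></span>
+<td><span id="thisMetric"><?php echo $this->escape($this->scalar->getTrend()->getMetricName()); ?></span>
 </td>
 </tr>
 <tr>
 <th>Value:</th>
-<td><span id="thisValue"><?php echo $this->scalar->getValue().' '.$this->scalar->getTrend()->getUnit(
-); ?></span>
+<td><span id="thisValue"><?php echo $this->escape($this->scalar->getValue()).' '.$this->escape($this->scalar->getTrend()->getUnit(
+)); ?></span>
 </td>
 </tr>
 <tr>
 <th>Submitted:</th>
 <td>
-<span id="thisSubmitTime"><?php echo $this->scalar->getSubmitTime(); ?></span>
+<span id="thisSubmitTime"><?php echo $this->escape($this->scalar->getSubmitTime()); ?></span>
 <?php
 if ($this->submittedBy) {
-echo ' by <a href="'.$this->webroot.'/user/'.$this->submittedBy->getKey(
-).'">'.$this->submittedBy->getFullName().'</a> ';
+echo ' by <a href="'.$this->webroot.'/user/'.$this->escape($this->submittedBy->getKey(
+)).'">'.$this->escape($this->submittedBy->getFullName()).'</a> ';
 }
 if (!$this->scalar->getOfficial()) {
 echo '(unofficial)';
@@ -64,7 +64,7 @@
 ?>
 <tr>
 <th>Branch:</th>
-<td><?php echo $this->scalar->getBranch(); ?></td>
+<td><?php echo $this->escape($this->scalar->getBranch()); ?></td>
 </tr>
 <?php
 }
@@ -74,15 +74,15 @@
 <th>Build Results:</th>
 <td>
 <a target="_blank"
-href="<?php echo $this->scalar->getBuildResultsUrl(); ?>">Click here</a>
+href="<?php echo $this->escape($this->scalar->getBuildResultsUrl()); ?>">Click here</a>
 </td>
 </tr>
 <?php
 }
 if ($this->extraUrls) {
 foreach ($this->extraUrls as $linkInfo) {
-echo '<tr><th>'.$linkInfo['label'].':</th><td>';
-echo '<a target="_blank" href="'.$linkInfo['href'].'">'.$linkInfo['text'].'</a>';
+echo '<tr><th>'.$this->escape($linkInfo['label']).':</th><td>';
+echo '<a target="_blank" href="'.$this->escape($linkInfo['href']).'">'.$this->escape($linkInfo['text']).'</a>';
 echo '</td></tr>';
 }
 }
@@ -108,7 +108,7 @@
 <table class="scalarInfoTable">
 <tbody>
 <?php foreach ($this->extraParams as $key => $value) {
-echo '<tr><th>'.$key.':</th><td>'.$value.'</td></tr>';
+echo '<tr><th>'.$this->escape($key).':</th><td>'.$this->escape($value).'</td></tr>';
 }
 ?>
 </tbody>
@@ -123,7 +123,7 @@
 <tbody>
 <?php
 foreach ($this->otherValues as $metricName => $value) {
-echo '<tr><th>'.$metricName.':</th><td>'.$value.'</td></tr>';
+echo '<tr><th>'.$this->escape($metricName).':</th><td>'.$this->escape($value).'</td></tr>';
 }
 ?>
 </tbody>
@@ -136,10 +136,10 @@
 <?php
 foreach ($this->resultItems as $result) {
 $item = $result['item'];
-echo '<div class="resultItemContainer"><span class="resultItemLabel">'.$result['label'].':</span> ';
-echo '<a element="'.$item->getKey().'" class="resultItemLink" href="'.$this->webroot.'/item/'.$item->getKey(
-).'" ';
-echo 'thumbnail="'.$item->getThumbnailId().'">'.$item->getName().'</a>';
+echo '<div class="resultItemContainer"><span class="resultItemLabel">'.$this->escape($result['label']).':</span> ';
+echo '<a element="'.$this->escape($item->getKey()).'" class="resultItemLink" href="'.$this->webroot.'/item/'.$this->escape($item->getKey(
+)).'" ';
+echo 'thumbnail="'.$this->escape($item->getThumbnailId()).'">'.$this->escape($item->getName()).'</a>';
 echo '</div>';
 }
 if (count($this->resultItems) === 0) {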
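Review bot: `href="<?php echo $this->escape($this->scalar->getBuildResultsUrl()); ?>"` (new line 77) and `href="'.$this->escape($linkInfo['href']).'"` (new line 85) are now HTML-escaped but still not validated, and HTML escaping does nothing against a `javascript:` URL — it contains no characters for the escaper to touch, so a stored URL of that form would still execute when the link is clicked. If these URLs originate from submission clients rather than trusted admins (not visible here), guard the scheme before emitting the anchor, e.g. `if (preg_match('#^https?://#i', $url))`, and render the bare text otherwise. Both anchors also use `target="_blank"`; adding `rel="noopener noreferrer"` keeps the opened page from reaching `window.opener`.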

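--- a/modules/tracker/views/trend/edit.phtml
+++ b/modules/tracker/views/trend/edit.phtml
@@ -32,26 +32,26 @@ $this->headScript()->appendFile($this->coreWebroot.'/public/js/jquery/jquery.for
 method="POST">
 <div class="formRow">
 <label for="metricName">Metric name</label>
-<input type="text" name="metricName" value="<?php echo $this->trend->getMetricName(); ?>"
+<input type="text" name="metricName" value="<?php echo $this->escape($this->trend->getMetricName()); ?>"
 qtip="The metric name that submission clients use to identify this trend"/>
 </div>
 <div class="formRow">
 <label for="displayName">Display name</label>
-<input type="text" name="displayName" value="<?php echo $this->trend->getDisplayName(); ?>"
+<input type="text" name="displayName" value="<?php echo $this->escape($this->trend->getDisplayName()); ?>"
 qtip="The title that is displayed in Midas for this trend"/>
 </div>
 <div class="formRow">
 <label for="unit">Unit</label>
-<input type="text" name="unit" value="<?php echo $this->trend->getUnit(); ?>"
+<input type="text" name="unit" value="<?php echo $this->escape($this->trend->getUnit()); ?>"
 qtip="The unit of measurement for this metric (optional)"/>
 </div>
 <div class="formRow">
 <label>Config Dataset</label>
 <span class="configDatasetContent">
 <?php
 if ($this->trend->getConfigItemId()) {
-echo '<a href="'.$this->webroot.'/item/'.$this->trend->getConfigItemId().'">'.$this->trend->getConfigItem(
-)->getName().'</a>';
+echo '<a href="'.$this->webroot.'/item/'.$this->escape($this->trend->getConfigItemId()).'">'.$this->escape($this->trend->getConfigItem(
+)->getName()).'</a>';
 } else {
 echo '<span class="noItem">none</span>';
 }
@@ -65,8 +65,8 @@ $this->headScript()->appendFile($this->coreWebroot.'/public/js/jquery/jquery.for
 <span class="testDatasetContent">
 <?php
 if ($this->trend->getTestDatasetId()) {
-echo '<a href="'.$this->webroot.'/item/'.$this->trend->getTestDatasetId(
-).'">'.$this->trend->getTestDatasetItem()->getName().'</a>';
+echo '<a href="'.$this->webroot.'/item/'.$this->escape($this->trend->getTestDatasetId(
+)).'">'.$this->escape($this->trend->getTestDatasetItem()->getName()).'</a>';
 } else {
 echo '<span class="noItem">none</span>';
 }
@@ -80,8 +80,8 @@ $this->headScript()->appendFile($this->coreWebroot.'/public/js/jquery/jquery.for
 <span class="truthDatasetContent">
 <?php
 if ($this->trend->getTruthDatasetId()) {
-echo '<a href="'.$this->webroot.'/item/'.$this->trend->getTruthDatasetId(
-).'">'.$this->trend->getTruthDatasetItem()->getName().'</a>';
+echo '<a href="'.$this->webroot.'/item/'.$this->escape($this->trend->getTruthDatasetId(
+)).'">'.$this->escape($this->trend->getTruthDatasetItem()->getName()).'</a>';
 } else {
 echo '<span class="noItem">none</span>';
 }
@@ -90,10 +90,10 @@ $this->headScript()->appendFile($this->coreWebroot.'/public/js/jquery/jquery.for
 <input type="button" class="removeItem" element="truth" value="Remove"/>
 <input type="button" class="selectItem" id="selectTruthDatasetItem" value="Choose"/>
 </div>
-<input type="hidden" name="configItemId" value="<?php echo $this->trend->getConfigItemId(); ?>"/>
-<input type="hidden" name="testItemId" value="<?php echo $this->trend->getTestDatasetId(); ?>"/>
-<input type="hidden" name="truthItemId" value="<?php echo $this->trend->getTruthDatasetId(); ?>"/>
-<input type="hidden" name="trendId" value="<?php echo $this->trend->getKey(); ?>"/>
+<input type="hidden" name="configItemId" value="<?php echo $this->escape($this->trend->getConfigItemId()); ?>"/>
+<input type="hidden" name="testItemId" value="<?php echo $this->escape($this->trend->getTestDatasetId()); ?>"/>
+<input type="hidden" name="truthItemId" value="<?php echo $this->escape($this->trend->getTruthDatasetId()); ?>"/>
+<input type="hidden" name="trendId" value="<?php echo $this->escape($this->trend->getKey()); ?>"/>
 
 <div class="submitButtonContainer">
 <input type="submit" class="globalButton" value="Save"/>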

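--- a/modules/tracker/views/trend/notify.phtml
+++ b/modules/tracker/views/trend/notify.phtml
@@ -42,25 +42,25 @@
 <input type="text" class="thresholdValue" name="value"
 <?php
 if ($this->setting) {
-echo ' value="'.$this->setting->getValue().'"';
+echo ' value="'.$this->escape($this->setting->getValue()).'"';
 }
 ?>
 />
 </div>
 <div class="registeredEmail">
-Registered email: <?php echo $this->userDao->getEmail(); ?>
+Registered email: <?php echo $this->escape($this->userDao->getEmail()); ?>
 </div>
 <div class="bottomButtons">
 <input type="submit" value="Save"/>
 </div>
-<input type="hidden" name="trendId" value="<?php echo $this->trend->getKey(); ?>"/>
+<input type="hidden" name="trendId" value="<?php echo $this->escape($this->trend->getKey()); ?>"/>
 </form>
 
 <div style="display: none;" id="settingInfo">
 <?php
 if ($this->setting) {
-echo '{"id": "'.$this->setting->getKey().'", "value": '.$this->setting->getValue(
-).', "operator": "'.$this->setting->getComparison().'"}';
+echo '{"id": "'.$this->escape($this->setting->getKey()).'", "value": '.$this->escape($this->setting->getValue(
+)).', "operator": "'.$this->escape($this->setting->getComparison()).'"}';
 }
 ?>
 </div>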
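Review bot: The `#settingInfo` blob on new lines 62-63 still builds JSON by hand and runs each field through `$this->escape()`, which is an HTML escaper rather than a JSON one: a value containing `"` or `\` either stays as `&quot;` and breaks `JSON.parse`, or, if the script reads the div with `.text()`, decodes back and terminates the JSON string. `value` is also interpolated bare as a JSON number, so a non-numeric setting value yields invalid JSON. Serialise once with the right encoder and then HTML-escape the result for the div: `echo $this->escape(json_encode(array('id' => $this->setting->getKey(), 'value' => $this->setting->getValue(), 'operator' => $this->setting->getComparison())));` (cast `value` with `(float)` if the client expects a number). How the trend/notify script reads this div is not visible here, so confirm it takes the element's text and uses `JSON.parse`, not `eval`.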

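--- a/modules/tracker/views/trend/view.phtml
+++ b/modules/tracker/views/trend/view.phtml
@@ -44,8 +44,8 @@ $this->headScript()->appendFile($this->coreWebroot.'/public/js/jquery/jqplot/jqp
 Configuration data:
 <?php
 if ($this->trends[0]->getConfigItemId()) {
-echo '<a href="'.$this->webroot.'/item/'.$this->trends[0]->getConfigItemId(
-).'">'.$this->trends[0]->getConfigItem()->getName().'</a>';
+echo '<a href="'.$this->webroot.'/item/'.$this->escape($this->trends[0]->getConfigItemId(
+)).'">'.$this->escape($this->trends[0]->getConfigItem()->getName()).'</a>';
 } else {
 echo '<span class="itemLinkNone">none</span>';
 }
@@ -55,8 +55,8 @@ $this->headScript()->appendFile($this->coreWebroot.'/public/js/jquery/jqplot/jqp
 Test data:
 <?php
 if ($this->trends[0]->getTestDatasetId()) {
-echo '<a href="'.$this->webroot.'/item/'.$this->trends[0]->getTestDatasetId(
-).'">'.$this->trends[0]->getTestDatasetItem()->getName().'</a>';
+echo '<a href="'.$this->webroot.'/item/'.$this->escape($this->trends[0]->getTestDatasetId(
+)).'">'.$this->escape($this->trends[0]->getTestDatasetItem()->getName()).'</a>';
 } else {
 echo '<span class="itemLinkNone">none</span>';
 }
@@ -66,8 +66,8 @@ $this->headScript()->appendFile($this->coreWebroot.'/public/js/jquery/jqplot/jqp
 Ground truth data:
 <?php
 if ($this->trends[0]->getTruthDatasetId()) {
-echo '<a href="'.$this->webroot.'/item/'.$this->trends[0]->getTruthDatasetId(
-).'">'.$this->trends[0]->getTruthDatasetItem()->getName().'</a>';
+echo '<a href="'.$this->webroot.'/item/'.$this->escape($this->trends[0]->getTruthDatasetId(
+)).'">'.$this->escape($this->trends[0]->getTruthDatasetItem()->getName()).'</a>';
 } else {
 echo '<span class="itemLinkNone">none</span>';
 }
@@ -89,7 +89,7 @@ $this->headScript()->appendFile($this->coreWebroot.'/public/js/jquery/jqplot/jqp
 <select id="branchfilter" class="branchfilter">
 <option value="">[all branches]</option>
 <?php foreach ($this->allBranches as $branch) {
-echo '<option>'.$branch.'</option>';
+echo '<option>'.$this->escape($branch).'</option>';
 } ?>
 </select>
 <button class="add-branchfilter">Add branch trend</button>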
