
Commit cc887f4

author
Jamie Snape
committed
Escape variables in sizequota module
1 parent 77eff8d commit cc887f4


3 files changed

+14
-15
lines changed


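--- a/modules/sizequota/Notification.php
+++ b/modules/sizequota/Notification.php
@@ -108,7 +108,7 @@ public function getExtraHtmlSimple($args)
 $free = number_format($free, 0, '.', '');
 $hFree = UtilityComponent::formatSize($free);
 
-return '<div id="sizequotaFreeSpace" style="display:none;">'.$free.'</div>'.'<div id="sizequotaHFreeSpace" style="display:none;">'.$hFree.'</div>';
+return '<div id="sizequotaFreeSpace" style="display:none;">'.htmlspecialchars($free, ENT_QUOTES, 'UTF-8').'</div>'.'<div id="sizequotaHFreeSpace" style="display:none;">'.htmlspecialchars($hFree, ENT_QUOTES, 'UTF-8').'</div>';
 }
 
 /**
@@ -143,7 +143,7 @@ public function getExtraHtmlRevision($args)
 $free = number_format($free, 0, '.', '');
 $hFree = UtilityComponent::formatSize($free);
 
-return '<div id="sizequotaFreeSpace" style="display:none;">'.$free.'</div>'.'<div id="sizequotaHFreeSpace" style="display:none;">'.$hFree.'</div>';
+return '<div id="sizequotaFreeSpace" style="display:none;">'.htmlspecialchars($free, ENT_QUOTES, 'UTF-8').'</div>'.'<div id="sizequotaHFreeSpace" style="display:none;">'.htmlspecialchars($hFree, ENT_QUOTES, 'UTF-8').'</div>';
 }
 }
 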
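Review bot: The `htmlspecialchars($free, ENT_QUOTES, 'UTF-8')` call on line 111 of both hunks cannot alter its input, because `$free` has just been rebuilt by `number_format($free, 0, '.', '')` and therefore holds only digits (and at most a leading minus sign); it is harmless, but the value that actually needs escaping is `$hFree`, whose producer `UtilityComponent::formatSize` is not visible here. For that one I would pass `htmlspecialchars($hFree, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')` (PHP 5.4+), since with `ENT_QUOTES` alone an invalid UTF-8 byte sequence in `$hFree` makes `htmlspecialchars` return an empty string and the element silently renders blank instead of showing a replacement character. The same return expression now appears verbatim in `getExtraHtmlSimple` and `getExtraHtmlRevision` (second hunk); a small private helper taking `$free` and `$hFree` would keep the escaping in one place. Both functions begin outside the hunks.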
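--- a/modules/sizequota/views/config/folder.phtml
+++ b/modules/sizequota/views/config/folder.phtml
@@ -30,13 +30,13 @@ echo '<script type="text/javascript" src="'.$this->moduleWebroot.'/public/js/con
 
 </div>
 <span><?php echo $this->t('Current used space:'); ?>
-<span id='hUsedSpaceValue'><?php echo $this->hUsedSpace; ?></span></span>
+<span id='hUsedSpaceValue'><?php echo $this->escape($this->hUsedSpace); ?></span></span>
 <br/>
 <span><?php echo $this->t('Total space:'); ?>
-<span id='hQuotaValue'><?php echo $this->hQuota; ?></span></span>
-<span style="display: none;" id="hFreeSpaceValue"><?php echo $this->hFreeSpace; ?></span>
-<span style="display: none;" id="quotaValue"><?php echo $this->quota; ?></span>
-<span style="display: none;" id="usedSpaceValue"><?php echo $this->usedSpace; ?></span>
+<span id='hQuotaValue'><?php echo $this->escape($this->hQuota); ?></span></span>
+<span style="display: none;" id="hFreeSpaceValue"><?php echo $this->escape($this->hFreeSpace); ?></span>
+<span style="display: none;" id="quotaValue"><?php echo $this->escape($this->quota); ?></span>
+<span style="display: none;" id="usedSpaceValue"><?php echo $this->escape($this->usedSpace); ?></span>
 <div id='quotaChart' style="height: 200px; width: 400px; display: none;"></div>
 <br/>
 <?php
@@ -55,19 +55,19 @@ if ($this->isAdmin) {
 $value = 1;
 foreach (array('KB', 'MB', 'GB', 'TB') as $unit) {
 $value *= 1024;
-echo '<option value="'.$value.'"';
+echo '<option value="'.$this->escape($value).'"';
 if ($this->unitFormValue == $unit) {
 echo ' selected="selected"';
 }
-echo '>'.$unit.'</option>';
+echo '>'.$this->escape($unit).'</option>';
 }
 ?>
 </select>
 
 <div>
 <?php echo $this->configForm['submitQuota']; ?>
 </div>
-<input type="hidden" name="folderId" value="<?php echo $this->folder->getKey(); ?>"/>
+<input type="hidden" name="folderId" value="<?php echo $this->escape($this->folder->getKey()); ?>"/>
 </form>
 <?php
 } ?>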
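Review bot: `$this->configForm['submitQuota']` on line 68 of the second hunk is now the only value in this form still echoed raw, and nothing on the line says that this is deliberate; presumably it is pre-rendered form-element markup rather than user-supplied data, so I would mark it: `<?php /* echoed raw on purpose: pre-rendered form element markup, not user data */ echo $this->configForm['submitQuota']; ?>`. The new `$this->escape(...)` calls on lines 58 and 70 put values inside double-quoted attributes, so they depend on the view's escape callback encoding `"`; the hunk does not show how that callback is configured, so it is worth confirming it is an `htmlspecialchars`-style escaper with quote encoding enabled. The enclosing `if ($this->isAdmin)` block opens before this hunk.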

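--- a/modules/sizequota/views/config/index.phtml
+++ b/modules/sizequota/views/config/index.phtml
@@ -48,11 +48,11 @@ $this->headScript()->appendFile($this->moduleWebroot.'/public/js/config/config.i
 $value = 1;
 foreach (array('KB', 'MB', 'GB', 'TB') as $unit) {
 $value *= 1024;
-echo '<option value="'.$value.'"';
+echo '<option value="'.$this->escape($value).'"';
 if ($this->unitValueUser == $unit) {
 echo ' selected="selected"';
 }
-echo '>'.$unit.'</option>';
+echo '>'.$this->escape($unit).'</option>';
 }
 echo "
 </select>
@@ -64,11 +64,11 @@ $this->headScript()->appendFile($this->moduleWebroot.'/public/js/config/config.i
 $value = 1;
 foreach (array('KB', 'MB', 'GB', 'TB') as $unit) {
 $value *= 1024;
-echo '<option value="'.$value.'"';
+echo '<option value="'.$this->escape($value).'"';
 if ($this->unitValueCommunity == $unit) {
 echo ' selected="selected"';
 }
-echo '>'.$unit.'</option>';
+echo '>'.$this->escape($unit).'</option>';
 }
 echo "
 </select>
@@ -78,5 +78,4 @@ $this->headScript()->appendFile($this->moduleWebroot.'/public/js/config/config.i
 </div>
 </form>";
 ?>
-
 </div>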
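Review bot: The option-rendering loop in the first two hunks is the same nine lines twice, differing only in which property is compared (`unitValueUser` on line 52 versus `unitValueCommunity` on line 68), and the same loop exists a third time in folder.phtml; now that each copy carries two `$this->escape(...)` calls, a later fix to one copy is likely to drift from the others. A local closure that takes the selected unit keeps the escaping in one place; the `$view = $this; … use ($view)` form below avoids relying on automatic `$this` binding inside closures, which the file's `array(...)` syntax suggests may predate. The `echo "…"` markup that opens and closes each `<select>` is left as it is, and the third hunk is whitespace only.
```php
$view = $this;
$renderUnitOptions = function ($selectedUnit) use ($view) {
    $value = 1;
    foreach (array('KB', 'MB', 'GB', 'TB') as $unit) {
        $value *= 1024;
        echo '<option value="'.$view->escape($value).'"';
        if ($selectedUnit == $unit) {
            echo ' selected="selected"';
        }
        echo '>'.$view->escape($unit).'</option>';
    }
};
// … unchanged: opening markup of the user-default <select> …
$renderUnitOptions($this->unitValueUser);
// … unchanged: markup between the two selects …
$renderUnitOptions($this->unitValueCommunity);
```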
