
fix: added missing conversion to HTML entities
thorsten committed Dec 15, 2022
1 parent 863f6cd commit 1123c08
Showing 15 changed files with 108 additions and 92 deletions.
4 changes: 2 additions & 2 deletions phpmyfaq/admin/category.main.php
Expand Up @@ -79,8 +79,8 @@
$categoryLang = Filter::filterInput(INPUT_POST, 'lang', FILTER_UNSAFE_RAW);
$categoryData = [
'lang' => $categoryLang,
'name' => Filter::filterInput(INPUT_POST, 'name', FILTER_UNSAFE_RAW),
'description' => Filter::filterInput(INPUT_POST, 'description', FILTER_UNSAFE_RAW),
'name' => Filter::filterInput(INPUT_POST, 'name', FILTER_SANITIZE_SPECIAL_CHARS),
'description' => Filter::filterInput(INPUT_POST, 'description', FILTER_SANITIZE_SPECIAL_CHARS),
'user_id' => Filter::filterInput(INPUT_POST, 'user_id', FILTER_VALIDATE_INT),
'group_id' => Filter::filterInput(INPUT_POST, 'group_id', FILTER_VALIDATE_INT),
'active' => Filter::filterInput(INPUT_POST, 'active', FILTER_VALIDATE_INT),
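Review bot: Applying FILTER_SANITIZE_SPECIAL_CHARS to the `name` and `description` entries escapes at input time, so the HTML-encoded form is what gets persisted, and every consumer that already escapes on output — including the `Strings::htmlentities($cat['name'])` calls this same commit adds in CategoryHelper.php — will double-encode (`&` becomes `&amp;amp;`). Escaping belongs at the output boundary; the input filter should stay `FILTER_UNSAFE_RAW` with any length or character-set validation done separately. If storing the encoded form is intended, say so where the array is built: `// NOTE: name/description are stored HTML-encoded (FILTER_SANITIZE_SPECIAL_CHARS); do not escape again on output.` The enclosing statement run starts before the hunk.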
60 changes: 37 additions & 23 deletions phpmyfaq/admin/news.php
Expand Up @@ -7,21 +7,21 @@
* v. 2.0. If a copy of the MPL was not distributed with this file, You can
* obtain one at http://mozilla.org/MPL/2.0/.
*
* @package phpMyFAQ
* @author Thorsten Rinne <thorsten@phpmyfaq.de>
* @author Matteo Scaramuccia <matteo@phpmyfaq.de>
* @package phpMyFAQ
* @author Thorsten Rinne <thorsten@phpmyfaq.de>
* @author Matteo Scaramuccia <matteo@phpmyfaq.de>
* @copyright 2003-2022 phpMyFAQ Team
* @license http://www.mozilla.org/MPL/2.0/ Mozilla Public License Version 2.0
* @link https://www.phpmyfaq.de
* @since 2003-02-23
* @license http://www.mozilla.org/MPL/2.0/ Mozilla Public License Version 2.0
* @link https://www.phpmyfaq.de
* @since 2003-02-23
*/

use phpMyFAQ\Comments;
use phpMyFAQ\Date;
use phpMyFAQ\Entity\CommentType;
use phpMyFAQ\Filter;
use phpMyFAQ\Helper\LanguageHelper;
use phpMyFAQ\News;
use phpMyFAQ\News;use phpMyFAQ\Strings;

if (!defined('IS_VALID_PHPMYFAQ')) {
http_response_code(400);
Expand Down Expand Up @@ -66,15 +66,19 @@
</div>

<div class="form-group row">
<label class="col-3 col-form-label" for="authorName"><?= $PMF_LANG['ad_news_author_name'] ?></label>
<label class="col-3 col-form-label" for="authorName">
<?= $PMF_LANG['ad_news_author_name'] ?>
</label>
<div class="col-9">
<input class="form-control" type="text" name="authorName" id="authorName"
value="<?= $user->getUserData('display_name') ?>">
</div>
</div>

<div class="form-group row">
<label class="col-3 col-form-label" for="authorEmail"><?= $PMF_LANG['ad_news_author_email'] ?></label>
<label class="col-3 col-form-label" for="authorEmail">
<?= $PMF_LANG['ad_news_author_email'] ?>
</label>
<div class="col-9">
<input class="form-control" type="email" name="authorEmail" id="authorEmail"
value="<?= $user->getUserData('email') ?>">
Expand All @@ -94,7 +98,9 @@
</div>

<div class="form-group row">
<label class="col-3 col-form-label" for="comment"><?= $PMF_LANG['ad_news_allowComments'] ?></label>
<label class="col-3 col-form-label" for="comment">
<?= $PMF_LANG['ad_news_allowComments'] ?>
</label>
<div class="col-9 checkbox">
<label>
<input type="checkbox" name="comment" id="comment" value="y">
Expand All @@ -106,12 +112,15 @@
<div class="form-group row">
<label class="col-3 col-form-label" for="link"><?= $PMF_LANG['ad_news_link_url'] ?></label>
<div class="col-9">
<input class="form-control" type="text" name="link" id="link" placeholder="http://www.example.com/">
<input class="form-control" type="text" name="link" id="link"
placeholder="http://www.example.com/">
</div>
</div>

<div class="form-group row">
<label class="col-3 col-form-label" for="linkTitle"><?= $PMF_LANG['ad_news_link_title'] ?></label>
<label class="col-3 col-form-label" for="linkTitle">
<?= $PMF_LANG['ad_news_link_title'] ?>
</label>
<div class="col-9">
<input type="text" name="linkTitle" id="linkTitle" class="form-control">
</div>
Expand Down Expand Up @@ -207,7 +216,7 @@
foreach ($newsHeader as $newsItem) {
?>
<tr>
<td><?= $newsItem['header'] ?></td>
<td><?= Strings::htmlentities($newsItem['header']) ?></td>
<td><?= $date->format($newsItem['date']) ?></td>
<td>
<a class="btn btn-primary" href="?action=edit-news&amp;id=<?= $newsItem['id'] ?>">
Expand Down Expand Up @@ -254,7 +263,7 @@
<label class="col-3 col-form-label" for="newsheader"><?= $PMF_LANG['ad_news_header'] ?></label>
<div class="col-9">
<input type="text" name="newsheader" id="newsheader" class="form-control"
value="<?= $newsData['header'] ?? '' ?>">
value="<?= Strings::htmlentities($newsData['header']) ?? '' ?>">
</div>
</div>

Expand All @@ -270,16 +279,20 @@
</div>

<div class="form-group row">
<label class="col-3 col-form-label" for="authorName"><?= $PMF_LANG['ad_news_author_name'] ?></label>
<label class="col-3 col-form-label" for="authorName">
<?= $PMF_LANG['ad_news_author_name'] ?>
</label>
<div class="col-9">
<input type="text" name="authorName" value="<?= $newsData['authorName'] ?>" class="form-control">
<input type="text" name="authorName" class="form-control"
value="<?= Strings::htmlentities($newsData['authorName']) ?>">
</div>
</div>

<div class="form-group row">
<label class="col-3 col-form-label" for="authorEmail"><?= $PMF_LANG['ad_news_author_email'] ?></label>
<div class="col-9">
<input type="email" name="authorEmail" value="<?= $newsData['authorEmail'] ?>" class="form-control">
<input type="email" name="authorEmail" class="form-control"
value="<?= Strings::htmlentities($newsData['authorEmail']) ?>">
</div>
</div>

Expand Down Expand Up @@ -315,15 +328,16 @@
<div class="form-group row">
<label class="col-3 col-form-label" for="link"><?= $PMF_LANG['ad_news_link_url'] ?></label>
<div class="col-9">
<input type="text" id="link" name="link" value="<?= $newsData['link'] ?>" class="form-control">
<input type="text" id="link" name="link"
value="<?= Strings::htmlentities($newsData['link']) ?>" class="form-control">
</div>
</div>

<div class="form-group row">
<label class="col-3 col-form-label" for="linkTitle"><?= $PMF_LANG['ad_news_link_title'] ?></label>
<div class="col-9">
<input type="text" id="linkTitle" name="linkTitle" value="<?= $newsData['linkTitle'] ?>"
class="form-control">
<input type="text" id="linkTitle" name="linkTitle"
value="<?= Strings::htmlentities($newsData['linkTitle']) ?>" class="form-control">
</div>
</div>

Expand Down Expand Up @@ -429,14 +443,14 @@ class="form-control">
<?php
$dateStart = Filter::filterInput(INPUT_POST, 'dateStart', FILTER_UNSAFE_RAW);
$dateEnd = Filter::filterInput(INPUT_POST, 'dateEnd', FILTER_UNSAFE_RAW);
$header = Filter::filterInput(INPUT_POST, 'newsheader', FILTER_UNSAFE_RAW);
$header = Filter::filterInput(INPUT_POST, 'newsheader', FILTER_SANITIZE_SPECIAL_CHARS);
$content = Filter::filterInput(INPUT_POST, 'news', FILTER_SANITIZE_SPECIAL_CHARS);
$author = Filter::filterInput(INPUT_POST, 'authorName', FILTER_UNSAFE_RAW);
$email = Filter::filterInput(INPUT_POST, 'authorEmail', FILTER_VALIDATE_EMAIL);
$active = Filter::filterInput(INPUT_POST, 'active', FILTER_UNSAFE_RAW);
$comment = Filter::filterInput(INPUT_POST, 'comment', FILTER_UNSAFE_RAW);
$link = Filter::filterInput(INPUT_POST, 'link', FILTER_UNSAFE_RAW);
$linkTitle = Filter::filterInput(INPUT_POST, 'linkTitle', FILTER_UNSAFE_RAW);
$link = Filter::filterInput(INPUT_POST, 'link', FILTER_SANITIZE_SPECIAL_CHARS);
$linkTitle = Filter::filterInput(INPUT_POST, 'linkTitle', FILTER_SANITIZE_SPECIAL_CHARS);
$newsLang = Filter::filterInput(INPUT_POST, 'langTo', FILTER_UNSAFE_RAW);
$target = Filter::filterInput(INPUT_POST, 'target', FILTER_UNSAFE_RAW);

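Review bot: In the edit form, `Strings::htmlentities($newsData['header']) ?? ''` applies `??` to the return value of the encoder rather than to the array element, so a missing `header` key still raises an undefined-index warning and hands null to the encoder; it should read `value="<?= Strings::htmlentities($newsData['header'] ?? '') ?>">`. The POST handler in the last hunk also switches `newsheader`, `link` and `linkTitle` to FILTER_SANITIZE_SPECIAL_CHARS while the list and edit views now encode those same stored values again on output, which double-encodes any `&`, `<` or `"` a user types — pick one boundary (output) and keep the input filter raw. The add form's `value="<?= $user->getUserData('display_name') ?>"` and the matching `email` attribute are unchanged context lines and remain unescaped; they deserve the same `Strings::htmlentities()` wrapper as the edit form now has. Finally, `use phpMyFAQ\News;use phpMyFAQ\Strings;` joins two imports on one line and should be split per PSR-12.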
14 changes: 7 additions & 7 deletions phpmyfaq/faq.php
Expand Up @@ -7,13 +7,13 @@
* v. 2.0. If a copy of the MPL was not distributed with this file, You can
* obtain one at http://mozilla.org/MPL/2.0/.
*
* @package phpMyFAQ
* @author Thorsten Rinne <thorsten@phpmyfaq.de>
* @author Lars Tiedemann <larstiedemann@yahoo.de>
* @package phpMyFAQ
* @author Thorsten Rinne <thorsten@phpmyfaq.de>
* @author Lars Tiedemann <larstiedemann@yahoo.de>
* @copyright 2002-2022 phpMyFAQ Team
* @license http://www.mozilla.org/MPL/2.0/ Mozilla Public License Version 2.0
* @link https://www.phpmyfaq.de
* @since 2002-08-27
* @license http://www.mozilla.org/MPL/2.0/ Mozilla Public License Version 2.0
* @link https://www.phpmyfaq.de
* @since 2002-08-27
*/

use phpMyFAQ\Attachment\AttachmentException;
Expand Down Expand Up @@ -338,7 +338,7 @@
'baseHref' => $faqSystem->getSystemUri($faqConfig),
'solutionId' => $faq->faqRecord['solution_id'],
'solutionIdLink' => Link::getSystemRelativeUri() . '?solution_id=' . $faq->faqRecord['solution_id'],
'question' => $question,
'question' => Strings::htmlentities($question),
'answer' => $answer,
'faqDate' => $date->format($faq->faqRecord['date']),
'faqAuthor' => $author,
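Review bot: `'question' => Strings::htmlentities($question)` uses a different encoder from the index.php hunk in this same commit, which uses `Strings::htmlspecialchars()` for template values; both are safe in an HTML text context, but the project should settle on one so reviewers can spot the odd one out. `$question` is assigned outside this hunk; if it is already run through FILTER_SANITIZE_SPECIAL_CHARS at input, as category.main.php now does for category names, this line double-encodes — worth confirming. `$answer` stays unescaped, which is presumably deliberate if answers are stored as editor HTML; a one-line comment such as `// answer is editor-generated HTML; escaping happens in the editor pipeline` would make that intent explicit.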
2 changes: 1 addition & 1 deletion phpmyfaq/index.php
Expand Up @@ -539,7 +539,7 @@
'metaTitle' => Strings::htmlspecialchars(str_replace('"', '', $faqConfig->getTitle() . $title)),
'metaDescription' => Strings::htmlspecialchars($metaDescription ?? ''),
'metaKeywords' => Strings::htmlspecialchars($keywords),
'metaPublisher' => $faqConfig->get('main.metaPublisher'),
'metaPublisher' => Strings::htmlspecialchars($faqConfig->get('main.metaPublisher')),
'metaLanguage' => $PMF_LANG['metaLanguage'],
'metaRobots' => $faqSeo->getMetaRobots($action),
'phpmyfaqversion' => $faqConfig->getVersion(),
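Review bot: `Strings::htmlspecialchars($faqConfig->get('main.metaPublisher'))` passes the config value straight through, whereas the adjacent `metaDescription` entry guards with `?? ''`; if `get()` can return null for an unset key, the encoder receives null, which is deprecated for the native function since PHP 8.1 and a TypeError if the wrapper declares a `string` parameter. Suggest `'metaPublisher' => Strings::htmlspecialchars($faqConfig->get('main.metaPublisher') ?? ''),` for consistency with the line above. The surrounding array literal starts before the hunk.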
23 changes: 12 additions & 11 deletions phpmyfaq/news.php
Expand Up @@ -8,13 +8,13 @@
* v. 2.0. If a copy of the MPL was not distributed with this file, You can
* obtain one at http://mozilla.org/MPL/2.0/.
*
* @package phpMyFAQ
* @author Thorsten Rinne <thorsten@phpmyfaq.de>
* @author Matteo Scaramuccia <matteo@scaramuccia.com>
* @package phpMyFAQ
* @author Thorsten Rinne <thorsten@phpmyfaq.de>
* @author Matteo Scaramuccia <matteo@scaramuccia.com>
* @copyright 2006-2022 phpMyFAQ Team
* @license http://www.mozilla.org/MPL/2.0/ Mozilla Public License Version 2.0
* @link https://www.phpmyfaq.de
* @since 2006-07-23
* @license http://www.mozilla.org/MPL/2.0/ Mozilla Public License Version 2.0
* @link https://www.phpmyfaq.de
* @since 2006-07-23
*/

use phpMyFAQ\Captcha;
Expand All @@ -25,6 +25,7 @@
use phpMyFAQ\Glossary;
use phpMyFAQ\Helper\CaptchaHelper;
use phpMyFAQ\News;
use phpMyFAQ\Strings;
use phpMyFAQ\User\CurrentUser;

if (!defined('IS_VALID_PHPMYFAQ')) {
Expand Down Expand Up @@ -74,9 +75,9 @@
$newsContent .= sprintf(
'</p><p>%s<a href="%s" target="%s">%s</a>',
$PMF_LANG['msgInfo'],
$news['link'],
Strings::htmlentities($news['link']),
$news['target'],
$news['linkTitle']
Strings::htmlentities($news['linkTitle'])
);
}

Expand Down Expand Up @@ -121,11 +122,11 @@
'mainPageContent',
[
'writeNewsHeader' => $newsMainHeader,
'writeHeader' => $newsHeader,
'mainPageContent' => $newsContent,
'writeHeader' => Strings::htmlentities($newsHeader),
'mainPageContent' => Strings::htmlentities($newsContent),
'writeDateMsg' => $newsDate,
'msgAboutThisNews' => $PMF_LANG['msgAboutThisNews'],
'writeAuthor' => ($news['active'] && (!$expired)) ? $PMF_LANG['msgAuthor'] . ': ' . $news['authorName'] : '',
'writeAuthor' => ($news['active'] && (!$expired)) ? $PMF_LANG['msgAuthor'] . ': ' . Strings::htmlentities($news['authorName']) : '',
'editThisEntry' => $editThisEntry,
'writeCommentMsg' => $commentMessage,
'msgWriteComment' => $PMF_LANG['newsWriteComment'],
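Review bot: Encoding the whole `$newsContent` with `Strings::htmlentities()` in the `mainPageContent` entry breaks the markup that the earlier hunk builds: the sprintf there produces `</p><p>…<a href="…" target="…">…</a>` around link and linkTitle values that are already encoded, so after this second pass the anchor tag is shown as literal text and the link fields are double-encoded. Either keep `'mainPageContent' => $newsContent,` and rely on the per-field encoding done where the string is assembled, or encode only the plain-text body before it is concatenated into the HTML. `$newsContent` is assembled from values outside this hunk, so its remaining parts need the same per-field treatment. The same question applies to `Strings::htmlentities($newsHeader)` if `$newsHeader` is built as HTML further up.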
2 changes: 1 addition & 1 deletion phpmyfaq/src/Bootstrap.php
Expand Up @@ -25,7 +25,7 @@
// Debug mode:
// - false debug mode disabled
// - true debug mode enabled
const DEBUG = false;
const DEBUG = true;
if (DEBUG) {
ini_set('display_errors', '1');
ini_set('display_startup_errors', '1');
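Review bot: `const DEBUG = true;` turns on `display_errors` and `display_startup_errors` for every request, so any uncaught error now prints messages, file paths and stack details to visitors; this looks like a local debugging toggle committed by accident, unrelated to the HTML-entity fix in the commit title. It should be reverted to `const DEBUG = false;`, and ideally the flag should be read from the environment at bootstrap rather than being a source constant, so it cannot be committed by mistake again. The `if (DEBUG)` block continues beyond the hunk.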
10 changes: 5 additions & 5 deletions phpmyfaq/src/phpMyFAQ/Category.php
Expand Up @@ -787,13 +787,13 @@ public function addCategoryLink(

$oLink = new Link($url, $this->config);
$oLink->id = 'category_' . $categoryId;
$oLink->itemTitle = $categoryName;
$oLink->text = $categoryName;
$oLink->itemTitle = Strings::htmlentities($categoryName);
$oLink->text = Strings::htmlentities($categoryName);

if ($hasChildren) {
$oLink->text .= sprintf(
'<i aria-hidden="true" class="fa fa-caret-right" title="%s"></i>',
$categoryName
Strings::htmlentities($categoryName)
);
}

Expand Down Expand Up @@ -890,8 +890,8 @@ public function getPath(
);
$oLink = new Link($url, $this->config);
$oLink->text = sprintf('<span>%s</span>', $category);
$oLink->itemTitle = $category;
$oLink->tooltip = $description[$key];
$oLink->itemTitle = Strings::htmlentities($category);
$oLink->tooltip = Strings::htmlentities($description[$key]);
if (0 === $key) {
$oLink->setRelation('index');
}
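Review bot: In getPath, `$oLink->text = sprintf('<span>%s</span>', $category);` directly above the changed lines still interpolates the raw category name while `itemTitle` and `tooltip` are now encoded; since `text` is what ends up inside the anchor body, it is the most exposed of the three and appears to have been missed. Suggest `$oLink->text = sprintf('<span>%s</span>', Strings::htmlentities($category));`. In addCategoryLink the `<i … title="%s">` argument is now encoded, which is correct. Both methods start before their hunks, and the `Strings` import for this file is not visible here, so confirm it exists.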
2 changes: 1 addition & 1 deletion phpmyfaq/src/phpMyFAQ/Database/DatabaseHelper.php
Expand Up @@ -31,7 +31,7 @@ class DatabaseHelper
/**
* @var Configuration
*/
private $config;
private Configuration $config;

/**
* Constructor.
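Review bot: With the property now declared `private Configuration $config;` the `@var Configuration` docblock only restates the native type and can be dropped, or replaced by a sentence on what the configuration is used for in this helper. A typed property without a default is uninitialized until assigned, so reading it before the constructor runs throws an Error instead of returning null; the constructor is outside the hunk, so confirm every construction path assigns it.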
18 changes: 9 additions & 9 deletions phpmyfaq/src/phpMyFAQ/Helper/CategoryHelper.php
Expand Up @@ -241,9 +241,9 @@ public function renderCategoryDropDown(): string
$parent
);
$oLink = new Link($url, $this->config);
$oLink->itemTitle = $categoryName;
$oLink->text = $categoryName;
$oLink->tooltip = $description;
$oLink->itemTitle = Strings::htmlentities($categoryName);
$oLink->text = Strings::htmlentities($categoryName);
$oLink->tooltip = !is_null($description) ?? Strings::htmlentities($description);

$output .= $oLink->toHtmlAnchor();
$open = $level;
Expand Down Expand Up @@ -274,7 +274,7 @@ public function renderMainCategories(): string
$categories .= sprintf(
'<li><a href="?action=show&cat=%d">%s</a></li>',
$cat['id'],
$cat['name']
Strings::htmlentities($cat['name'])
);
}
}
Expand Down Expand Up @@ -323,7 +323,7 @@ public function renderOptions($categoryId): string
}

$categories .= '>';
$categories .= $indent . $cat['name'] . "</option>\n";
$categories .= $indent . Strings::htmlentities($cat['name']) . "</option>\n";
++$i;
}

Expand Down Expand Up @@ -355,7 +355,7 @@ public function renderStartPageCategories(array $categories): string
'<a href="' . Strings::htmlentities($category['url']) . '">' .
Strings::htmlentities($category['name']) . '</a>' .
'</h4>' .
'<p class="card-text">' . $category['description'] . '</p>' .
'<p class="card-text">' . Strings::htmlentities($category['description']) . '</p>' .
'</div>' .
'</div>';
if ($key % 2 === 0) {
Expand Down Expand Up @@ -504,9 +504,9 @@ public function renderCategoryTree(): string
$parent
);
$oLink = new Link($url, $this->config);
$oLink->itemTitle = $categoryName;
$oLink->text = $categoryName;
$oLink->tooltip = $description;
$oLink->itemTitle = Strings::htmlentities($categoryName);
$oLink->text = Strings::htmlentities($categoryName);
$oLink->tooltip = !is_null($description) ?? Strings::htmlentities($description);

$output .= $oLink->toHtmlAnchor() . $numFaqs;
$open = $level;
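Review bot: `$oLink->tooltip = !is_null($description) ?? Strings::htmlentities($description);` in renderCategoryDropDown, and the identical line in renderCategoryTree, never assigns the description: `!is_null(...)` always yields a bool, which is never null, so the right-hand side of `??` is dead and `tooltip` becomes `true` or `false`. The intended line is `$oLink->tooltip = Strings::htmlentities($description ?? '');` (or a ternary if a null description should leave the tooltip untouched). The other hunks in this file (renderMainCategories, renderOptions, renderStartPageCategories) look right, subject to the double-encoding concern if category names and descriptions are now stored pre-encoded by category.main.php. Both affected methods begin before their hunks.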
10 changes: 5 additions & 5 deletions phpmyfaq/src/phpMyFAQ/Helper/FaqHelper.php
Expand Up @@ -163,12 +163,12 @@ public function renderAnswerPreview(string $answer, int $numWords): string
* Creates an overview with all categories with their FAQs.
*
* @param Category $category
* @param Faq $faq
* @param string $language
* @param Faq $faq
* @param string $language
* @return string
* @throws Exception
*/
public function createOverview(Category $category, Faq $faq, $language = ''): string
public function createOverview(Category $category, Faq $faq, string $language = ''): string
{
global $PMF_LANG;

Expand Down Expand Up @@ -209,8 +209,8 @@ public function createOverview(Category $category, Faq $faq, $language = ''): st
* Creates a list of links with available languages to edit a FAQ
* in the admin backend.
*
* @param $faqId
* @param $faqLang
* @param int $faqId
* @param string $faqLang
* @return string
*/
public function createFaqTranslationLinkList(int $faqId, string $faqLang): string
