# HG changeset patch # User Nathan Phillip Brink # Date 2010-10-12 21:26:07 # Node ID 936c42a99c1ef63fc361990b271d216e072ca727 # Parent 2a26704f9d52f7bcbab8b9973e2d8f6d1bb3c407 Escape user input when rendering it so that users may input things such as ampersands and double-quotes. diff --git a/class.class.php b/class.class.php --- a/class.class.php +++ b/class.class.php @@ -73,7 +73,7 @@ class Classes { $n = "\n"; $out = '' . $n - . ' getName()) . '"/>' . $n + . ' ' . $n . ' ' . $n . '
' . $n . '
' . $n diff --git a/class.schedule.php b/class.schedule.php --- a/class.schedule.php +++ b/class.schedule.php @@ -290,7 +290,7 @@ class Schedule "\n"; */ $headcode = array('outputStyle', 'jQuery', 'jQueryUI', 'uiTabsKeyboard'); } - $outputPage = new page($this->getName(), $headcode); + $outputPage = new Page(htmlentities($this->getName()), $headcode); @@ -377,11 +377,11 @@ class Schedule { if($this->classStorage[$j]->getSection($this->storage[$i][$j])->getEndTime() > $time[$r+1]) { - $table .= "\n\t\t" . $this->classStorage[$j]->getName() . " " . $this->classStorage[$j]->getSection($this->storage[$i][$j])->getLetter() . ""; + $table .= "\n\t\t" . htmlentities($this->classStorage[$j]->getName()) . " " . htmlentities( $this->classStorage[$j]->getSection($this->storage[$i][$j])->getLetter() ) . ""; $M = $j; $filled = true; } else { - $table .= "\n\t\t" . $this->classStorage[$j]->getName() . " " . $this->classStorage[$j]->getSection($this->storage[$i][$j])->getLetter() . ""; + $table .= "\n\t\t" . htmlentities($this->classStorage[$j]->getName()) . " " . htmlentities( $this->classStorage[$j]->getSection($this->storage[$i][$j])->getLetter() ) . ""; $filled = true; } } 
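Review bot: The new `htmlentities($this->getName())` call relies on the function's default flags and charset, which depending on the PHP version are ENT_COMPAT and ISO-8859-1: multibyte UTF-8 characters in a name are then either converted byte-by-byte into wrong entities or (on releases that validate input) make the call return an empty string, and single quotes are never escaped. Pass both explicitly, `new Page(htmlentities($this->getName(), ENT_QUOTES, 'UTF-8'), $headcode);`, and use the same arguments in every other call this commit adds so the escaping behaves identically in attribute and text context; `htmlspecialchars()` with the same arguments is enough for this purpose and avoids encoding every accented character. The constructor call was `page` and is now `Page`; PHP resolves class names case-insensitively so this works, but the declaration in inc/class.page.php is `class page`, so one spelling should be used. The enclosing method starts before the hunk and continues after it.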
@@ -420,11 +420,11 @@ class Schedule { if($this->classStorage[$j]->getSection($this->storage[$i][$j])->getEndTime() > $time[$r+1]) { - $table .= "\n\t\t" . $this->classStorage[$j]->getName() . " " . $this->classStorage[$j]->getSection($this->storage[$i][$j])->getLetter() . ""; + $table .= "\n\t\t" . htmlentities($this->classStorage[$j]->getName()) . " " . htmlentities( $this->classStorage[$j]->getSection($this->storage[$i][$j])->getLetter() ) . ""; $Tu = $j; $filled = true; } else { - $table .= "\n\t\t" . $this->classStorage[$j]->getName() . " " . $this->classStorage[$j]->getSection($this->storage[$i][$j])->getLetter() . ""; + $table .= "\n\t\t" . htmlentities($this->classStorage[$j]->getName()) . " " . htmlentities( $this->classStorage[$j]->getSection($this->storage[$i][$j])->getLetter() ) . ""; $filled = true; } } @@ -463,11 +463,11 @@ class Schedule { if($this->classStorage[$j]->getSection($this->storage[$i][$j])->getEndTime() > $time[$r+1]) { - $table .= "\n\t\t" . $this->classStorage[$j]->getName() . " " . $this->classStorage[$j]->getSection($this->storage[$i][$j])->getLetter() . ""; + $table .= "\n\t\t" . htmlentities($this->classStorage[$j]->getName()) . " " . htmlentities( $this->classStorage[$j]->getSection($this->storage[$i][$j])->getLetter() ) . ""; $W = $j; $filled = true; } else { - $table .= "\n\t\t" . $this->classStorage[$j]->getName() . " " . $this->classStorage[$j]->getSection($this->storage[$i][$j])->getLetter() . ""; + $table .= "\n\t\t" . htmlentities($this->classStorage[$j]->getName()) . " " . htmlentities( $this->classStorage[$j]->getSection($this->storage[$i][$j])->getLetter() ) . ""; $filled = true; } } 
@@ -506,11 +506,11 @@ class Schedule { if($this->classStorage[$j]->getSection($this->storage[$i][$j])->getEndTime() > $time[$r+1]) { - $table .= "\n\t\t" . $this->classStorage[$j]->getName() . " " . $this->classStorage[$j]->getSection($this->storage[$i][$j])->getLetter() . ""; + $table .= "\n\t\t" . htmlentities($this->classStorage[$j]->getName()) . " " . htmlentities( $this->classStorage[$j]->getSection($this->storage[$i][$j])->getLetter() ) . ""; $Th = $j; $filled = true; } else { - $table .= "\n\t\t" . $this->classStorage[$j]->getName() . " " . $this->classStorage[$j]->getSection($this->storage[$i][$j])->getLetter() . ""; + $table .= "\n\t\t" . htmlentities($this->classStorage[$j]->getName()) . " " . htmlentities( $this->classStorage[$j]->getSection($this->storage[$i][$j])->getLetter() ) . ""; $filled = true; } } @@ -549,11 +549,11 @@ class Schedule { if($this->classStorage[$j]->getSection($this->storage[$i][$j])->getEndTime() > $time[$r+1]) { - $table .= "\n\t\t" . $this->classStorage[$j]->getName() . " " . $this->classStorage[$j]->getSection($this->storage[$i][$j])->getLetter() . ""; + $table .= "\n\t\t" . htmlentities($this->classStorage[$j]->getName()) . " " . htmlentities( $this->classStorage[$j]->getSection($this->storage[$i][$j])->getLetter() ) . ""; $F = $j; $filled = true; } else { - $table .= "\n\t\t" . $this->classStorage[$j]->getName() . " " . $this->classStorage[$j]->getSection($this->storage[$i][$j])->getLetter() . ""; + $table .= "\n\t\t" . htmlentities($this->classStorage[$j]->getName()) . " " . htmlentities( $this->classStorage[$j]->getSection($this->storage[$i][$j])->getLetter() ) . ""; $filled = true; } } diff --git a/class.section.php b/class.section.php --- a/class.section.php +++ b/class.section.php @@ -172,7 +172,7 @@ class Section $out .= ' ' . $n . ' ' . $n + . ' value="' . htmlentities($this->letter) . '" />' . $n . " \n"; break; } diff --git a/inc/class.page.php b/inc/class.page.php --- a/inc/class.page.php +++ b/inc/class.page.php 
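Review bot: The escaped `name . " " . letter` cell label is built by the same two-line expression in ten places across the Monday-to-Friday hunks (-377 through -549), so the escaping had to be edited ten times and any later change (flags, charset, an extra field) must be repeated the same way, which is exactly how an unescaped copy gets missed. Move the label into one private helper and call it from each branch as `$this->cellLabel($i, $j)`; the tag markup surrounding the label is not visible in this rendering of the hunk and is left as it is. The enclosing method starts before the hunk and continues after it.
```php
/**
 * HTML-escaped "<class name> <section letter>" label for the cell at
 * row $i, column $j. ENT_QUOTES/UTF-8 so the string is safe in both
 * text and attribute context.
 */
private function cellLabel($i, $j)
{
    $class = $this->classStorage[$j];
    $section = $class->getSection($this->storage[$i][$j]);

    return htmlentities($class->getName(), ENT_QUOTES, 'UTF-8')
        . ' '
        . htmlentities($section->getLetter(), ENT_QUOTES, 'UTF-8');
}

// … unchanged: per-day loops; each escaped name/letter pair becomes $this->cellLabel($i, $j) …
```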
@@ -40,6 +40,10 @@ class page /* the current school. See get_school(). */ private $school; + /** + * \param $ntitle + * Must be a valid HTML string (i.e., escaped with htmlentities()). + */ public function __construct($ntitle, $nscripts = array(), $immediate = TRUE) { global $ga_trackers; diff --git a/input.php b/input.php --- a/input.php +++ b/input.php @@ -79,7 +79,7 @@ if (!empty($_REQUEST['selectschool'])
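Review bot: The new docblock makes every caller of the constructor responsible for escaping `$ntitle`, which puts the check on the wrong side of the boundary: the one call site updated in this commit (class.schedule.php) does it, but any other `new page(...)` in the tree, none of which is visible here, keeps passing a raw name, and nothing in the signature enforces the contract. Escape at the sink instead, by having the constructor (or the code that emits the title, which is outside this hunk) apply `htmlspecialchars($ntitle, ENT_QUOTES, 'UTF-8')` itself, and drop the pre-escaping at callers so the title is not double-encoded. If the contract must stay as written, the comment should say what the consequence is, e.g. `Must already be HTML-escaped; the constructor stores it as-is and it is emitted into the page without further escaping` — confirm against the code that stores and prints it, which this hunk does not show. The constructor body continues outside the hunk.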

getName()) . '"'; /*"*/ ?> +getName()) . '"'; /*"*/ ?> />