SlatePermutate Changeset - 936c42a99c1e · protofusion repositories

Changeset - 936c42a99c1e

Parent rev.

Child rev.

[Not reviewed]

default

0 5 0

Nathan Brink (binki) - 15 years ago 2010-10-12 21:26:07
ohnobinki@ohnopublishing.net

Escape user input when rendering it so that users may input things such as ampersands and double-quotes.

5 files changed with 18 insertions and 14 deletions:

class.class.php

class.schedule.php

class.section.php

inc/class.page.php

input.php

0 comments (0 inline, 0 general)

class.class.php

➞

Show inline comments

@@ @@ -73,7 +73,7 @@ class Classes @@
+  {
     $n = "\n";
     $out = '<tr title="' . $class_key . '" class="class class' . $class_key . '">' . $n
-      . '  <td><input type="text" class="required defText" title="Class Name" name="postData[' . $class_key . '][name]" value="' . str_replace('"', '&quot;', $this->getName()) . '"/></td>' . $n
+      . '  <td><input type="text" class="required defText" title="Class Name" name="postData[' . $class_key . '][name]" value="' . htmlentities($this->getName()) . '"/></td>' . $n
       . '  <td colspan="8"></td>' . $n
       . '  <td class="tdInput"><div class="addSection"><input type="button" value="Add section" /></div></td>' . $n
       . '  <td class="tdInput"><div class="deleteClass"><input type="button" value="Remove" /></div></td>' . $n

class.schedule.php

➞

Show inline comments

@@ @@ -290,7 +290,7 @@ class Schedule @@
 	"\n</script>"; */
       $headcode = array('outputStyle',  'jQuery', 'jQueryUI', 'uiTabsKeyboard');
+    }
-    $outputPage = new page($this->getName(), $headcode);
+    $outputPage = new Page(htmlentities($this->getName()), $headcode);
@@ @@ -377,11 +377,11 @@ class Schedule @@
+			      {
 				if($this->classStorage[$j]->getSection($this->storage[$i][$j])->getEndTime() > $time[$r+1])
+				  {
-				    $table .= "\n\t\t<td class=\"top class{$j}\">" . $this->classStorage[$j]->getName() . " " . $this->classStorage[$j]->getSection($this->storage[$i][$j])->getLetter() . "</td>";
+				    $table .= "\n\t\t<td class=\"top class{$j}\">" . htmlentities($this->classStorage[$j]->getName()) . " " . htmlentities( $this->classStorage[$j]->getSection($this->storage[$i][$j])->getLetter() ) . "</td>";
 				    $M = $j;
 				    $filled = true;
 				  } else {
-				  $table .= "\n\t\t<td class=\"single class{$j}\">" . $this->classStorage[$j]->getName() . " " . $this->classStorage[$j]->getSection($this->storage[$i][$j])->getLetter() . "</td>";
+				  $table .= "\n\t\t<td class=\"single class{$j}\">" . htmlentities($this->classStorage[$j]->getName()) . " " . htmlentities( $this->classStorage[$j]->getSection($this->storage[$i][$j])->getLetter() ) . "</td>";
 				  $filled = true;
+				}
+			      }
@@ @@ -420,11 +420,11 @@ class Schedule @@
+			      {
 				if($this->classStorage[$j]->getSection($this->storage[$i][$j])->getEndTime() > $time[$r+1])
+				  {
-				    $table .= "\n\t\t<td class=\"top class{$j}\">" . $this->classStorage[$j]->getName() . " " . $this->classStorage[$j]->getSection($this->storage[$i][$j])->getLetter() . "</td>";
+				    $table .= "\n\t\t<td class=\"top class{$j}\">" . htmlentities($this->classStorage[$j]->getName()) . " " . htmlentities( $this->classStorage[$j]->getSection($this->storage[$i][$j])->getLetter() ) . "</td>";
 				    $Tu = $j;
 				    $filled = true;
 				  } else {
-				  $table .= "\n\t\t<td class=\"single class{$j}\">" . $this->classStorage[$j]->getName() . " " . $this->classStorage[$j]->getSection($this->storage[$i][$j])->getLetter() . "</td>";
+				  $table .= "\n\t\t<td class=\"single class{$j}\">" . htmlentities($this->classStorage[$j]->getName()) . " " . htmlentities( $this->classStorage[$j]->getSection($this->storage[$i][$j])->getLetter() ) . "</td>";
 				  $filled = true;
+				}
+			      }
@@ @@ -463,11 +463,11 @@ class Schedule @@
+			      {
 				if($this->classStorage[$j]->getSection($this->storage[$i][$j])->getEndTime() > $time[$r+1])
+				  {
-				    $table .= "\n\t\t<td class=\"top class{$j}\">" . $this->classStorage[$j]->getName() . " " . $this->classStorage[$j]->getSection($this->storage[$i][$j])->getLetter() . "</td>";
+				    $table .= "\n\t\t<td class=\"top class{$j}\">" . htmlentities($this->classStorage[$j]->getName()) . " " . htmlentities( $this->classStorage[$j]->getSection($this->storage[$i][$j])->getLetter() ) . "</td>";
 				    $W = $j;
 				    $filled = true;
 				  } else {
-				  $table .= "\n\t\t<td class=\"single class{$j}\">" . $this->classStorage[$j]->getName() . " " . $this->classStorage[$j]->getSection($this->storage[$i][$j])->getLetter() . "</td>";
+				  $table .= "\n\t\t<td class=\"single class{$j}\">" . htmlentities($this->classStorage[$j]->getName()) . " " . htmlentities( $this->classStorage[$j]->getSection($this->storage[$i][$j])->getLetter() ) . "</td>";
 				  $filled = true;
+				}
+			      }
@@ @@ -506,11 +506,11 @@ class Schedule @@
+			      {
 				if($this->classStorage[$j]->getSection($this->storage[$i][$j])->getEndTime() > $time[$r+1])
+				  {
-				    $table .= "\n\t\t<td class=\"top class{$j}\">" . $this->classStorage[$j]->getName() . " " . $this->classStorage[$j]->getSection($this->storage[$i][$j])->getLetter() . "</td>";
+				    $table .= "\n\t\t<td class=\"top class{$j}\">" . htmlentities($this->classStorage[$j]->getName()) . " " . htmlentities( $this->classStorage[$j]->getSection($this->storage[$i][$j])->getLetter() ) . "</td>";
 				    $Th = $j;
 				    $filled = true;
 				  } else {
-				  $table .= "\n\t\t<td class=\"single class{$j}\">" . $this->classStorage[$j]->getName() . " " . $this->classStorage[$j]->getSection($this->storage[$i][$j])->getLetter() . "</td>";
+				  $table .= "\n\t\t<td class=\"single class{$j}\">" . htmlentities($this->classStorage[$j]->getName()) . " " . htmlentities( $this->classStorage[$j]->getSection($this->storage[$i][$j])->getLetter() ) . "</td>";
 				  $filled = true;
+				}
+			      }
@@ @@ -549,11 +549,11 @@ class Schedule @@
+			      {
 				if($this->classStorage[$j]->getSection($this->storage[$i][$j])->getEndTime() > $time[$r+1])
+				  {
-				    $table .= "\n\t\t<td class=\"top class{$j}\">" . $this->classStorage[$j]->getName() . " " . $this->classStorage[$j]->getSection($this->storage[$i][$j])->getLetter() . "</td>";
+				    $table .= "\n\t\t<td class=\"top class{$j}\">" . htmlentities($this->classStorage[$j]->getName()) . " " . htmlentities( $this->classStorage[$j]->getSection($this->storage[$i][$j])->getLetter() ) . "</td>";
 				    $F = $j;
 				    $filled = true;
 				  } else {
-				  $table .= "\n\t\t<td class=\"single class{$j}\">" . $this->classStorage[$j]->getName() . " " . $this->classStorage[$j]->getSection($this->storage[$i][$j])->getLetter() . "</td>";
+				  $table .= "\n\t\t<td class=\"single class{$j}\">" . htmlentities($this->classStorage[$j]->getName()) . " " . htmlentities( $this->classStorage[$j]->getSection($this->storage[$i][$j])->getLetter() ) . "</td>";
 				  $filled = true;
+				}
+			      }

class.section.php

➞

Show inline comments

@@ @@ -172,7 +172,7 @@ class Section @@
 	$out .= '  <td class="sectionIdentifier center">' . $n
 	. '    <input type="text" size="1" class="required" title="Section Name"' . $n
 	. '           name="postData[' . $class_key . '][' . $section_key . '][letter]"' . $n
 	. '           value="' . $this->letter . '" />' . $n
+	. '           value="' . htmlentities($this->letter) . '" />' . $n
 	. "  </td>\n";
       break;
+      }

inc/class.page.php

➞

Show inline comments

@@ @@ -40,6 +40,10 @@ class page @@
   /* the current school. See get_school(). */
   private $school;
   /**
    * \param $ntitle
    *   Must be a valid HTML string (i.e., escaped with htmlentities()).
    */
   public function __construct($ntitle, $nscripts = array(), $immediate = TRUE)
+  {
     global $ga_trackers;

input.php

➞

Show inline comments

@@ @@ -79,7 +79,7 @@ if (!empty($_REQUEST['selectschool']) @@
 <br />
 <label>Schedule Name</label><br />
 <input id="scheduleName" style="margin-bottom: 1em;" class="defText required" type="text" size="25" title="(e.g., Spring <?php echo Date('Y'); ?>)" name="postData[name]"
-<?php if ($sch) echo 'value="' . str_replace('"', '&quot;', $sch->getName()) . '"'; /*"*/ ?>
+<?php if ($sch) echo 'value="' . htmlentities($sch->getName()) . '"'; /*"*/ ?>
 />
 <table id="container">

0 comments (0 inline, 0 general)