Changeset - 936c42a99c1e
Nathan Brink (binki) - 15 years ago 2010-10-12 21:26:07
ohnobinki@ohnopublishing.net
Escape user input when rendering it so that users may input things such as ampersands and double-quotes.
5 files changed with 18 insertions and 14 deletions:
class.class.php
 
@@ -70,13 +70,13 @@ class Classes
 
   *   Renders this Classes into something suitable for input.php.
 
   */
 
  function input_form_render($class_key)
 
  {
 
    $n = "\n";
 
    $out = '<tr title="' . $class_key . '" class="class class' . $class_key . '">' . $n
 
      . '  <td><input type="text" class="required defText" title="Class Name" name="postData[' . $class_key . '][name]" value="' . str_replace('"', '&quot;', $this->getName()) . '"/></td>' . $n
 
      . '  <td><input type="text" class="required defText" title="Class Name" name="postData[' . $class_key . '][name]" value="' . htmlentities($this->getName()) . '"/></td>' . $n
 
      . '  <td colspan="8"></td>' . $n
 
      . '  <td class="tdInput"><div class="addSection"><input type="button" value="Add section" /></div></td>' . $n
 
      . '  <td class="tdInput"><div class="deleteClass"><input type="button" value="Remove" /></div></td>' . $n
 
      . "</tr>\n";
 

	
 
    foreach ($this->sections as $key => $section)
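Review bot: `htmlentities()` on the new `value="..."` line is called with no flags and no charset, so what it emits depends on PHP's default charset (ISO-8859-1 before PHP 5.4) and, before PHP 8.1, single quotes are left unencoded; the attribute is double-quoted, so it is safe as written, but `htmlentities($this->getName(), ENT_QUOTES, 'UTF-8')` (charset matching what the page declares) makes the escaping independent of runtime configuration. The same bare call appears in the class.schedule.php, class.section.php and input.php hunks of this changeset. `$class_key` is still interpolated unescaped into the `title`, `class` and `name` attributes on the surrounding lines; its origin is not visible here, so if it can ever be more than an array index it needs the same treatment. `input_form_render` continues past the end of the hunk.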
class.schedule.php
 
@@ -287,13 +287,13 @@ class Schedule
 
    else {
 
/*      $footcloser .="<script type=\"text/javascript\" charset=\"utf-8\">". 
 
	"\n\tvar my_glider = new Glider('my-glider', {duration:0});".
 
	"\n</script>"; */
 
      $headcode = array('outputStyle',  'jQuery', 'jQueryUI', 'uiTabsKeyboard');
 
    }
 
    $outputPage = new page($this->getName(), $headcode);
 
    $outputPage = new Page(htmlentities($this->getName()), $headcode);
 

	
 

	
 

	
 
    if(isset($_REQUEST['print'])){
 
 
 
     echo '<script type="text/javascript">';
 
@@ -374,17 +374,17 @@ class Schedule
 
			if($this->classStorage[$j]->getSection($this->storage[$i][$j])->getM())
 
			  {
 
			    if(($this->classStorage[$j]->getSection($this->storage[$i][$j])->getStartTime() >= $time[$r]) && ($this->classStorage[$j]->getSection($this->storage[$i][$j])->getStartTime() < $time[$r+1]))
 
			      {
 
				if($this->classStorage[$j]->getSection($this->storage[$i][$j])->getEndTime() > $time[$r+1])
 
				  {
 
				    $table .= "\n\t\t<td class=\"top class{$j}\">" . $this->classStorage[$j]->getName() . " " . $this->classStorage[$j]->getSection($this->storage[$i][$j])->getLetter() . "</td>";
 
				    $table .= "\n\t\t<td class=\"top class{$j}\">" . htmlentities($this->classStorage[$j]->getName()) . " " . htmlentities( $this->classStorage[$j]->getSection($this->storage[$i][$j])->getLetter() ) . "</td>";
 
				    $M = $j;
 
				    $filled = true;
 
				  } else {
 
				  $table .= "\n\t\t<td class=\"single class{$j}\">" . $this->classStorage[$j]->getName() . " " . $this->classStorage[$j]->getSection($this->storage[$i][$j])->getLetter() . "</td>";
 
				  $table .= "\n\t\t<td class=\"single class{$j}\">" . htmlentities($this->classStorage[$j]->getName()) . " " . htmlentities( $this->classStorage[$j]->getSection($this->storage[$i][$j])->getLetter() ) . "</td>";
 
				  $filled = true;
 
				}
 
			      }
 
			  }
 
		      } else {
 
		      if($j == $M)
 
@@ -417,17 +417,17 @@ class Schedule
 
			if($this->classStorage[$j]->getSection($this->storage[$i][$j])->getTu())
 
			  {
 
			    if(($this->classStorage[$j]->getSection($this->storage[$i][$j])->getStartTime() >= $time[$r]) && ($this->classStorage[$j]->getSection($this->storage[$i][$j])->getStartTime() < $time[$r+1]))
 
			      {
 
				if($this->classStorage[$j]->getSection($this->storage[$i][$j])->getEndTime() > $time[$r+1])
 
				  {
 
				    $table .= "\n\t\t<td class=\"top class{$j}\">" . $this->classStorage[$j]->getName() . " " . $this->classStorage[$j]->getSection($this->storage[$i][$j])->getLetter() . "</td>";
 
				    $table .= "\n\t\t<td class=\"top class{$j}\">" . htmlentities($this->classStorage[$j]->getName()) . " " . htmlentities( $this->classStorage[$j]->getSection($this->storage[$i][$j])->getLetter() ) . "</td>";
 
				    $Tu = $j;
 
				    $filled = true;
 
				  } else {
 
				  $table .= "\n\t\t<td class=\"single class{$j}\">" . $this->classStorage[$j]->getName() . " " . $this->classStorage[$j]->getSection($this->storage[$i][$j])->getLetter() . "</td>";
 
				  $table .= "\n\t\t<td class=\"single class{$j}\">" . htmlentities($this->classStorage[$j]->getName()) . " " . htmlentities( $this->classStorage[$j]->getSection($this->storage[$i][$j])->getLetter() ) . "</td>";
 
				  $filled = true;
 
				}
 
			      }
 
			  }
 
		      } else {
 
		      if($j == $Tu)
 
@@ -460,17 +460,17 @@ class Schedule
 
			if($this->classStorage[$j]->getSection($this->storage[$i][$j])->getW())
 
			  {
 
			    if(($this->classStorage[$j]->getSection($this->storage[$i][$j])->getStartTime() >= $time[$r]) && ($this->classStorage[$j]->getSection($this->storage[$i][$j])->getStartTime() < $time[$r+1]))
 
			      {
 
				if($this->classStorage[$j]->getSection($this->storage[$i][$j])->getEndTime() > $time[$r+1])
 
				  {
 
				    $table .= "\n\t\t<td class=\"top class{$j}\">" . $this->classStorage[$j]->getName() . " " . $this->classStorage[$j]->getSection($this->storage[$i][$j])->getLetter() . "</td>";
 
				    $table .= "\n\t\t<td class=\"top class{$j}\">" . htmlentities($this->classStorage[$j]->getName()) . " " . htmlentities( $this->classStorage[$j]->getSection($this->storage[$i][$j])->getLetter() ) . "</td>";
 
				    $W = $j;
 
				    $filled = true;
 
				  } else {
 
				  $table .= "\n\t\t<td class=\"single class{$j}\">" . $this->classStorage[$j]->getName() . " " . $this->classStorage[$j]->getSection($this->storage[$i][$j])->getLetter() . "</td>";
 
				  $table .= "\n\t\t<td class=\"single class{$j}\">" . htmlentities($this->classStorage[$j]->getName()) . " " . htmlentities( $this->classStorage[$j]->getSection($this->storage[$i][$j])->getLetter() ) . "</td>";
 
				  $filled = true;
 
				}
 
			      }
 
			  }
 
		      } else {
 
		      if($j == $W)
 
@@ -503,17 +503,17 @@ class Schedule
 
			if($this->classStorage[$j]->getSection($this->storage[$i][$j])->getTh())
 
			  {
 
			    if(($this->classStorage[$j]->getSection($this->storage[$i][$j])->getStartTime() >= $time[$r]) && ($this->classStorage[$j]->getSection($this->storage[$i][$j])->getStartTime() < $time[$r+1]))
 
			      {
 
				if($this->classStorage[$j]->getSection($this->storage[$i][$j])->getEndTime() > $time[$r+1])
 
				  {
 
				    $table .= "\n\t\t<td class=\"top class{$j}\">" . $this->classStorage[$j]->getName() . " " . $this->classStorage[$j]->getSection($this->storage[$i][$j])->getLetter() . "</td>";
 
				    $table .= "\n\t\t<td class=\"top class{$j}\">" . htmlentities($this->classStorage[$j]->getName()) . " " . htmlentities( $this->classStorage[$j]->getSection($this->storage[$i][$j])->getLetter() ) . "</td>";
 
				    $Th = $j;
 
				    $filled = true;
 
				  } else {
 
				  $table .= "\n\t\t<td class=\"single class{$j}\">" . $this->classStorage[$j]->getName() . " " . $this->classStorage[$j]->getSection($this->storage[$i][$j])->getLetter() . "</td>";
 
				  $table .= "\n\t\t<td class=\"single class{$j}\">" . htmlentities($this->classStorage[$j]->getName()) . " " . htmlentities( $this->classStorage[$j]->getSection($this->storage[$i][$j])->getLetter() ) . "</td>";
 
				  $filled = true;
 
				}
 
			      }
 
			  }
 
		      } else {
 
		      if($j == $Th)
 
@@ -546,17 +546,17 @@ class Schedule
 
			if($this->classStorage[$j]->getSection($this->storage[$i][$j])->getF())
 
			  {
 
			    if(($this->classStorage[$j]->getSection($this->storage[$i][$j])->getStartTime() >= $time[$r]) && ($this->classStorage[$j]->getSection($this->storage[$i][$j])->getStartTime() < $time[$r+1]))
 
			      {
 
				if($this->classStorage[$j]->getSection($this->storage[$i][$j])->getEndTime() > $time[$r+1])
 
				  {
 
				    $table .= "\n\t\t<td class=\"top class{$j}\">" . $this->classStorage[$j]->getName() . " " . $this->classStorage[$j]->getSection($this->storage[$i][$j])->getLetter() . "</td>";
 
				    $table .= "\n\t\t<td class=\"top class{$j}\">" . htmlentities($this->classStorage[$j]->getName()) . " " . htmlentities( $this->classStorage[$j]->getSection($this->storage[$i][$j])->getLetter() ) . "</td>";
 
				    $F = $j;
 
				    $filled = true;
 
				  } else {
 
				  $table .= "\n\t\t<td class=\"single class{$j}\">" . $this->classStorage[$j]->getName() . " " . $this->classStorage[$j]->getSection($this->storage[$i][$j])->getLetter() . "</td>";
 
				  $table .= "\n\t\t<td class=\"single class{$j}\">" . htmlentities($this->classStorage[$j]->getName()) . " " . htmlentities( $this->classStorage[$j]->getSection($this->storage[$i][$j])->getLetter() ) . "</td>";
 
				  $filled = true;
 
				}
 
			      }
 
			  }
 
		      } else {
 
		      if($j == $F)
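Review bot: The escaping added in the @@ -374,17 hunk is copied verbatim into ten `$table .=` lines across this hunk and the four that follow (@@ -417, @@ -460, @@ -503, @@ -546), so the output-encoding rule now lives in ten places and a future cell can silently skip it. A small private helper that builds the `<td>` for one class/section and applies `htmlentities()` once would let each call site collapse to `$table .= $this->renderCell($i, $j, 'top');` or `'single'`, and it is also the single place to give `htmlentities()` explicit flags and a charset instead of relying on PHP's default (the charset must match what Page emits; UTF-8 is assumed below). The enclosing method starts and ends outside these hunks.
```php
// … unchanged: day/time loop up to the getM() check …
$table .= $this->renderCell($i, $j, 'top');
// … unchanged: $M = $j; $filled = true; …
$table .= $this->renderCell($i, $j, 'single');
// … unchanged: remainder of the loop …

/**
 * Builds one schedule table cell for class $j at row $i; $cssClass is 'top' or 'single'.
 * HTML-escapes the class name and section letter here so the rule lives in one place.
 */
private function renderCell($i, $j, $cssClass)
{
  $section = $this->classStorage[$j]->getSection($this->storage[$i][$j]);
  return "\n\t\t<td class=\"{$cssClass} class{$j}\">"
    . htmlentities($this->classStorage[$j]->getName(), ENT_QUOTES, 'UTF-8')
    . ' ' . htmlentities($section->getLetter(), ENT_QUOTES, 'UTF-8')
    . '</td>';
}
```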
class.section.php
 
@@ -169,13 +169,13 @@ class Section
 
      case 'numerous':
 
      default:
 
	/* see customIds() in scheduleInput.js */
 
	$out .= '  <td class="sectionIdentifier center">' . $n
 
	. '    <input type="text" size="1" class="required" title="Section Name"' . $n
 
	. '           name="postData[' . $class_key . '][' . $section_key . '][letter]"' . $n
 
	. '           value="' . $this->letter . '" />' . $n
 
	. '           value="' . htmlentities($this->letter) . '" />' . $n
 
	. "  </td>\n";
 
      break;
 
      }
 

	
 
    $out .= "  <td>\n"
 
      . '    <select class="selectRequired" name="postData[' . $class_key . '][' . $section_key . '][start]">' . $n;
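Review bot: The `name` attribute two lines above the changed `value` line still interpolates `$class_key` and `$section_key` raw while `$this->letter` is now escaped; if those keys are only ever integer indices from the caller's loop that is fine, but nothing in the hunk records it. Either escape them the same way or state the invariant, e.g. `/* $class_key / $section_key are array indices, never user text, so they are emitted unescaped */` above the `$out .=` line. The enclosing method starts and ends outside the hunk.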
inc/class.page.php
 
@@ -37,12 +37,16 @@ class page
 
  private $pagetitle = ''; // Title of page
 
  private $scripts = array(); // Scripts to include on page
 

	
 
  /* the current school. See get_school(). */
 
  private $school;
 

	
 
  /**
 
   * \param $ntitle
 
   *   Must be a valid HTML string (i.e., escaped with htmlentities()).
 
   */
 
  public function __construct($ntitle, $nscripts = array(), $immediate = TRUE)
 
  {
 
    global $ga_trackers;
 

	
 
    require_once('school.inc');
 

	
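Review bot: The new docblock puts the escaping burden on every caller of `page::__construct`, but nothing in the class itself records that `$pagetitle` holds already-escaped HTML, so the line that echoes it (outside this hunk) could later be double-escaped or replaced with a raw echo without anyone noticing. The property comment at the top of the hunk should carry the same contract: `private $pagetitle = ''; // Title of page; already HTML-escaped by the caller (see __construct())`. Escaping at the point of output inside Page would be the more robust design, since a "pre-escaped string" parameter cannot be checked by the type system, but that is a larger change than this commit intends.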
input.php
 
@@ -76,13 +76,13 @@ if (!empty($_REQUEST['selectschool'])
 
  classes, and add available sections for each class.
 
</p>
 
<form method="post" action="process.php" id="scheduleForm">
 
<br />
 
<label>Schedule Name</label><br />
 
<input id="scheduleName" style="margin-bottom: 1em;" class="defText required" type="text" size="25" title="(e.g., Spring <?php echo Date('Y'); ?>)" name="postData[name]"
 
<?php if ($sch) echo 'value="' . str_replace('"', '&quot;', $sch->getName()) . '"'; /*"*/ ?>
 
<?php if ($sch) echo 'value="' . htmlentities($sch->getName()) . '"'; /*"*/ ?>
 
/>
 

	
 
<table id="container">
 
  <tr><td>
 
    <table id="jsrows">
 
	<!-- Header -->