Fixed HTML injection in some forms
This commit is contained in:
parent
395ac3033f
commit
c0f52ecf28
6 changed files with 15 additions and 15 deletions
@ -13,7 +13,7 @@ LayoutHelper::setSubTitle('logs (' . $name . ')');
|
||||||
<form action="<?php echo \Chibi\UrlHelper::route('log', 'view', ['name' => $this->context->transport->name]) ?>" method="get">
|
<form action="<?php echo \Chibi\UrlHelper::route('log', 'view', ['name' => $this->context->transport->name]) ?>" method="get">
|
||||||
Keep only lines that contain:
|
Keep only lines that contain:
|
||||||
|
|
||||||
<input type="text" name="query" value="<?php echo $this->context->transport->filter ?>" placeholder="any text…"/>
|
<input type="text" name="query" value="<?php echo htmlspecialchars($this->context->transport->filter) ?>" placeholder="any text…"/>
|
||||||
</form>
|
</form>
|
||||||
|
|
||||||
<div class="paginator-content">
|
<div class="paginator-content">
|
||||||
|
|
|
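Review bot: `htmlspecialchars()` is called with its default flags on the filter value; before PHP 8.1 that default is ENT_COMPAT, which leaves single quotes unencoded, so the fix currently relies on the attribute being double-quoted. Passing `htmlspecialchars($this->context->transport->filter, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')` (or routing every echo through one small escape helper) is safe in either quoting style and substitutes invalid byte sequences instead of returning an empty string; the same applies to each `htmlspecialchars()` call added in the other five files of this commit. The `action` attribute on the first line of the hunk still prints the route unescaped; if `\Chibi\UrlHelper::route()` does not HTML-encode its result, `$this->context->transport->name` reaches the attribute raw, which is worth confirming.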
@ -17,15 +17,15 @@
|
||||||
<?php if (PrivilegesHelper::confirm(Privilege::EditPostTags, PrivilegesHelper::getIdentitySubPrivilege($this->context->transport->post->getUploader()))): ?>
|
<?php if (PrivilegesHelper::confirm(Privilege::EditPostTags, PrivilegesHelper::getIdentitySubPrivilege($this->context->transport->post->getUploader()))): ?>
|
||||||
<div class="form-row tags">
|
<div class="form-row tags">
|
||||||
<label for="tags">Tags:</label>
|
<label for="tags">Tags:</label>
|
||||||
<div class="input-wrapper"><input type="text" name="tags" id="tags" placeholder="enter some tags…" value="<?php echo join(',', array_map(function($tag) { return $tag->name; }, $this->context->transport->post->getTags())) ?>"/></div>
|
<div class="input-wrapper"><input type="text" name="tags" id="tags" placeholder="enter some tags…" value="<?php echo join(',', array_map(function($tag) { return htmlspecialchars($tag->name); }, $this->context->transport->post->getTags())) ?>"/></div>
|
||||||
</div>
|
</div>
|
||||||
<input type="hidden" name="edit-token" id="edit-token" value="<?php echo $this->context->transport->post->getEditToken() ?>"/>
|
<input type="hidden" name="edit-token" id="edit-token" value="<?php echo htmlspecialchars($this->context->transport->post->getEditToken()) ?>"/>
|
||||||
<?php endif ?>
|
<?php endif ?>
|
||||||
|
|
||||||
<?php if (PrivilegesHelper::confirm(Privilege::EditPostSource, PrivilegesHelper::getIdentitySubPrivilege($this->context->transport->post->getUploader()))): ?>
|
<?php if (PrivilegesHelper::confirm(Privilege::EditPostSource, PrivilegesHelper::getIdentitySubPrivilege($this->context->transport->post->getUploader()))): ?>
|
||||||
<div class="form-row source">
|
<div class="form-row source">
|
||||||
<label for="source">Source:</label>
|
<label for="source">Source:</label>
|
||||||
<div class="input-wrapper"><input type="text" name="source" id="source" value="<?php echo $this->context->transport->post->source ?>"/></div>
|
<div class="input-wrapper"><input type="text" name="source" id="source" value="<?php echo htmlspecialchars($this->context->transport->post->source) ?>"/></div>
|
||||||
</div>
|
</div>
|
||||||
<?php endif ?>
|
<?php endif ?>
|
||||||
|
|
||||||
|
|
|
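Review bot: On the tags line the escape is applied per element inside the `array_map` closure and only then joined; since the `,` separator has no HTML meaning the result is equivalent, but escaping the finished string once, `htmlspecialchars(join(',', array_map(function($tag) { return $tag->name; }, $this->context->transport->post->getTags())))`, keeps the output-encoding step on the `echo` where a reader looks for it and matches how the `edit-token` and `source` lines in this hunk are written. Both `if` blocks open and close within the hunk.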
@ -106,7 +106,7 @@ $canEditAnything = count(array_filter($editPostPrivileges)) > 0;
|
||||||
<div class="key-value source">
|
<div class="key-value source">
|
||||||
<span class="key">Source:</span>
|
<span class="key">Source:</span>
|
||||||
<span class="value" title="<?php echo $val = htmlspecialchars($this->context->transport->post->source ?: 'unknown') ?>">
|
<span class="value" title="<?php echo $val = htmlspecialchars($this->context->transport->post->source ?: 'unknown') ?>">
|
||||||
<?php if (preg_match('/^((https?|ftp):|)\/\//', $val)): ?>
|
<?php if (preg_match('/^((https?|ftp):|)\/\//', $this->context->transport->post->source)): ?>
|
||||||
<a href="<?php echo $val ?>"><?php echo $val ?></a>
|
<a href="<?php echo $val ?>"><?php echo $val ?></a>
|
||||||
<?php else: ?>
|
<?php else: ?>
|
||||||
<?php echo $val ?>
|
<?php echo $val ?>
|
||||||
|
|
|
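Review bot: The `preg_match()` subject on the changed line is now the raw `source` property, while the `$val` printed on the surrounding lines falls back to `'unknown'` when the source is empty; if `source` can be null, `preg_match()` raises a deprecation on PHP 8.1+ for the null argument, so `preg_match('/^((https?|ftp):|)\/\//', (string) $this->context->transport->post->source)` keeps the check quiet. The anchored scheme pattern is still what decides whether the source becomes a clickable `href` two lines later, and the switch from `$val` to the raw value is behaviour-neutral for that pattern because `htmlspecialchars()` leaves `:` and `/` untouched. The `if`/`else` block and the enclosing `<span>` continue outside the hunk.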
@ -4,12 +4,12 @@
|
||||||
|
|
||||||
<div class="form-row">
|
<div class="form-row">
|
||||||
<label for="mass-tag-query">Search query:</label>
|
<label for="mass-tag-query">Search query:</label>
|
||||||
<div class="input-wrapper"><input class="autocomplete" type="text" name="query" id="mass-tag-query" value="<?php echo isset($this->context->massTagQuery) ? $this->context->massTagQuery : '' ?>"/></div>
|
<div class="input-wrapper"><input class="autocomplete" type="text" name="query" id="mass-tag-query" value="<?php echo isset($this->context->massTagQuery) ? htmlspecialchars($this->context->massTagQuery) : '' ?>"/></div>
|
||||||
</div>
|
</div>
|
||||||
|
|
||||||
<div class="form-row">
|
<div class="form-row">
|
||||||
<label for="mass-tag-tag">Tag:</label>
|
<label for="mass-tag-tag">Tag:</label>
|
||||||
<div class="input-wrapper"><input class="autocomplete" type="text" name="tag" id="mass-tag-tag" value="<?php echo isset($this->context->massTagTag) ? $this->context->massTagTag : '' ?>"/></div>
|
<div class="input-wrapper"><input class="autocomplete" type="text" name="tag" id="mass-tag-tag" value="<?php echo isset($this->context->massTagTag) ? htmlspecialchars($this->context->massTagTag) : '' ?>"/></div>
|
||||||
</div>
|
</div>
|
||||||
|
|
||||||
<input type="hidden" name="submit" value="1"/>
|
<input type="hidden" name="submit" value="1"/>
|
||||||
|
|
|
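Review bot: The `isset(...) ? htmlspecialchars(...) : ''` on both changed lines can be collapsed to `htmlspecialchars($this->context->massTagQuery ?? '')` and `htmlspecialchars($this->context->massTagTag ?? '')`: `??` covers both the unset and the null case, and the escape call then sits once per echo instead of being buried in a branch of the ternary. The enclosing `<form>` element is not within the hunk.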
@ -10,25 +10,25 @@
|
||||||
<?php if (PrivilegesHelper::confirm(Privilege::ChangeUserName, PrivilegesHelper::getIdentitySubPrivilege($this->context->transport->user))): ?>
|
<?php if (PrivilegesHelper::confirm(Privilege::ChangeUserName, PrivilegesHelper::getIdentitySubPrivilege($this->context->transport->user))): ?>
|
||||||
<div class="form-row nickname">
|
<div class="form-row nickname">
|
||||||
<label for="name">Name:</label>
|
<label for="name">Name:</label>
|
||||||
<div class="input-wrapper"><input type="text" name="name" id="name" placeholder="New name…" value="<?php echo $this->context->suppliedName ?>"/></div>
|
<div class="input-wrapper"><input type="text" name="name" id="name" placeholder="New name…" value="<?php echo htmlspecialchars($this->context->suppliedName) ?>"/></div>
|
||||||
</div>
|
</div>
|
||||||
<?php endif ?>
|
<?php endif ?>
|
||||||
|
|
||||||
<?php if (PrivilegesHelper::confirm(Privilege::ChangeUserEmail, PrivilegesHelper::getIdentitySubPrivilege($this->context->transport->user))): ?>
|
<?php if (PrivilegesHelper::confirm(Privilege::ChangeUserEmail, PrivilegesHelper::getIdentitySubPrivilege($this->context->transport->user))): ?>
|
||||||
<div class="form-row email">
|
<div class="form-row email">
|
||||||
<label for="name">E-mail:</label>
|
<label for="name">E-mail:</label>
|
||||||
<div class="input-wrapper"><input type="text" name="email" id="email" placeholder="New e-mail…" value="<?php echo $this->context->suppliedEmail ?>"/></div>
|
<div class="input-wrapper"><input type="text" name="email" id="email" placeholder="New e-mail…" value="<?php echo htmlspecialchars($this->context->suppliedEmail) ?>"/></div>
|
||||||
</div>
|
</div>
|
||||||
<?php endif ?>
|
<?php endif ?>
|
||||||
|
|
||||||
<?php if (PrivilegesHelper::confirm(Privilege::ChangeUserPassword, PrivilegesHelper::getIdentitySubPrivilege($this->context->transport->user))): ?>
|
<?php if (PrivilegesHelper::confirm(Privilege::ChangeUserPassword, PrivilegesHelper::getIdentitySubPrivilege($this->context->transport->user))): ?>
|
||||||
<div class="form-row password1">
|
<div class="form-row password1">
|
||||||
<label for="password1">New password:</label>
|
<label for="password1">New password:</label>
|
||||||
<div class="input-wrapper"><input type="password" name="password1" id="password1" placeholder="New password…" value="<?php echo $this->context->suppliedPassword1 ?>"/></div>
|
<div class="input-wrapper"><input type="password" name="password1" id="password1" placeholder="New password…" value="<?php echo htmlspecialchars($this->context->suppliedPassword1) ?>"/></div>
|
||||||
</div>
|
</div>
|
||||||
<div class="form-row password2">
|
<div class="form-row password2">
|
||||||
<label for="password2"></label>
|
<label for="password2"></label>
|
||||||
<div class="input-wrapper"><input type="password" name="password2" id="password2" placeholder="New password… (repeat)" value="<?php echo $this->context->suppliedPassword2 ?>"/></div>
|
<div class="input-wrapper"><input type="password" name="password2" id="password2" placeholder="New password… (repeat)" value="<?php echo htmlspecialchars($this->context->suppliedPassword2) ?>"/></div>
|
||||||
</div>
|
</div>
|
||||||
<?php endif ?>
|
<?php endif ?>
|
||||||
|
|
||||||
|
|
|
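Review bot: The two password inputs on the changed lines (`password1`, `password2`) are re-populated with the submitted password, so the plaintext password is written back into the HTML response; escaping it stops markup injection but does nothing about exposure through browser caching, intermediaries, or anyone viewing the rendered page source. The usual practice is to leave password fields empty after a failed submit, i.e. drop the `value="..."` attribute from both inputs, and the same holds for the two password inputs in the registration-form hunk below. Separately, on the unchanged e-mail row `<label for="name">E-mail:</label>` points at the name input rather than `id="email"`, so clicking the label focuses the wrong field.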
@ -14,22 +14,22 @@ LayoutHelper::setSubTitle('registration form');
|
||||||
|
|
||||||
<div class="form-row">
|
<div class="form-row">
|
||||||
<label for="name">User name:</label>
|
<label for="name">User name:</label>
|
||||||
<div class="input-wrapper"><input type="text" id="name" name="name" value="<?php echo $this->context->suppliedName ?>" placeholder="e.g. darth_vader" autocomplete="off"/></div>
|
<div class="input-wrapper"><input type="text" id="name" name="name" value="<?php echo htmlspecialchars($this->context->suppliedName) ?>" placeholder="e.g. darth_vader" autocomplete="off"/></div>
|
||||||
</div>
|
</div>
|
||||||
|
|
||||||
<div class="form-row">
|
<div class="form-row">
|
||||||
<label for="password1">Password:</label>
|
<label for="password1">Password:</label>
|
||||||
<div class="input-wrapper"><input type="password" id="password1" name="password1" value="<?php echo $this->context->suppliedPassword1 ?>" placeholder="e.g. <?php echo str_repeat('●', 8) ?>" autocomplete="off"/></div>
|
<div class="input-wrapper"><input type="password" id="password1" name="password1" value="<?php echo htmlspecialchars($this->context->suppliedPassword1) ?>" placeholder="e.g. <?php echo str_repeat('●', 8) ?>" autocomplete="off"/></div>
|
||||||
</div>
|
</div>
|
||||||
|
|
||||||
<div class="form-row">
|
<div class="form-row">
|
||||||
<label for="password2">Password (repeat):</label>
|
<label for="password2">Password (repeat):</label>
|
||||||
<div class="input-wrapper"><input type="password" id="password2" name="password2" value="<?php echo $this->context->suppliedPassword2 ?>" placeholder="e.g. <?php echo str_repeat('●', 8) ?>" autocomplete="off"/></div>
|
<div class="input-wrapper"><input type="password" id="password2" name="password2" value="<?php echo htmlspecialchars($this->context->suppliedPassword2) ?>" placeholder="e.g. <?php echo str_repeat('●', 8) ?>" autocomplete="off"/></div>
|
||||||
</div>
|
</div>
|
||||||
|
|
||||||
<div class="form-row">
|
<div class="form-row">
|
||||||
<label for="email">E-mail address:</label>
|
<label for="email">E-mail address:</label>
|
||||||
<div class="input-wrapper"><input type="text" id="email" name="email" value="<?php echo $this->context->suppliedEmail ?>" placeholder="e.g. vader@empire.gov" autocomplete="off"/></div>
|
<div class="input-wrapper"><input type="text" id="email" name="email" value="<?php echo htmlspecialchars($this->context->suppliedEmail) ?>" placeholder="e.g. vader@empire.gov" autocomplete="off"/></div>
|
||||||
</div>
|
</div>
|
||||||
|
|
||||||
<p id="email-info">Your e-mail will be used to show your <a href="http://gravatar.com/">Gravatar</a>.<br/>Leave blank for random Gravatar.</p>
|
<p id="email-info">Your e-mail will be used to show your <a href="http://gravatar.com/">Gravatar</a>.<br/>Leave blank for random Gravatar.</p>
|
||||||
|
|