Expand Up @@ -62,7 +62,7 @@
<?php foreach ($object1 as $name => $value) : ?>
<?php $rowClass = ($value->value == $object2->$name->value) ? 'items-equal' : 'items-not-equal'; ?>
<tr class="<?php echo $rowClass; ?>">
<?php if (is_object($value->value)): ?>
<?php if (is_object($value->value)) : ?>
<td><strong><?php echo $value->label; ?></strong></td>
<td /><td /><td />
<?php foreach ($value->value as $subName => $subValue): ?>
Expand All @@ -71,8 +71,8 @@
<?php $rowClass = ($subValue->value == $newSubValue) ? 'items-equal' : 'items-not-equal'; ?>
<tr class="<?php echo $rowClass; ?>">
<td><i>&nbsp;&nbsp;<?php echo $subValue->label; ?></i></td>
<td class="originalhtml" style="display:none" ><?php echo htmlspecialchars($subValue->value); ?></td>
<td class="changedhtml" style="display:none" ><?php echo htmlspecialchars($newSubValue); ?></td>
<td class="originalhtml" style="display:none" ><?php echo htmlspecialchars($subValue->value, ENT_COMPAT, 'UTF-8'); ?></td>
<td class="changedhtml" style="display:none" ><?php echo htmlspecialchars($newSubValue, ENT_COMPAT, 'UTF-8'); ?></td>
<td class="original"><?php echo $subValue->value; ?></td>
<td class="changed"><?php echo $newSubValue; ?></td>
<td class="diff" />
Expand All @@ -84,7 +84,7 @@
<td><strong><?php echo $value->label; ?></strong></td>
<td class="originalhtml" style="display:none" ><?php echo htmlspecialchars($value->value); ?></td>
<?php $object2->$name->value = is_object($object2->$name->value) ? json_encode($object2->$name->value) : $object2->$name->value; ?>
<td class="changedhtml" style="display:none" ><?php echo htmlspecialchars($object2->$name->value); ?></td>
<td class="changedhtml" style="display:none" ><?php echo htmlspecialchars($object2->$name->value, ENT_COMPAT, 'UTF-8'); ?></td>
<td class="original"><?php echo $value->value; ?></td>
<td class="changed"><?php echo $object2->$name->value; ?></td>
<td class="diff" />
Expand Up @@ -19,7 +19,7 @@
<div class="quickicon-wrapper"<?php echo $id; ?>>
<div class="icon">
<a href="<?php echo $displayData['link']; ?>"<?php echo $target . $onclick . $title; ?>>
<?php echo JHtml::_('image', empty($displayData['icon']) ? '' : $displayData['icon'], empty($displayData['alt']) ? null : htmlspecialchars($displayData['alt']), null, true); ?>
<?php echo JHtml::_('image', empty($displayData['icon']) ? '' : $displayData['icon'], empty($displayData['alt']) ? null : htmlspecialchars($displayData['alt'], ENT_COMPAT, 'UTF-8'), null, true); ?>
<?php echo $text; ?>
</a>
</div>
4 changes: 2 additions & 2 deletions administrator/templates/isis/html/modules.php
Expand Up @@ -50,11 +50,11 @@ function modChrome_well($module, &$params, &$attribs)
$moduleTag = $params->get('module_tag', 'div');
$bootstrapSize = (int) $params->get('bootstrap_size');
$moduleClass = ($bootstrapSize) ? ' span' . $bootstrapSize : '';
$headerTag = htmlspecialchars($params->get('header_tag', 'h2'));
$headerTag = htmlspecialchars($params->get('header_tag', 'h2'), ENT_COMPAT, 'UTF-8');
is this in the right place?

yes

ok thanks


// Temporarily store header class in variable
$headerClass = $params->get('header_class');
$headerClass = ($headerClass) ? ' ' . htmlspecialchars($headerClass) : '';
$headerClass = ($headerClass) ? ' ' . htmlspecialchars($headerClass, ENT_COMPAT, 'UTF-8') : '';

echo '<' . $moduleTag . ' class="well well-small' . $moduleClass . '">';

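Review bot: `$moduleTag` read by `$params->get('module_tag', 'div')` at the top of the hunk is concatenated straight into the element name in `echo '<' . $moduleTag . ' class="well well-small' . $moduleClass . '">';`, while the commit only escapes `header_tag` and `header_class`. For a tag name HTML escaping is the wrong tool anyway: with ENT_COMPAT a value such as `h2 onmouseover=x` survives `htmlspecialchars()` unchanged and, if `$headerTag` is later emitted as `'<' . $headerTag . '>'` (that use is outside the hunk, so inferred), lands in the markup as an attribute. Restricting both values to a tag-name pattern is the consistent fix: `$moduleTag = preg_match('/^[a-z][a-z0-9]*$/', $moduleTag) ? $moduleTag : 'div';` and the same for `$headerTag` with `'h2'`. These are template parameters set by an administrator, so exposure is limited, but the check is one line each. modChrome_well() continues outside the hunk.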
12 changes: 5 additions & 7 deletions components/com_users/views/profile/tmpl/default_core.php
Expand Up @@ -20,13 +20,13 @@
<?php echo JText::_('COM_USERS_PROFILE_NAME_LABEL'); ?>
</dt>
<dd>
<?php echo $this->data->name; ?>
<?php echo htmlspecialchars($this->data->name, ENT_COMPAT, 'UTF-8'); ?>
Showing my ignorance perhaps, but why did you add it to this one? Surely it has already been filtered.

reverted.

</dd>
<dt>
<?php echo JText::_('COM_USERS_PROFILE_USERNAME_LABEL'); ?>
</dt>
<dd>
<?php echo htmlspecialchars($this->data->username); ?>
<?php echo htmlspecialchars($this->data->username, ENT_COMPAT, 'UTF-8'); ?>
</dd>
<dt>
<?php echo JText::_('COM_USERS_PROFILE_REGISTERED_DATE_LABEL'); ?>
Expand All @@ -38,17 +38,15 @@
<?php echo JText::_('COM_USERS_PROFILE_LAST_VISITED_DATE_LABEL'); ?>
</dt>

<?php if ($this->data->lastvisitDate != '0000-00-00 00:00:00'){?>
<?php if ($this->data->lastvisitDate != '0000-00-00 00:00:00') : ?>
<dd>
<?php echo JHtml::_('date', $this->data->lastvisitDate); ?>
</dd>
<?php }
else
{?>
<?php else : ?>
<dd>
<?php echo JText::_('COM_USERS_PROFILE_NEVER_VISITED'); ?>
</dd>
<?php } ?>
<?php endif; ?>

</dl>
</fieldset>
2 changes: 1 addition & 1 deletion layouts/joomla/edit/frontediting_modules.php
Expand Up @@ -43,7 +43,7 @@
'\\1 jmoddiv" data-jmodediturl="' . $editUrl . '" data-target="' . $target . '" data-jmodtip="'
. JHtml::tooltipText(
JText::_('JLIB_HTML_EDIT_MODULE'),
htmlspecialchars($mod->title) . '<br />' . sprintf(JText::_('JLIB_HTML_EDIT_MODULE_IN_POSITION'), htmlspecialchars($position)),
htmlspecialchars($mod->title, ENT_COMPAT, 'UTF-8') . '<br />' . sprintf(JText::_('JLIB_HTML_EDIT_MODULE_IN_POSITION'), htmlspecialchars($position)),
you missed one here.

0
)
. '"'
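Review bot: The escaped title passed to `JHtml::tooltipText(` is spliced into a string whose `'\\1 jmoddiv" ...'` prefix marks it as a preg_replace() replacement (the call starts and ends outside the hunk, so this is inferred from the `\\1` backreference); in that position `htmlspecialchars()` does not protect the output, because `$1`, `${1}` or `\1` appearing in a module title or position is parsed as a backreference and replaced with captured markup rather than printed. After HTML escaping, also neutralise the two replacement metacharacters, e.g. `addcslashes(htmlspecialchars($mod->title, ENT_COMPAT, 'UTF-8'), '\\$')`, or move the attribute construction into a preg_replace_callback() closure so no user-derived text goes through the replacement parser at all. The same consideration applies to `$editUrl` and `$target` on the context line above, which are not escaped for either context.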
3 changes: 2 additions & 1 deletion modules/mod_articles_categories/mod_articles_categories.php
Expand Up @@ -27,7 +27,8 @@

if (!empty($list))
{
$moduleclass_sfx = htmlspecialchars($params->get('moduleclass_sfx'));
$moduleclass_sfx = htmlspecialchars($params->get('moduleclass_sfx'), ENT_COMPAT, 'UTF-8');
$startLevel = reset($list)->getParent()->level;

require JModuleHelper::getLayoutPath('mod_articles_categories', $params->get('layout', 'default'));
}
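Review bot: The new `$startLevel = reset($list)->getParent()->level;` has no comment explaining why the module computes it, and nothing in the hunk reads it — it is consumed by the layout pulled in by the `require` two lines below, which inherits this scope. A one-line comment makes that contract visible: `// Level of the first category's parent; read by the layout required below.` If `getParent()` can return null for a top-level category this line would be a fatal error; the helper is outside the hunk, so worth confirming.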
2 changes: 1 addition & 1 deletion modules/mod_menu/tmpl/default_url.php
Expand Up @@ -49,4 +49,4 @@
$attributes['onclick'] = "window.open(this.href, 'targetWindow', '" . $options . "'); return false;";
}

echo JHtml::_('link', JFilterOutput::ampReplace(htmlspecialchars($item->flink)), $linktype, $attributes);
echo JHtml::_('link', JFilterOutput::ampReplace(htmlspecialchars($item->flink), ENT_COMPAT, 'UTF-8'), $linktype, $attributes);
The parentheses are in the wrong place.

3 changes: 1 addition & 2 deletions modules/mod_tags_popular/mod_tags_popular.php
Expand Up @@ -26,8 +26,7 @@
return;
}

$moduleclass_sfx = htmlspecialchars($params->get('moduleclass_sfx'));
$moduleclass_sfx = htmlspecialchars($params->get('moduleclass_sfx'), ENT_COMPAT, 'UTF-8');
$display_count = $params->get('display_count', 0);


require JModuleHelper::getLayoutPath('mod_tags_popular', $params->get('layout', 'default'));
2 changes: 1 addition & 1 deletion modules/mod_tags_popular/tmpl/default.php
Expand Up @@ -19,7 +19,7 @@
<?php foreach ($list as $item) : ?>
<li><?php $route = new TagsHelperRoute; ?>
<a href="<?php echo JRoute::_(TagsHelperRoute::getTagRoute($item->tag_id . '-' . $item->alias)); ?>">
<?php echo htmlspecialchars($item->title); ?></a>
<?php echo htmlspecialchars($item->title, ENT_COMPAT, 'UTF-8'); ?></a>
<?php if ($display_count) : ?>
<span class="tag-count badge badge-info"><?php echo $item->count; ?></span>
<?php endif; ?>
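Review bot: `$route = new TagsHelperRoute;` on the `<li>` line constructs an object on every iteration that nothing in the visible lines uses — the href below calls the static `TagsHelperRoute::getTagRoute()` instead — so the assignment should be dropped, or hoisted above the loop if the constructor has side effects the template relies on. Separately, `$item->count` inside the badge `<span>` is the only output in this hunk that is echoed raw; `(int) $item->count` pins the expectation that it is numeric and costs nothing. The list element enclosing this loop opens outside the hunk.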
6 changes: 3 additions & 3 deletions templates/beez3/component.php
Expand Up @@ -33,15 +33,15 @@
}
}

$doc->addStyleSheet('templates/' . $this->template . '/css/' . htmlspecialchars($color) . '.css');
$doc->addStyleSheet('templates/' . $this->template . '/css/' . htmlspecialchars($color, ENT_COMPAT, 'UTF-8') . '.css');

if ($this->direction == 'rtl')
{
$doc->addStyleSheet($this->baseurl . '/templates/' . $this->template . '/css/template_rtl.css');

if (file_exists(JPATH_SITE . '/templates/' . $this->template . '/css/' . $color . '_rtl.css'))
if (file_exists(JPATH_SITE . '/templates/' . $this->template . '/css/' . htmlspecialchars($color, ENT_COMPAT, 'UTF-8') . '_rtl.css'))
{
$doc->addStyleSheet($this->baseurl . '/templates/' . $this->template . '/css/' . htmlspecialchars($color) . '_rtl.css');
$doc->addStyleSheet($this->baseurl . '/templates/' . $this->template . '/css/' . htmlspecialchars($color, ENT_COMPAT, 'UTF-8') . '_rtl.css');
}
}
?>
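Review bot: The new `file_exists(JPATH_SITE . '/templates/' . $this->template . '/css/' . htmlspecialchars($color, ENT_COMPAT, 'UTF-8') . '_rtl.css')` applies an HTML escaper to a filesystem path, which does nothing against the characters that matter there: `/`, `.` and `..` pass through `htmlspecialchars()` untouched, so a `$color` containing a traversal sequence still reaches `file_exists()` and, via `addStyleSheet()`, the page. `$color` is assigned above the hunk (only the closing braces of that block are visible), so constrain it once at that point, e.g. `$color = preg_replace('/[^A-Za-z0-9_-]/', '', $color);`, and then use `$color` directly in the `file_exists()` check; the HTML escaping in the `addStyleSheet()` URLs becomes redundant but harmless. Also note the first `addStyleSheet('templates/' . ...)` call in the hunk omits `$this->baseurl` while the RTL calls include it — presumably intentional, but worth a comment if so.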
6 changes: 3 additions & 3 deletions templates/beez3/index.php
Expand Up @@ -48,14 +48,14 @@
$doc->addStyleSheet($this->baseurl . '/templates/' . $this->template . '/css/layout.css', $type = 'text/css', $media = 'screen,projection');
$doc->addStyleSheet($this->baseurl . '/templates/' . $this->template . '/css/print.css', $type = 'text/css', $media = 'print');
$doc->addStyleSheet($this->baseurl . '/templates/' . $this->template . '/css/general.css', $type = 'text/css', $media = 'screen,projection');
$doc->addStyleSheet($this->baseurl . '/templates/' . $this->template . '/css/' . htmlspecialchars($color) . '.css', $type = 'text/css', $media = 'screen,projection');
$doc->addStyleSheet($this->baseurl . '/templates/' . $this->template . '/css/' . htmlspecialchars($color, ENT_COMPAT, 'UTF-8') . '.css', $type = 'text/css', $media = 'screen,projection');

if ($this->direction == 'rtl')
{
$doc->addStyleSheet($this->baseurl . '/templates/' . $this->template . '/css/template_rtl.css');
if (file_exists(JPATH_SITE . '/templates/' . $this->template . '/css/' . $color . '_rtl.css'))
if (file_exists(JPATH_SITE . '/templates/' . $this->template . '/css/' . htmlspecialchars($color, ENT_COMPAT, 'UTF-8') . '_rtl.css'))
{
$doc->addStyleSheet($this->baseurl . '/templates/' . $this->template . '/css/' . htmlspecialchars($color) . '_rtl.css');
$doc->addStyleSheet($this->baseurl . '/templates/' . $this->template . '/css/' . htmlspecialchars($color, ENT_COMPAT, 'UTF-8') . '_rtl.css');
}
}

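Review bot: `file_exists(JPATH_SITE . '/templates/' . $this->template . '/css/' . htmlspecialchars($color, ENT_COMPAT, 'UTF-8') . '_rtl.css')` on the new side HTML-escapes a value that is being used as a filesystem path; `htmlspecialchars()` leaves `/` and `..` intact, so it neither prevents traversal in the `file_exists()` probe nor in the `addStyleSheet()` URL built from the same value. The assignment of `$color` is above the hunk, so validate it there once, e.g. `$color = preg_replace('/[^A-Za-z0-9_-]/', '', $color);`, and pass the plain `$color` to `file_exists()`; the escaping in the `addStyleSheet()` arguments can stay as a harmless second layer. The same construct is introduced in templates/beez3/component.php in this commit and would want the identical treatment.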