Escape variables in pvw module

midasplatform · Dec 8, 2014 · dd9b6a4 · dd9b6a4
1 parent 4a1b968
commit dd9b6a4
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 8 deletions.
diff --git a/modules/pvw/Notification.php b/modules/pvw/Notification.php
@@ -39,18 +39,18 @@ public function getItemViewLink($params)
         $webroot = Zend_Controller_Front::getInstance()->getBaseUrl();
         if ($this->ModuleComponent->Validation->canVisualizeWithSliceView($item)
         ) {
-            $html = '<li><a href="'.$webroot.'/'.$this->moduleName.'/paraview/slice?itemId='.$item->getKey().'">';
+            $html = '<li><a href="'.$webroot.'/'.$this->moduleName.'/paraview/slice?itemId='.htmlspecialchars($item->getKey(), ENT_QUOTES, 'UTF-8').'">';
             $html .= '<img alt="" src="'.$webroot.'/modules/'.$this->moduleName.'/public/images/sliceView.png" /> ';
             $html .= 'Slice Visualization</a></li>';
 
-            $html .= '<li><a href="'.$webroot.'/'.$this->moduleName.'/paraview/volume?itemId='.$item->getKey().'">';
+            $html .= '<li><a href="'.$webroot.'/'.$this->moduleName.'/paraview/volume?itemId='.htmlspecialchars($item->getKey(), ENT_QUOTES, 'UTF-8').'">';
             $html .= '<img alt="" src="'.$webroot.'/modules/'.$this->moduleName.'/public/images/volume.png" /> ';
             $html .= 'Volume Visualization</a></li>';
 
             return $html;
         } elseif ($this->ModuleComponent->Validation->canVisualizeWithSurfaceView($item)
         ) {
-            $html = '<li><a href="'.$webroot.'/'.$this->moduleName.'/paraview/surface?itemId='.$item->getKey().'">';
+            $html = '<li><a href="'.$webroot.'/'.$this->moduleName.'/paraview/surface?itemId='.htmlspecialchars($item->getKey(), ENT_QUOTES, 'UTF-8').'">';
             $html .= '<img alt="" src="'.$webroot.'/modules/'.$this->moduleName.'/public/images/pqUnstructuredGrid16.png" /> ';
             $html .= 'Surface Visualization</a></li>';
 

diff --git a/modules/pvw/views/admin/status.phtml b/modules/pvw/views/admin/status.phtml
@@ -45,12 +45,12 @@
             foreach ($this->instances as $row) {
                 $instance = $row['dao'];
                 $status = $row['status'];
-                echo '<tr key="'.$instance->getKey().'"><td>'.$instance->getKey().'</td><td>'.$instance->getPort(
-                    ).'</td><td>'.$instance->getPid().'</td><td>'.$instance->getCreationDate(
-                    ).'</td><td>'.($status ? '<span class="running">Running</span>' : '<span class="dead">Dead</span>');
+                echo '<tr key="'.$this->escape($instance->getKey()).'"><td>'.$this->escape($instance->getKey()).'</td><td>'.$this->escape($instance->getPort(
+                    )).'</td><td>'.$this->escape($instance->getPid()).'</td><td>'.$this->escape($instance->getCreationDate(
+                    )).'</td><td>'.($status ? '<span class="running">Running</span>' : '<span class="dead">Dead</span>');
 
-                echo '</td><td><img qtip="Kill instance" alt="" class="killInstance" key="'.$instance->getKey(
-                    ).'" src="'.$this->coreWebroot.'/public/images/icons/close.png"/></td></tr>';
+                echo '</td><td><img qtip="Kill instance" alt="" class="killInstance" key="'.$this->escape($instance->getKey(
+                    )).'" src="'.$this->coreWebroot.'/public/images/icons/close.png"/></td></tr>';
             }
             ?>
             </tbody>