Changeset 851

Timestamp:

Jan 17, 2016, 10:07:13 PM (8 years ago)

Author:

chronos

Message:

• Fixed: Use htmlspecialchars function for user inserted content to avoid breaking page HTML structure. Added for forum, teams, dictionary and profile text.

Location:

trunk

Files:

• Application/Version.php (modified) (1 diff)
• Modules/Dictionary/Dictionary.php (modified) (3 diffs)
• Modules/Export/Page.php (modified) (4 diffs)
• Modules/Forum/Forum.php (modified) (9 diffs)
• Modules/ShoutBox/ShoutBox.php (modified) (1 diff)
• Modules/Team/Team.php (modified) (5 diffs)
• Modules/User/Options.php (modified) (2 diffs)
• Modules/User/Profile.php (modified) (6 diffs)
• Modules/User/Registration.php (modified) (3 diffs)
• Modules/User/UserList.php (modified) (1 diff)
• locale/cs.php (modified) (2 diffs)

trunk/Application/Version.php

@@ -6 +6 @@
 // and system will need database update.
 
-$Revision = 850; // Subversion revision
+$Revision = 851; // Subversion revision
 $DatabaseRevision = 849; // Database structure revision
 $ReleaseTime = '2016-01-17';

trunk/Modules/Dictionary/Dictionary.php

@@ -170 +170 @@
           '<input type="hidden" name="id"  value="'.$_GET['id'].'"/>'.
           '<table><tr><td>'.
-          'Původní anglické slovo:</td><td><input type="text" name="Original" value="'.$DbRow2['Text'].'" /></td></tr>'.
-          '<tr><td>Přeložené:</td><td><input type="text" name="Translated"  value="'.$DbRow['Text'].'" /></td></tr>'.
+          'Původní anglické slovo:</td><td><input type="text" name="Original" value="'.htmlspecialchars($DbRow2['Text']).'" /></td></tr>'.
+          '<tr><td>Přeložené:</td><td><input type="text" name="Translated" value="'.htmlspecialchars($DbRow['Text']).'" /></td></tr>'.
           '<tr><td>'.T('Language').':</td><td>'.WriteLanguages($DbRow['Language']).'</td></tr>'.
-          '<tr><td>'.T('Description').':</td><td><input type="text" name="Description"  value="'.$DbRow['Description'].'" /></td></tr>'.
+          '<tr><td>'.T('Description').':</td><td><input type="text" name="Description"  value="'.htmlspecialchars($DbRow['Description']).'" /></td></tr>'.
           '<tr><td colspan="2"><input type="submit" value="'.T('Save').'" /></td></tr>'.
           '</td></tr></table>'.
@@ -271 +271 @@
 
     if(is_numeric($_SESSION['language'])) $LanguageName = $LanguageList[$_SESSION['language']]['Name'];
-      else $LanguageName = 'Překlad';
+      else $LanguageName = T('Translation');
     $TableColumns = array(
       array('Name' => 'Original', 'Title' => T('English')),
@@ -288 +288 @@
     {
       $Output .= '<tr>'.
-        '<td>'.$Line['Original'].'</td>'.
-        '<td><strong>'.$Line['Translated'].'</strong></td>';
+        '<td>'.htmlspecialchars($Line['Original']).'</td>'.
+        '<td><strong>'.htmlspecialchars($Line['Translated']).'</strong></td>';
       if(!is_numeric($_SESSION['language'])) $Output .= '<td>'.T($Line['LangName']).'</td>';
-      $Output .= '<td>'.$Line['Description'].'</td>'.
+      $Output .= '<td>'.htmlspecialchars($Line['Description']).'</td>'.
         '<td><a href="'.$this->System->Link('/user/?user='.$Line['UserId']).'">'.
         $Line['UserName'].'</a></td>';

trunk/Modules/Export/Page.php

@@ -70 +70 @@
       $Output .= '<tr><td>'.HumanDate($Export['TimeCreate']).'</td>'.
           '<td><a href="'.$this->System->Link('/user/?user='.$Export['User']).'">'.$Export['UserName'].'</a></td>'.
-          '<td>'.$Export['Title'].'</td>'.
+          '<td>'.htmlspecialchars($Export['Title']).'</td>'.
           '<td>'.$Export['OutputType'].'</td>'.
           '<td><a href="'.$this->System->Link('/client-version/?action=item&amp;id='.$Export['ClientVersionId']).'">'.$Export['ClientVersion'].'</a></td>'.
@@ -304 +304 @@
         $Output .= '<input type="hidden" name="Operation" value="Save"/>'.
             '<tr><td colspan="2">';
-        if($Editable) $Output .= ' <input type="submit" value="Uložit" '.$DisabledInput[$Editable].'/>';
+        if($Editable) $Output .= ' <input type="submit" value="'.T('Save').'" '.$DisabledInput[$Editable].'/>';
         $Output .= ' <a href="?Action=Clone&amp;ExportId='.$Export['Id'].'" onclick="return confirmAction(\''.T('Realy clone item?').'\');">'.T('Clone').'</a> ';
         if($this->System->User->Licence(LICENCE_ADMIN))
@@ -310 +310 @@
         $Output .= '</td></tr>';
       }
-      $Output .= '<tr><td>'.T('Identification').':</td><td><input type="text" style="width: 400px" name="Title" value="'.$Export['Title'].'"'.$DisabledInput[$Editable].'/></td></tr>'.
-          '<tr><td>Popis:</td><td><textarea name="Description" cols="54" rows="10"'.$DisabledTextArea[$Editable].'>'.$Export['Description'].'</textarea></td></tr>'.
+      $Output .= '<tr><td>'.T('Identification').':</td><td><input type="text" style="width: 400px" name="Title" value="'.htmlspecialchars($Export['Title']).'"'.$DisabledInput[$Editable].'/></td></tr>'.
+          '<tr><td>'.T('Description').':</td><td><textarea name="Description" cols="54" rows="10"'.$DisabledTextArea[$Editable].'>'.htmlspecialchars($Export['Description']).'</textarea></td></tr>'.
           '<tr><td>'.T('With diacritics').'</td><td><input type="checkbox" name="WithDiacritic" '.$WithDiacritic.''.$DisabledInput[$Editable].'/></td></tr>'.
           '</table></form>';
@@ -752 +752 @@
         $DbResult = $this->System->Database->query('SELECT * FROM `User` WHERE `ID`='.$Export['User']);
         $UserLine = $DbResult->fetch_assoc();
-        $Output .= 'Export <strong><a href="?Action=View&amp;Tab=6&amp;ExportId='.$Export['Id'].'">'.$_GET['ExportId'].'</a></strong> překladatele <strong>'.$UserLine['Name'].'</strong> s označením <strong>'.$Export['Title'].'</strong>';
-        $Output .= ShowTabs(array(T('General'), T('Translators'), T('Translations'), T('Languages'), T('Format'), T('Version'), T('Statistic'), T('Output')));
+        $Output .= sprintf(T('Export %s of translator %s'),
+          '<strong><a href="?Action=View&amp;Tab=6&amp;ExportId='.$Export['Id'].'">'.htmlspecialchars($Export['Title']).'</a></strong>',
+          '<strong>'.$UserLine['Name'].'</strong>');
+        $Output .= ShowTabs(array(T('General'), T('Translators'),
+          T('Translations'), T('Languages'), T('Format'), T('Version'),
+          T('Statistic'), T('Output')));
         $Output .= '<div id="content">';
         if($_SESSION['Tab'] == TAB_GENERAL) $Output .= $this->ExportViewGeneral();

trunk/Modules/Forum/Forum.php

@@ -26 +26 @@
     if(array_key_exists('Search', $this->System->ModuleManager->Modules))
       $this->System->ModuleManager->Modules['Search']->RegisterSearch('forumthread',
-      T('Name of thread forum'), array('UserName', 'Text'), '`ForumThread`', $this->System->Link('/forum/?search='));
+      T('Name of thread forum'), array('UserName', 'Text'), '`ForumThread`',
+      $this->System->Link('/forum/?search='));
 
     $this->System->RegisterMenuItem(array(
@@ -56 +57 @@
         '<td><a href="'.$this->System->Link('/forum/?Thread='.$DbRow['Thread']).'">'.HumanDate($DbRow['Date']).'</a></td>'.
         '<td><a href="'.$this->System->Link('/user/?user='.$DbRow['UserId']).'">'.$DbRow['UserName'].'</a></td>'.
-        '<td>'.$Parser->qparse($DbRow['Text']).'</td>'.
+        '<td>'.htmlspecialchars($Parser->qparse($DbRow['Text'])).'</td>'.
         '</tr>';
     }
@@ -72 +73 @@
     if(array_key_exists('a', $_POST)) $Action = $_POST['a'];
       else if(array_key_exists('a', $_GET)) $Action = $_GET['a'];
-           else $Action = '';
+       else $Action = '';
     if (array_key_exists('Edit', $_GET)) {
       if (array_key_exists('text', $_POST))
@@ -117 +118 @@
             T('User').': ';
         if($this->System->User->Licence(LICENCE_USER)) $Output .= '<b>'.$this->System->User->Name.'</b><br />';
-        else $Output .= '<input type="text" name="user" /><br />';
+          else $Output .= '<input type="text" name="user" /><br />';
         $Output .= T('Message text').': ('.T('You can use').' <a href="http://www.bbcode.org/reference.php">'.T('BB code').'</a>)<br/>'.
-        '<textarea onkeydown="ResizeTextArea(this)" rows="8" name="text" cols="80">'.$DbRow['Text'].'</textarea> <br/>'.
+        '<textarea onkeydown="ResizeTextArea(this)" rows="8" name="text" cols="80">'.htmlspecialchars($DbRow['Text']).'</textarea> <br/>'.
         '<input type="hidden" name="a" value="add2"/>'.
         '<input type="submit" value="'.T('Send').'" /><br /></fieldset>'.
@@ -149 +150 @@
     '`ForumThread`.`Text` as `ThreadName`,`ForumText`.`Thread` FROM `ForumText` '.$join.' WHERE '.$where.' ORDER BY `ForumText`.`Date` DESC '.$PageList['SQLLimit']);
     while($Line = $DbResult->fetch_assoc())
-      $Output .= '<div><a href="'.$this->System->Link('/forum/?Thread='.$Line['Thread']).'">'.$Line['ThreadName'].'</a><br /><strong>'.$Line['UserName'].'</strong> ('.HumanDate($Line['Date']).'): '.$parser->qparse($Line['Text']).'</div> ';
+      $Output .= '<div><a href="'.$this->System->Link('/forum/?Thread='.$Line['Thread']).'">'.
+      htmlspecialchars($Line['ThreadName']).'</a><br /><strong>'.$Line['UserName'].
+      '</strong> ('.HumanDate($Line['Date']).'): '.htmlspecialchars($parser->qparse($Line['Text'])).'</div> ';
     $Output .= '</div>'.$PageList['Output'];
     return($Output);
@@ -166 +169 @@
     $DbResult = $this->System->Database->query('SELECT * FROM `ForumThread` WHERE 1 ORDER BY `ID` DESC '.$PageList['SQLLimit']);
     while($Line = $DbResult->fetch_assoc())
-      $Output .= '<div><span style="float:right;"><strong>'.$Line['UserName'].'</strong> - ('.HumanDate($Line['Date']).')</span> <a href="?Thread='.$Line['ID'].'">'.str_replace("\n", '',$Line['Text']).'</a> </div>';
+      $Output .= '<div><span style="float:right;"><strong>'.$Line['UserName'].
+    '</strong> - ('.HumanDate($Line['Date']).')</span> <a href="?Thread='.$Line['ID'].'">'.
+    str_replace("\n", '', htmlspecialchars($Line['Text'])).'</a></div>';
     $Output .= '</div>'.$PageList['Output'];
     return($Output);
@@ -191 +196 @@
     {
     $Thread = $DbResult->fetch_assoc();
-    $Output .= '<h3>'.$Thread['Text'].'</h3>';
+    $Output .= '<h3>'.htmlspecialchars($Thread['Text']).'</h3>';
 
     $DbResult = $this->System->Database->query('SELECT COUNT(*) FROM `ForumText` WHERE `Thread` = '.($_GET['Thread']*1).' '.$SearchQuery);
@@ -206 +211 @@
       else $edit = '';
       $Output .= '<div><span style="float:right;">'.$edit.' ('.HumanDate($Line['Date']).
-        ')</span><strong>'.$Line['UserName'].'</strong>: '.str_replace("\n", '<br />',$parser->qparse($Line['Text'])).'  </div> ';
+        ')</span><strong>'.$Line['UserName'].'</strong>: '.str_replace("\n", '<br />',
+        htmlspecialchars($parser->qparse($Line['Text']))).'  </div> ';
     }
     $Output .= '</div>'.$PageList['Output'];
@@ -313 +319 @@
       $Items[] = array
       (
-        'Title' =>  $DbRow['ThreadText'].' - '.$DbRow['UserName'].': ',
-        'Link' =>  'http://'.$this->System->Config['Web']['Host'].$this->System->Link('/forum/?Thread='.$DbRow['Thread']),
-        'Description' => $parser->qparse($DbRow['Text']),
+        'Title' => htmlspecialchars($DbRow['ThreadText']).' - '.$DbRow['UserName'].': ',
+        'Link' => 'http://'.$this->System->Config['Web']['Host'].$this->System->Link('/forum/?Thread='.$DbRow['Thread']),
+        'Description' => htmlspecialchars($parser->qparse($DbRow['Text'])),
         'Time' => $DbRow['UnixDate'],
       );

trunk/Modules/ShoutBox/ShoutBox.php

@@ -63 +63 @@
     {
       $SearchQuery = ' AND (`Text` LIKE "%'.$_SESSION['search'].'%")';
-      $Output .= '<div><a href="?search=">'.sprintf(T('Disable filter "%s"'), $_SESSION['search']).'</a></div>';
+      $Output .= '<div><a href="?search=">'.sprintf(T('Disable filter "%s"'), htmlentities($_SESSION['search'])).'</a></div>';
     } else $SearchQuery = '';
 

trunk/Modules/Team/Team.php

@@ -47 +47 @@
     {
       $SearchQuery = ' AND ((`Name` LIKE "%'.$_SESSION['search'].'%") OR (`Description` LIKE "%'.$_SESSION['search'].'%"))';
-      $Output .= '<div><a href="?search=">'.sprintf(T('Disable filter "%s"'), $_SESSION['search']).'</a></div>';
+      $Output .= '<div><a href="?search=">'.sprintf(T('Disable filter "%s"'), htmlspecialchars($_SESSION['search'])).'</a></div>';
     } else $SearchQuery = '';
 
@@ -75 +75 @@
     {
       $Output .= '<tr>'.
-        '<td><a href="?action=team&amp;id='.$Team['Id'].'">'.$Team['Name'].'</a></td>'.
-        '<td><a href="http://'.$Team['URL'].'">'.$Team['URL'].'</a></td>'.
+        '<td><a href="?action=team&amp;id='.$Team['Id'].'">'.htmlspecialchars($Team['Name']).'</a></td>'.
+        '<td><a href="http://'.$Team['URL'].'">'.htmlspecialchars($Team['URL']).'</a></td>'.
         '<td><a href="'.$this->System->Link('/user/?user='.$Team['Leader']).'">'.$Team['LeaderName'].'</a></td>'.
         '<td><a href="'.$this->System->Link('/users/?team='.$Team['Id']).'" title="Zobrazit členy týmu">'.$Team['NumberUser'].'</a></td>'.
@@ -157 +157 @@
           $Output = '<form action="?action=finish_modify&amp;id='.$_GET['id'].'" method="post">'.
             '<fieldset><legend>Nastavení týmu</legend>'.
-            '<table><tr><td>Jméno:</td><td><input type="text" name="Name" value="'.$Team['Name'].'"/></td></tr>'.
-            '<tr><td>Webové stránky:</td><td>http://<input type="text" name="URL" value="'.$Team['URL'].'"/></td></tr>'.
-            '<tr><td>Popis:</td><td><input type="text" name="Description" value="'.$Team['Description'].'"/></td></tr>'.
-            '<tr><td colspan="2"><input type="submit" value="Uložit" /></td></tr>'.
+            '<table><tr><td>Jméno:</td><td><input type="text" name="Name" value="'.htmlspecialchars($Team['Name']).'"/></td></tr>'.
+            '<tr><td>Webové stránky:</td><td>http://<input type="text" name="URL" value="'.htmlspecialchars($Team['URL']).'"/></td></tr>'.
+            '<tr><td>Popis:</td><td><input type="text" name="Description" value="'.htmlspecialchars($Team['Description']).'"/></td></tr>'.
+            '<tr><td colspan="2"><input type="submit" value="'.T('Save').'" /></td></tr>'.
             '</table></fieldset></form>';
         } else $Output = ShowMesage('Tým nenalezen.', MESSAGE_CRITICAL);
@@ -230 +230 @@
         } else $Leader = array('Name' => '', 'Id' => 0);
 
-        $Output .='<h3>'.T('Translation team').' '.$Team['Name'].'</h3><br />'.
-          T('Web pages').': <a href="http://'.$Team['URL'].'">'.$Team['URL'].'</a><br/>'.
+        $Output .='<h3>'.T('Translation team').' '.htmlspecialchars($Team['Name']).'</h3><br />'.
+          T('Web pages').': <a href="http://'.htmlspecialchars($Team['URL']).'">'.htmlspecialchars($Team['URL']).'</a><br/>'.
           T('Leader').': <a href="'.$this->System->Link('/user/?user='.$Leader['Id']).'">'.$Leader['Name'].'</a><br/>';
         if($Team['Description'] != '')
-          $Output .= T('Description').': '.$Team['Description'].'<br />';
+          $Output .= T('Description').': '.htmlspecialchars($Team['Description']).'<br />';
         $Output .= '<br />';
         //$Output .= '<a href="export/?team='.$Team['Id'].'">Exportovat překlad týmu</a> ';
@@ -241 +241 @@
         $XP = GetLevelMinMax($Team['AverageXP']);
         $Output .='<fieldset><legend>'.T('Statistics').'</legend>'.
-          T('Team member count').': <a href="'.$this->System->Link('/userlist/?team='.$Team['Id']).'" title="Zobrazit členy týmu">'.$Team['NumberUser'].'</a><br />'.
+          T('Team member count').': <a href="'.$this->System->Link('/users/?team='.$Team['Id']).'" title="Zobrazit členy týmu">'.$Team['NumberUser'].'</a><br />'.
           T('Team number of translated texts').': <strong>'.$Team['NumberTranslate'].'</strong><br />'.
           T('Average level of team members').': <strong>'.$XP['Level'].'</strong> '.T('experience').': '.ProgressBar(150, round($XP['XP'] / $XP['MaxXP'] * 100, 2), $XP['XP'].' / '.$XP['MaxXP']).'<br />'.

trunk/Modules/User/Options.php

@@ -30 +30 @@
       '<tr><td>'.T('Preferred client version').': </td><td>'.ClientVersionSelection($this->System->User->PreferredVersion).'</td></tr>'.
       '<tr><td>'.T('Public profile text').':</td><td>'.
-      '<textarea name="info" cols="60" rows="10">'.$this->System->User->Info.'</textarea></td></tr>';
+      '<textarea name="info" cols="60" rows="10">'.htmlspecialchars($this->System->User->Info).'</textarea></td></tr>';
 
     $Output .= '<tr><td>';
@@ -64 +64 @@
       $Output .= '<option value="'.$LineTeam['Id'].'"';
       if ($LineTeam['Id'] == $this->System->User->Team) $Output .= ' selected="selected"';
-      $Output .= '>'.$LineTeam['Name'].'</option>';
+      $Output .= '>'.htmlspecialchars($LineTeam['Name']).'</option>';
     }
     $Output .= '</select> <input type="submit" value="'.T('Enter').'" />

trunk/Modules/User/Profile.php

@@ -64 +64 @@
       if($this->System->User->Id != null) $Action .= ' <a href="'.$this->System->Link('/export/?Action=Clone&amp;ExportId='.$Export['Id']).'" onclick="return confirmAction(\''.T('Really clone item?').'\');">'.T('Clone').'</a>';
       $Output .= '<tr><td>'.HumanDate($Export['TimeCreate']).'</td>'.
-        '<td>'.$Export['Title'].'</td>'.
+        '<td>'.htmlspecialchars($Export['Title']).'</td>'.
         '<td>'.$Export['OutputType'].'</td>'.
         '<td><a href="'.$this->System->Link('/client-version/?action=item&amp;id='.$Export['ClientVersionId']).'">'.$Export['ClientVersion'].'</a></td>'.
@@ -109 +109 @@
       {
         $Output .= '<tr><td>'.HumanDate($DbRow['ModifyTime']).'</td>'.
-            '<td><a href="'.$this->System->Link('/form.php?group='.$DbRow['Group'].'&amp;ID='.$DbRow['ID']).'">'.$DbRow['ID'].'</a></td>'.
-            '<td><a href="'.$this->System->Link('/form.php?group='.$DbRow['Group'].'&amp;ID='.$DbRow['Take']).'">'.$DbRow['Take'].'</a></td>'.
-            '<td><a href="'.$this->System->Link('/TranslationList.php?group='.$DbRow['Group'].'&amp;action=filter').'">'.T($DbRow['GroupName']).'</a></td></tr>';
+          '<td><a href="'.$this->System->Link('/form.php?group='.$DbRow['Group'].'&amp;ID='.$DbRow['ID']).'">'.$DbRow['ID'].'</a></td>'.
+          '<td><a href="'.$this->System->Link('/form.php?group='.$DbRow['Group'].'&amp;ID='.$DbRow['Take']).'">'.$DbRow['Take'].'</a></td>'.
+          '<td><a href="'.$this->System->Link('/TranslationList.php?group='.$DbRow['Group'].'&amp;action=filter').'">'.T($DbRow['GroupName']).'</a></td></tr>';
       }
       $Output .= '</table>';
@@ -125 +125 @@
 
     $Output .= '<div class="shoutbox">';
-    $DbResult = $this->System->Database->query('SELECT `ForumText`.`Text`, `ForumText`.`Date`, `ForumText`.`UserName`,`ForumThread`.`Text` as `ThreadName`,`ForumText`.`Thread` FROM `ForumText` JOIN `ForumThread` ON `ForumThread`.`ID` = `ForumText`.`Thread` WHERE `ForumText`.`User` = '.($_GET['user'] * 1).' ORDER BY `ForumText`.`Date` DESC LIMIT '.$Count);
+    $DbResult = $this->System->Database->query('SELECT `ForumText`.`Text`, '.
+      '`ForumText`.`Date`, `ForumText`.`UserName`,`ForumThread`.`Text` AS `ThreadName`, '.
+      '`ForumText`.`Thread` FROM `ForumText` '.
+      'JOIN `ForumThread` ON `ForumThread`.`ID` = `ForumText`.`Thread` '.
+      'WHERE `ForumText`.`User` = '.($_GET['user'] * 1).' ORDER BY `ForumText`.`Date` DESC LIMIT '.$Count);
     while($Line = $DbResult->fetch_assoc())
-      $Output .= '<div><a href="'.$this->System->Link('/forum/?Thread='.$Line['Thread']).'">'.$Line['ThreadName'].'</a><br /><strong>'.$Line['UserName'].'</strong> ('.HumanDate($Line['Date']).'): '.$parser->qparse($Line['Text']).'</div> ';
+      $Output .= '<div><a href="'.$this->System->Link('/forum/?Thread='.$Line['Thread']).'">'.htmlspecialchars($Line['ThreadName']).'</a><br />'.
+        '<strong>'.$Line['UserName'].'</strong> ('.HumanDate($Line['Date']).'): '.htmlspecialchars($parser->qparse($Line['Text'])).'</div> ';
     $Output .= '</div>';
     return($Output);
@@ -159 +164 @@
         T('Level:').' <strong>'.$XP['Level'].'</strong> '.T('experience:').' '.ProgressBar(150, round($XP['XP'] / $XP['MaxXP'] * 100, 2), $XP['XP'].' / '.$XP['MaxXP']).'<br/>';
       if($UserLine['TeamName'] != '')
-        $Output .= T('Member of team:').' <a href="'.$this->System->Link('/team/?action=team&amp;id='.$UserLine['Team']).'"><strong>'.$UserLine['TeamName'].'</strong></a><br />';
+        $Output .= T('Member of team:').' <a href="'.$this->System->Link('/team/?action=team&amp;id='.$UserLine['Team']).'"><strong>'.htmlspecialchars($UserLine['TeamName']).'</strong></a><br />';
 
       // User tags
@@ -175 +180 @@
       }
 
-    $Output .= '<br /><fieldset><legend>'.T('Profile text:').'</legend>'.str_replace("\n", '<br/>', $UserLine['Info']).'</fieldset><br/>';
+    $Output .= '<br /><fieldset><legend>'.T('Profile text:').'</legend>'.htmlspecialchars(str_replace("\n", '<br/>', $UserLine['Info'])).'</fieldset><br/>';
 
     $Output .= '<table class="Home"><tr>'.
@@ -183 +188 @@
     $Output .= '<br />'.$this->ShowLastForum().'<br />';
     if($this->System->User->Licence(LICENCE_MODERATOR))
-   {
+    {
       $Output .= '<fieldset><legend>Moderování</legend>';
 
       $Output .= '<form action="?user='.($_GET['user'] * 1).'" method="post">Přidání tagu uživateli:<br />';
-      $Query = 'SELECT * FROM UserTagType';
+      $Query = 'SELECT * FROM `UserTagType`';
       $DbResult = $this->Database->query($Query);
       while ($UserTag = $DbResult->fetch_array()) {

trunk/Modules/User/Registration.php

@@ -19 +19 @@
     <fieldset><legend>'.T('New user registration').'</legend>
     <table>
-    <tr><td colspan="2">'.T('Please read carefully <a href="'.$this->System->Link('/info/').'">translation guidelines</a> and follow them. Translate with diacritics!').'<br/><br/></td></tr>
+    <tr><td colspan="2">'.sprintf(T('Please read carefully %s and follow them. Translate with diacritics!'),
+      '<a href="'.$this->System->Link('/info/').'">'.T('translation guidelines').'</a>').
+      '<br/><br/></td></tr>
     <tr>
     <th class="Left">'.T('Are you human?').'</th>';
@@ -27 +29 @@
     </tr>
     <tr>
-    <th class="Left">'.T('Name:').'</th>
+    <th class="Left">'.T('Name').':</th>
     <td><input type="text" name="user" value="'.$UserName.'"/></td>
     </tr>
     <tr>
-    <th class="Left">'.T('Password:').'</th>
+    <th class="Left">'.T('Password').':</th>
     <td><input type="password" name="pass" /></td>
     </tr>
     <tr>
-    <th class="Left">'.T('Password confirmation:').'</th>
+    <th class="Left">'.T('Password confirmation').':</th>
     <td><input type="password" name="pass2" /></td>
     </tr>
     <tr>
-    <th class="Left">'.T('E-mail:').'</th>
+    <th class="Left">'.T('E-mail').':</th>
     <td><input type="text" name="Email" value="'.$Email.'"/></td>
     </tr>
     <tr>
-    <th class="Left">'.T('I will translate normally to:').'</th>
+    <th class="Left">'.T('I will translate normally to').':</th>
     <td>'.WriteLanguages($Language).'</td>
     </tr>
     <tr>
-    <th class="Left">'.T('I belong to team:').'</th>';
+    <th class="Left">'.T('I belong to team').':</th>';
     if($Team == '') $Selected = ' selected="selected"';
       else $Selected = '';
@@ -56 +58 @@
       if($Team == $Line['Id']) $Selected = ' selected="selected"';
       else $Selected = '';
-      $Output .= '<option value="0'.$Line['Id'].'"'.$Selected.'>'.$Line['Name'].'</option>';
+      $Output .= '<option value="0'.$Line['Id'].'"'.$Selected.'>'.htmlspecialchars($Line['Name']).'</option>';
     }
     $Output .= '</select>';
     $Output .= '</td></tr>'.
-      '<tr><th class="Left">'.T('Preferred client version:').'</th><td>'.ClientVersionSelection('').'</td></tr>';
+      '<tr><th class="Left">'.T('Preferred client version').':</th><td>'.ClientVersionSelection('').'</td></tr>';
 
     $Query = 'SELECT * FROM UserTagType';
     $DbResult = $this->Database->query($Query);
     $Output .= '<tr><th class="Left">'.
-      T('Select rules which you will apply during translation:').'</th><td>';
+      T('Select rules which you will apply during translation').':</th><td>';
     while ($UserTag = $DbResult->fetch_array())
     {

trunk/Modules/User/UserList.php

@@ -20 +20 @@
     {
       $TeamId = $_GET['team'] * 1;
-      $DbResult = $this->Database->select('Team', 'Name', 'Id='.$TeamId);
+      $DbResult = $this->Database->select('Team', 'Name', '`Id`='.$TeamId);
       if($DbResult->num_rows > 0)
       {
         $Team = $DbResult->fetch_assoc();
-        $Output .= '<h3>'.sprintf(T('Users in team %s'), $Team['Name']).'</h3>';
+        $Output .= '<h3>'.sprintf(T('Users in team %s'), htmlspecialchars($Team['Name'])).'</h3>';
         $TeamFilter = ' AND (`Team`='.$_GET['team'].')';
       } else {

trunk/locale/cs.php

@@ -286 +286 @@
       'Select rules which you will apply during translation' => 'Vyberte pravidla, kterými se při překladu chcete řídit',
       'Register' => 'Registrovat',
-      'Please read carefully <a href="info.php">translation guidelines</a> and follow them. Translate with diacritics!' => 'Pozorně si přečtěte <a href="info.php">pokyny k překladu</a> a řiďte se jimi. Překládat je nutno včetně háčků a čárek!',
+      'Please read carefully %s and follow them. Translate with diacritics!' => 'Pozorně si přečtěte %s a řiďte se jimi. Překládat je nutno včetně háčků a čárek!',
+      'translation guidelines' => 'pokyny k překladu',
       'Untranslated' => 'Nepřeložené',
       'Own' => 'Vlastní',
@@ -497 +498 @@
         'edit' => 'upravit',
         'Post' => 'Příspěvek',
+        'Export %s of translator %s' => 'Export %s překladatele %s',
       ),
       'URL' => array(