Timestamp:
Jan 17, 2016, 10:07:13 PM (8 years ago)
Author:
chronos
Message:
  • Fixed: Use the htmlspecialchars function for user-inserted content to avoid breaking the page's HTML structure. Added for forum, teams, dictionary and profile text.
File:
1 edited

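--- a/trunk/Modules/Dictionary/Dictionary.php
+++ b/trunk/Modules/Dictionary/Dictionary.php
@@ -170,8 +170,8 @@
           '<input type="hidden" name="id"  value="'.$_GET['id'].'"/>'.
           '<table><tr><td>'.
-          'Původní anglické slovo:</td><td><input type="text" name="Original" value="'.$DbRow2['Text'].'" /></td></tr>'.
-          '<tr><td>Přeložené:</td><td><input type="text" name="Translated"  value="'.$DbRow['Text'].'" /></td></tr>'.
+          'Původní anglické slovo:</td><td><input type="text" name="Original" value="'.htmlspecialchars($DbRow2['Text']).'" /></td></tr>'.
+          '<tr><td>Přeložené:</td><td><input type="text" name="Translated" value="'.htmlspecialchars($DbRow['Text']).'" /></td></tr>'.
           '<tr><td>'.T('Language').':</td><td>'.WriteLanguages($DbRow['Language']).'</td></tr>'.
-          '<tr><td>'.T('Description').':</td><td><input type="text" name="Description"  value="'.$DbRow['Description'].'" /></td></tr>'.
+          '<tr><td>'.T('Description').':</td><td><input type="text" name="Description"  value="'.htmlspecialchars($DbRow['Description']).'" /></td></tr>'.
           '<tr><td colspan="2"><input type="submit" value="'.T('Save').'" /></td></tr>'.
           '</td></tr></table>'.
@@ -271,5 +271,5 @@
 
     if(is_numeric($_SESSION['language'])) $LanguageName = $LanguageList[$_SESSION['language']]['Name'];
-      else $LanguageName = 'Překlad';
+      else $LanguageName = T('Translation');
     $TableColumns = array(
       array('Name' => 'Original', 'Title' => T('English')),
@@ -288,8 +288,8 @@
     {
       $Output .= '<tr>'.
-        '<td>'.$Line['Original'].'</td>'.
-        '<td><strong>'.$Line['Translated'].'</strong></td>';
+        '<td>'.htmlspecialchars($Line['Original']).'</td>'.
+        '<td><strong>'.htmlspecialchars($Line['Translated']).'</strong></td>';
       if(!is_numeric($_SESSION['language'])) $Output .= '<td>'.T($Line['LangName']).'</td>';
-      $Output .= '<td>'.$Line['Description'].'</td>'.
+      $Output .= '<td>'.htmlspecialchars($Line['Description']).'</td>'.
         '<td><a href="'.$this->System->Link('/user/?user='.$Line['UserId']).'">'.
         $Line['UserName'].'</a></td>';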
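Review bot: Two values in the same output statements are still written into the HTML unescaped after this change: `$_GET['id']` in the hidden input on line 170 of the first hunk, and `$Line['UserName']` in the anchor text on line 295 of the third hunk, so the escaping added here is incomplete for the request parameter and for a user-supplied display name. The fix is the same call the commit already uses on the neighbouring lines: `'<input type="hidden" name="id"  value="'.htmlspecialchars($_GET['id']).'"/>'.` and `htmlspecialchars($Line['UserName']).'</a></td>';`. Whether `$this->System->Link()` escapes its result for the `href` attribute and whether `T($Line['LangName'])` can return stored text cannot be seen from these hunks; both are worth confirming. In both hunks the enclosing method and the `$Output .=` statement start and end outside the shown lines.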