Ignore:
Timestamp:
Jan 17, 2016, 10:07:13 PM (9 years ago)
Author:
chronos
Message:
  • Fixed: Use htmlspecialchars function for user inserted content to avoid breaking page HTML structure. Added for forum, teams, dictionary and profile text.
File:
1 edited

Legend:

Unmodified
Added
Removed
  • trunk/Modules/Export/Page.php

    r848 r851  
    7070      $Output .= '<tr><td>'.HumanDate($Export['TimeCreate']).'</td>'.
    7171          '<td><a href="'.$this->System->Link('/user/?user='.$Export['User']).'">'.$Export['UserName'].'</a></td>'.
    72           '<td>'.$Export['Title'].'</td>'.
     72          '<td>'.htmlspecialchars($Export['Title']).'</td>'.
    7373          '<td>'.$Export['OutputType'].'</td>'.
    7474          '<td><a href="'.$this->System->Link('/client-version/?action=item&amp;id='.$Export['ClientVersionId']).'">'.$Export['ClientVersion'].'</a></td>'.
     
    304304        $Output .= '<input type="hidden" name="Operation" value="Save"/>'.
    305305            '<tr><td colspan="2">';
    306         if($Editable) $Output .= ' <input type="submit" value="Uložit" '.$DisabledInput[$Editable].'/>';
     306        if($Editable) $Output .= ' <input type="submit" value="'.T('Save').'" '.$DisabledInput[$Editable].'/>';
    307307        $Output .= ' <a href="?Action=Clone&amp;ExportId='.$Export['Id'].'" onclick="return confirmAction(\''.T('Realy clone item?').'\');">'.T('Clone').'</a> ';
    308308        if($this->System->User->Licence(LICENCE_ADMIN))
     
    310310        $Output .= '</td></tr>';
    311311      }
    312       $Output .= '<tr><td>'.T('Identification').':</td><td><input type="text" style="width: 400px" name="Title" value="'.$Export['Title'].'"'.$DisabledInput[$Editable].'/></td></tr>'.
    313           '<tr><td>Popis:</td><td><textarea name="Description" cols="54" rows="10"'.$DisabledTextArea[$Editable].'>'.$Export['Description'].'</textarea></td></tr>'.
     312      $Output .= '<tr><td>'.T('Identification').':</td><td><input type="text" style="width: 400px" name="Title" value="'.htmlspecialchars($Export['Title']).'"'.$DisabledInput[$Editable].'/></td></tr>'.
     313          '<tr><td>'.T('Description').':</td><td><textarea name="Description" cols="54" rows="10"'.$DisabledTextArea[$Editable].'>'.htmlspecialchars($Export['Description']).'</textarea></td></tr>'.
    314314          '<tr><td>'.T('With diacritics').'</td><td><input type="checkbox" name="WithDiacritic" '.$WithDiacritic.''.$DisabledInput[$Editable].'/></td></tr>'.
    315315          '</table></form>';
     
    752752        $DbResult = $this->System->Database->query('SELECT * FROM `User` WHERE `ID`='.$Export['User']);
    753753        $UserLine = $DbResult->fetch_assoc();
    754         $Output .= 'Export <strong><a href="?Action=View&amp;Tab=6&amp;ExportId='.$Export['Id'].'">'.$_GET['ExportId'].'</a></strong> překladatele <strong>'.$UserLine['Name'].'</strong> s označením <strong>'.$Export['Title'].'</strong>';
    755         $Output .= ShowTabs(array(T('General'), T('Translators'), T('Translations'), T('Languages'), T('Format'), T('Version'), T('Statistic'), T('Output')));
     754        $Output .= sprintf(T('Export %s of translator %s'),
     755          '<strong><a href="?Action=View&amp;Tab=6&amp;ExportId='.$Export['Id'].'">'.htmlspecialchars($Export['Title']).'</a></strong>',
     756          '<strong>'.$UserLine['Name'].'</strong>');
     757        $Output .= ShowTabs(array(T('General'), T('Translators'),
     758          T('Translations'), T('Languages'), T('Format'), T('Version'),
     759          T('Statistic'), T('Output')));
    756760        $Output .= '<div id="content">';
    757761        if($_SESSION['Tab'] == TAB_GENERAL) $Output .= $this->ExportViewGeneral();
Note: See TracChangeset for help on using the changeset viewer.