Changeset 851 for trunk/Modules/User


Timestamp:
Jan 17, 2016, 10:07:13 PM (9 years ago)
Author:
chronos
Message:
  • Fixed: Use htmlspecialchars function for user inserted content to avoid breaking page HTML structure. Added for forum, teams, dictionary and profile text.
Location:
trunk/Modules/User
Files:
4 edited

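--- a/trunk/Modules/User/Options.php
+++ b/trunk/Modules/User/Options.php
@@ -30,5 +30,5 @@
       '<tr><td>'.T('Preferred client version').': </td><td>'.ClientVersionSelection($this->System->User->PreferredVersion).'</td></tr>'.
       '<tr><td>'.T('Public profile text').':</td><td>'.
-      '<textarea name="info" cols="60" rows="10">'.$this->System->User->Info.'</textarea></td></tr>';
+      '<textarea name="info" cols="60" rows="10">'.htmlspecialchars($this->System->User->Info).'</textarea></td></tr>';
 
     $Output .= '<tr><td>';
@@ -64,5 +64,5 @@
       $Output .= '<option value="'.$LineTeam['Id'].'"';
       if ($LineTeam['Id'] == $this->System->User->Team) $Output .= ' selected="selected"';
-      $Output .= '>'.$LineTeam['Name'].'</option>';
+      $Output .= '>'.htmlspecialchars($LineTeam['Name']).'</option>';
     }
     $Output .= '</select> <input type="submit" value="'.T('Enter').'" />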
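Review bot: The htmlspecialchars() calls added at lines 32 and 66 rely on the default flags and charset, so what they escape depends on the PHP version the site runs on: before PHP 8.1 the default ENT_COMPAT leaves single quotes untouched, the default charset was ISO-8859-1 before 5.4, and without ENT_SUBSTITUTE an invalid byte sequence makes the call return an empty string, silently dropping the profile text. Pinning the arguments, e.g. `htmlspecialchars($this->System->User->Info, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')`, makes the output independent of ini settings. The same bare call is repeated in the Profile.php, Registration.php and UserList.php hunks of this changeset, so a one-line helper wrapping it would keep all of them consistent. Both functions enclosing these hunks start before and end after them.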
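--- a/trunk/Modules/User/Profile.php
+++ b/trunk/Modules/User/Profile.php
@@ -64,5 +64,5 @@
       if($this->System->User->Id != null) $Action .= ' <a href="'.$this->System->Link('/export/?Action=Clone&amp;ExportId='.$Export['Id']).'" onclick="return confirmAction(\''.T('Really clone item?').'\');">'.T('Clone').'</a>';
       $Output .= '<tr><td>'.HumanDate($Export['TimeCreate']).'</td>'.
-        '<td>'.$Export['Title'].'</td>'.
+        '<td>'.htmlspecialchars($Export['Title']).'</td>'.
         '<td>'.$Export['OutputType'].'</td>'.
         '<td><a href="'.$this->System->Link('/client-version/?action=item&amp;id='.$Export['ClientVersionId']).'">'.$Export['ClientVersion'].'</a></td>'.
@@ -109,7 +109,7 @@
       {
         $Output .= '<tr><td>'.HumanDate($DbRow['ModifyTime']).'</td>'.
-            '<td><a href="'.$this->System->Link('/form.php?group='.$DbRow['Group'].'&amp;ID='.$DbRow['ID']).'">'.$DbRow['ID'].'</a></td>'.
-            '<td><a href="'.$this->System->Link('/form.php?group='.$DbRow['Group'].'&amp;ID='.$DbRow['Take']).'">'.$DbRow['Take'].'</a></td>'.
-            '<td><a href="'.$this->System->Link('/TranslationList.php?group='.$DbRow['Group'].'&amp;action=filter').'">'.T($DbRow['GroupName']).'</a></td></tr>';
+          '<td><a href="'.$this->System->Link('/form.php?group='.$DbRow['Group'].'&amp;ID='.$DbRow['ID']).'">'.$DbRow['ID'].'</a></td>'.
+          '<td><a href="'.$this->System->Link('/form.php?group='.$DbRow['Group'].'&amp;ID='.$DbRow['Take']).'">'.$DbRow['Take'].'</a></td>'.
+          '<td><a href="'.$this->System->Link('/TranslationList.php?group='.$DbRow['Group'].'&amp;action=filter').'">'.T($DbRow['GroupName']).'</a></td></tr>';
       }
       $Output .= '</table>';
@@ -125,7 +125,12 @@
 
     $Output .= '<div class="shoutbox">';
-    $DbResult = $this->System->Database->query('SELECT `ForumText`.`Text`, `ForumText`.`Date`, `ForumText`.`UserName`,`ForumThread`.`Text` as `ThreadName`,`ForumText`.`Thread` FROM `ForumText` JOIN `ForumThread` ON `ForumThread`.`ID` = `ForumText`.`Thread` WHERE `ForumText`.`User` = '.($_GET['user'] * 1).' ORDER BY `ForumText`.`Date` DESC LIMIT '.$Count);
+    $DbResult = $this->System->Database->query('SELECT `ForumText`.`Text`, '.
+      '`ForumText`.`Date`, `ForumText`.`UserName`,`ForumThread`.`Text` AS `ThreadName`, '.
+      '`ForumText`.`Thread` FROM `ForumText` '.
+      'JOIN `ForumThread` ON `ForumThread`.`ID` = `ForumText`.`Thread` '.
+      'WHERE `ForumText`.`User` = '.($_GET['user'] * 1).' ORDER BY `ForumText`.`Date` DESC LIMIT '.$Count);
     while($Line = $DbResult->fetch_assoc())
-      $Output .= '<div><a href="'.$this->System->Link('/forum/?Thread='.$Line['Thread']).'">'.$Line['ThreadName'].'</a><br /><strong>'.$Line['UserName'].'</strong> ('.HumanDate($Line['Date']).'): '.$parser->qparse($Line['Text']).'</div> ';
+      $Output .= '<div><a href="'.$this->System->Link('/forum/?Thread='.$Line['Thread']).'">'.htmlspecialchars($Line['ThreadName']).'</a><br />'.
+        '<strong>'.$Line['UserName'].'</strong> ('.HumanDate($Line['Date']).'): '.htmlspecialchars($parser->qparse($Line['Text'])).'</div> ';
     $Output .= '</div>';
     return($Output);
@@ -159,5 +164,5 @@
         T('Level:').' <strong>'.$XP['Level'].'</strong> '.T('experience:').' '.ProgressBar(150, round($XP['XP'] / $XP['MaxXP'] * 100, 2), $XP['XP'].' / '.$XP['MaxXP']).'<br/>';
       if($UserLine['TeamName'] != '')
-        $Output .= T('Member of team:').' <a href="'.$this->System->Link('/team/?action=team&amp;id='.$UserLine['Team']).'"><strong>'.$UserLine['TeamName'].'</strong></a><br />';
+        $Output .= T('Member of team:').' <a href="'.$this->System->Link('/team/?action=team&amp;id='.$UserLine['Team']).'"><strong>'.htmlspecialchars($UserLine['TeamName']).'</strong></a><br />';
 
       // User tags
@@ -175,5 +180,5 @@
       }
 
-    $Output .= '<br /><fieldset><legend>'.T('Profile text:').'</legend>'.str_replace("\n", '<br/>', $UserLine['Info']).'</fieldset><br/>';
+    $Output .= '<br /><fieldset><legend>'.T('Profile text:').'</legend>'.htmlspecialchars(str_replace("\n", '<br/>', $UserLine['Info'])).'</fieldset><br/>';
 
     $Output .= '<table class="Home"><tr>'.
@@ -183,9 +188,9 @@
     $Output .= '<br />'.$this->ShowLastForum().'<br />';
     if($this->System->User->Licence(LICENCE_MODERATOR))
-   {
+    {
       $Output .= '<fieldset><legend>Moderování</legend>';
 
       $Output .= '<form action="?user='.($_GET['user'] * 1).'" method="post">Přidání tagu uživateli:<br />';
-      $Query = 'SELECT * FROM UserTagType';
+      $Query = 'SELECT * FROM `UserTagType`';
       $DbResult = $this->Database->query($Query);
       while ($UserTag = $DbResult->fetch_array()) {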
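Review bot: At line 182 htmlspecialchars() is applied after str_replace() has inserted the `<br/>` tags, so the newlines in the profile text will now render as literal `&lt;br/&gt;` text instead of line breaks; escape first and add the markup afterwards: `str_replace("\n", '<br/>', htmlspecialchars($UserLine['Info']))`. Line 134 raises the same ordering question with `htmlspecialchars($parser->qparse($Line['Text']))` — if qparse() turns the stored forum markup into HTML, escaping its output shows that HTML as text, and the escaping belongs on the raw text before parsing, as is done with ThreadName on the line above; qparse() is not visible here, so confirm against its implementation. On the same line `$Line['UserName']` is still concatenated unescaped while `ThreadName` next to it is escaped; `'<strong>'.htmlspecialchars($Line['UserName']).'</strong>'` would treat both the same way. The functions enclosing these hunks start before and end after them.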
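--- a/trunk/Modules/User/Registration.php
+++ b/trunk/Modules/User/Registration.php
@@ -19,5 +19,7 @@
     <fieldset><legend>'.T('New user registration').'</legend>
     <table>
-    <tr><td colspan="2">'.T('Please read carefully <a href="'.$this->System->Link('/info/').'">translation guidelines</a> and follow them. Translate with diacritics!').'<br/><br/></td></tr>
+    <tr><td colspan="2">'.sprintf(T('Please read carefully %s and follow them. Translate with diacritics!'),
+      '<a href="'.$this->System->Link('/info/').'">'.T('translation guidelines').'</a>').
+      '<br/><br/></td></tr>
     <tr>
     <th class="Left">'.T('Are you human?').'</th>';
@@ -27,25 +29,25 @@
     </tr>
     <tr>
-    <th class="Left">'.T('Name:').'</th>
+    <th class="Left">'.T('Name').':</th>
     <td><input type="text" name="user" value="'.$UserName.'"/></td>
     </tr>
     <tr>
-    <th class="Left">'.T('Password:').'</th>
+    <th class="Left">'.T('Password').':</th>
     <td><input type="password" name="pass" /></td>
     </tr>
     <tr>
-    <th class="Left">'.T('Password confirmation:').'</th>
+    <th class="Left">'.T('Password confirmation').':</th>
     <td><input type="password" name="pass2" /></td>
     </tr>
     <tr>
-    <th class="Left">'.T('E-mail:').'</th>
+    <th class="Left">'.T('E-mail').':</th>
     <td><input type="text" name="Email" value="'.$Email.'"/></td>
     </tr>
     <tr>
-    <th class="Left">'.T('I will translate normally to:').'</th>
+    <th class="Left">'.T('I will translate normally to').':</th>
     <td>'.WriteLanguages($Language).'</td>
     </tr>
     <tr>
-    <th class="Left">'.T('I belong to team:').'</th>';
+    <th class="Left">'.T('I belong to team').':</th>';
     if($Team == '') $Selected = ' selected="selected"';
       else $Selected = '';
@@ -56,14 +58,14 @@
       if($Team == $Line['Id']) $Selected = ' selected="selected"';
       else $Selected = '';
-      $Output .= '<option value="0'.$Line['Id'].'"'.$Selected.'>'.$Line['Name'].'</option>';
+      $Output .= '<option value="0'.$Line['Id'].'"'.$Selected.'>'.htmlspecialchars($Line['Name']).'</option>';
     }
     $Output .= '</select>';
     $Output .= '</td></tr>'.
-      '<tr><th class="Left">'.T('Preferred client version:').'</th><td>'.ClientVersionSelection('').'</td></tr>';
+      '<tr><th class="Left">'.T('Preferred client version').':</th><td>'.ClientVersionSelection('').'</td></tr>';
 
     $Query = 'SELECT * FROM UserTagType';
     $DbResult = $this->Database->query($Query);
     $Output .= '<tr><th class="Left">'.
-      T('Select rules which you will apply during translation:').'</th><td>';
+      T('Select rules which you will apply during translation').':</th><td>';
     while ($UserTag = $DbResult->fetch_array())
     {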
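Review bot: The form still writes `$UserName` (line 32) and `$Email` (line 44) into value attributes unescaped, although the purpose of this changeset is to escape user-entered text and these two are exactly the values a visitor just typed into the registration form; both are assigned outside the hunk, presumably from the submitted request, so confirm their origin. Escaping them the same way as the team name on line 60, `value="'.htmlspecialchars($UserName).'"/>` and `value="'.htmlspecialchars($Email).'"/>`, keeps a quote or angle bracket in the input from terminating the attribute and breaking the page structure. The method enclosing these hunks starts before and ends after them.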
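--- a/trunk/Modules/User/UserList.php
+++ b/trunk/Modules/User/UserList.php
@@ -20,9 +20,9 @@
     {
       $TeamId = $_GET['team'] * 1;
-      $DbResult = $this->Database->select('Team', 'Name', 'Id='.$TeamId);
+      $DbResult = $this->Database->select('Team', 'Name', '`Id`='.$TeamId);
       if($DbResult->num_rows > 0)
       {
         $Team = $DbResult->fetch_assoc();
-        $Output .= '<h3>'.sprintf(T('Users in team %s'), $Team['Name']).'</h3>';
+        $Output .= '<h3>'.sprintf(T('Users in team %s'), htmlspecialchars($Team['Name'])).'</h3>';
         $TeamFilter = ' AND (`Team`='.$_GET['team'].')';
       } else {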
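Review bot: Line 27 still builds `$TeamFilter` from the raw `$_GET['team']`, although line 21 has already coerced that same parameter into the integer `$TeamId` and the commit touched the query right above it; the raw request value is concatenated into SQL with no cast or quoting. Using the coerced copy, ``$TeamFilter = ' AND (`Team`='.$TeamId.')';``, makes the filter consistent with the select() call on line 22 and removes the one unvalidated value left in this hunk. The method enclosing the hunk starts before and ends after it.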