
Commit 11f2be0

author
tgloeggl
committed
fixes #3238, replace all occurrences of htmlspecialchars with htmlReady, omitting the vendor area
git-svn-id: svn://develop.studip.de/studip/trunk@25796 c5b85792-5220-0410-ad23-ed5b6b8ad999
1 parent 5e0f1eb commit 11f2be0

34 files changed

+72
-72
lines changed

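--- a/app/controllers/content_element.php
+++ b/app/controllers/content_element.php
@@ -31,7 +31,7 @@ function before_filter(&$action, &$args) {
 
 function get_formatted_action(){
 return $this->render_json(array(
-'title' => studip_utf8encode(htmlspecialchars($this->element->getTitle())),
+'title' => studip_utf8encode(htmlReady($this->element->getTitle())),
 'content' => studip_utf8encode($this->element->getAbstractHtml())
 )
 );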
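Review bot: `title` is now an HTML-escaped (and, if htmlReady does more than htmlspecialchars, HTML-formatted) string while `content` on the next line is raw HTML, so the consumer of this JSON must insert `title` as markup, not as text — otherwise entities such as `&amp;` show up literally, and a consumer that does insert it as markup must never receive an unescaped title. That contract is invisible from the controller; a comment on the `render_json` call would pin it: `// 'title' is pre-escaped for insertion as HTML; 'content' is already HTML`. The closing brace of get_formatted_action lies outside the hunk.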

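--- a/app/views/admin/plugin/default_activation.php
+++ b/app/views/admin/plugin/default_activation.php
@@ -8,7 +8,7 @@
 <? endif ?>
 
 <h3>
-<?= _('Standard-Aktivierung in Veranstaltungen') ?>: <?= htmlspecialchars($plugin_name) ?>
+<?= _('Standard-Aktivierung in Veranstaltungen') ?>: <?= htmlReady($plugin_name) ?>
 </h3>
 
 <form action="<?= $controller->url_for('admin/plugin/save_default_activation', $plugin_id) ?>" method="post">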

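--- a/app/views/admin/plugin/index.php
+++ b/app/views/admin/plugin/index.php
@@ -54,15 +54,15 @@
 </td>
 <td>
 <a href="<?= $controller->url_for('admin/plugin/manifest', $pluginid) ?>">
-<?= htmlspecialchars($plugin['name']) ?>
+<?= htmlReady($plugin['name']) ?>
 <?= $plugin['core'] ? '<i>('. _('Kern-Plugin') . ')</i>' : '' ?>
 </a>
 </td>
 <td <?= $plugin['enabled'] ? '' : 'class="quiet"' ?>>
 <?= join(', ', $plugin['type']) ?>
 </td>
 <td <?= $plugin['enabled'] ? '' : 'class="quiet"' ?>>
-<?= htmlspecialchars($update_info[$pluginid]['version']) ?>
+<?= htmlReady($update_info[$pluginid]['version']) ?>
 </td>
 <td>
 <input name="position_<?= $pluginid ?>" type="text" size="2" value="<?= $plugin['position'] ?>" <?= $plugin['enabled'] ? '' : 'disabled' ?>>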
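Review bot: The last line of this hunk still writes `$pluginid` into the input name and `$plugin['position']` into its value with no escaping, and `join(', ', $plugin['type'])` a few lines up is raw as well; the commit only wraps the name and version cells. If id and position are guaranteed integers this is harmless, but nothing in the view shows that, so either cast them at the output point, `value="<?= (int)$plugin['position'] ?>"`, or give them the same htmlReady treatment as the neighbouring cells. The type strings presumably come from the plugin manifest — worth confirming they are constrained before trusting them in markup.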

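--- a/app/views/admin/plugin/manifest.php
+++ b/app/views/admin/plugin/manifest.php
@@ -10,7 +10,7 @@
 <table>
 <tr>
 <td>Name:</td>
-<td><?= htmlspecialchars($plugin['name']) ?></td>
+<td><?= htmlReady($plugin['name']) ?></td>
 </tr>
 <tr>
 <td>Klasse:</td>
@@ -22,15 +22,15 @@
 </tr>
 <tr>
 <td>Origin:</td>
-<td><?= htmlspecialchars($manifest['origin']) ?></td>
+<td><?= htmlReady($manifest['origin']) ?></td>
 </tr>
 <tr>
 <td>Version:</td>
-<td><?= htmlspecialchars($manifest['version']) ?></td>
+<td><?= htmlReady($manifest['version']) ?></td>
 </tr>
 <tr>
 <td>Beschreibung:</td>
-<td><?= htmlspecialchars($manifest['description']) ?></td>
+<td><?= htmlReady($manifest['description']) ?></td>
 </tr>
 </table>
 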

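--- a/app/views/admin/plugin/search.php
+++ b/app/views/admin/plugin/search.php
@@ -37,28 +37,28 @@
 <td class="plugin_image">
 <? if ($plugin['image']): ?>
 <? if ($plugin['plugin_url']): ?>
-<a href="<?= htmlspecialchars($plugin['plugin_url']) ?>" target="_blank">
-<img src="<?= htmlspecialchars($plugin['image']) ?>" class="plugin_preview">
+<a href="<?= htmlReady($plugin['plugin_url']) ?>" target="_blank">
+<img src="<?= htmlReady($plugin['image']) ?>" class="plugin_preview">
 </a>
 <? else: ?>
-<img src="<?= htmlspecialchars($plugin['image']) ?>" class="plugin_preview">
+<img src="<?= htmlReady($plugin['image']) ?>" class="plugin_preview">
 <? endif ?>
 <? endif ?>
 </td>
 <td>
 <? if ($plugin['plugin_url']): ?>
-<a href="<?= htmlspecialchars($plugin['plugin_url']) ?>" target="_blank">
-<b><?= htmlspecialchars($name) ?></b>
+<a href="<?= htmlReady($plugin['plugin_url']) ?>" target="_blank">
+<b><?= htmlReady($name) ?></b>
 </a>
 <? else: ?>
-<b><?= htmlspecialchars($name) ?></b>
+<b><?= htmlReady($name) ?></b>
 <? endif ?>
 <p>
-<?= htmlspecialchars($plugin['description']) ?>
+<?= htmlReady($plugin['description']) ?>
 </p>
 </td>
 <td>
-<?= htmlspecialchars($plugin['version']) ?>
+<?= htmlReady($plugin['version']) ?>
 </td>
 <td class="plugin_score">
 <? for ($i = 0; $i < $plugin['score']; ++$i): ?>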
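Review bot: Neither htmlspecialchars nor htmlReady constrains the URL scheme, so a `javascript:` or `data:` value in `$plugin['plugin_url']` or `$plugin['image']` still becomes a live link or image in the `href`/`src` attributes at the top of this hunk — and these records look like search results from an external plugin directory rather than local admin input, so they deserve a scheme check such as `<? if (preg_match('#^https?://#i', $plugin['plugin_url'])): ?>` (or validation where the results are fetched). Separately, htmlReady is an HTML-body formatter; if it does anything beyond entity encoding (line-break conversion, trimming), it is the wrong escaper for an attribute value and `htmlspecialchars($url, ENT_QUOTES)` should stay on those four attribute lines. The `target="_blank"` anchors also lack `rel="noopener noreferrer"`.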

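--- a/app/views/admin/plugin/update_info.php
+++ b/app/views/admin/plugin/update_info.php
@@ -15,7 +15,7 @@
 <div>
 <label>
 <input type="checkbox" name="update[]" value="<?= $pluginid ?>" checked>
-<?= htmlspecialchars(sprintf(_('%s: Version %s installieren'), $plugin['name'], $update_info[$pluginid]['update']['version'])) ?>
+<?= htmlReady(sprintf(_('%s: Version %s installieren'), $plugin['name'], $update_info[$pluginid]['update']['version'])) ?>
 </label>
 </div>
 <? endif ?>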

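--- a/app/views/admin/role/assign_plugin_role.php
+++ b/app/views/admin/role/assign_plugin_role.php
@@ -14,7 +14,7 @@
 <select name="pluginid" style="min-width: 300px;">
 <? foreach ($plugins as $plugin): ?>
 <option value="<?= $plugin['id'] ?>" <?= $plugin['id'] == $pluginid ? 'selected' : '' ?>>
-<?= htmlspecialchars($plugin['name']) ?>
+<?= htmlReady($plugin['name']) ?>
 </option>
 <? endforeach ?>
 </select>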

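--- a/app/views/admin/role/show_role.php
+++ b/app/views/admin/role/show_role.php
@@ -76,7 +76,7 @@
 </td>
 <td>
 <a href="<?= $controller->url_for('admin/role/assign_plugin_role', $plugin['id']) ?>">
-<?= htmlspecialchars($plugin['name']) ?>
+<?= htmlReady($plugin['name']) ?>
 </a>
 </td>
 <td>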

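--- a/lib/classes/URLHelper.php
+++ b/lib/classes/URLHelper.php
@@ -145,7 +145,7 @@ static function removeLinkParam ($name)
 */
 static function getLink ($url = '', $params = NULL, $ignore_registered_params = false)
 {
-return htmlReady(self::getURL($url, $params, $ignore_registered_params));
+return htmlReady(self::getURL($url, $params, $ignore_registered_params));
 }
 
 /**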
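Review bot: getLink's return value is consumed inside `href="…"` attributes (see the `URLHelper::getLink($url)` calls in public/index.php in this same commit), so the escaper here must be an attribute escaper; htmlReady is the body-text formatter and, if it does anything beyond entity encoding — trimming, line-break conversion, a fixed source charset — it will rewrite URLs rather than merely escape them. The precise call for this context is `return htmlspecialchars(self::getURL($url, $params, $ignore_registered_params), ENT_QUOTES);`, which also covers single-quoted attributes that the old flag-less htmlspecialchars call left unescaped; whether htmlReady already passes ENT_QUOTES is not visible in this hunk. The docblock above getLink (cut off at the hunk start) should state "returns the URL HTML-escaped for use in an attribute value".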

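--- a/lib/elearning/Ilias3Soap.class.php
+++ b/lib/elearning/Ilias3Soap.class.php
@@ -442,8 +442,8 @@ function getReferenceByTitle($key, $type = "")
 function addObject($object_data, $ref_id)
 {
 $type = $object_data["type"];
-$title = htmlspecialchars(studip_utf8encode($object_data["title"]));
-$description = htmlspecialchars(studip_utf8encode($object_data["description"]));
+$title = htmlReady(studip_utf8encode($object_data["title"]));
+$description = htmlReady(studip_utf8encode($object_data["description"]));
 
 $xml = "<!DOCTYPE Objects SYSTEM \"http://www.ilias.uni-koeln.de/download/dtd/ilias_object_0_1.dtd\">
 <Objects>
@@ -655,8 +655,8 @@ function getLocalRoles($course_id)
 function addRole($role_data, $ref_id)
 {
 $type = "role";
-$title = htmlspecialchars(studip_utf8encode($role_data["title"]));
-$description = htmlspecialchars(studip_utf8encode($role_data["description"]));
+$title = htmlReady(studip_utf8encode($role_data["title"]));
+$description = htmlReady(studip_utf8encode($role_data["description"]));
 
 $xml = "<!DOCTYPE Objects SYSTEM \"http://www.ilias.uni-koeln.de/download/dtd/ilias_object_0_1.dtd\">
 <Objects>
@@ -695,8 +695,8 @@ function addRole($role_data, $ref_id)
 function addRoleFromTemplate($role_data, $ref_id, $role_id)
 {
 $type = "role";
-$title = htmlspecialchars(studip_utf8encode($role_data["title"]));
-$description = htmlspecialchars(studip_utf8encode($role_data["description"]));
+$title = htmlReady(studip_utf8encode($role_data["title"]));
+$description = htmlReady(studip_utf8encode($role_data["description"]));
 
 $xml = "<!DOCTYPE Objects SYSTEM \"http://www.ilias.uni-koeln.de/download/dtd/ilias_object_0_1.dtd\">
 <Objects>
@@ -978,7 +978,7 @@ function addMember($user_id, $type, $course_id)
 function addCourse($course_data, $ref_id)
 {
 foreach($course_data as $key => $value)
-$course_data[$key] = htmlspecialchars(studip_utf8encode($course_data[$key]));
+$course_data[$key] = htmlReady(studip_utf8encode($course_data[$key]));
 
 $xml = $this->getCourseXML($course_data);
 $param = array(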
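Review bot: The values escaped in these four hunks go into an XML document built by string concatenation (`$xml = "<!DOCTYPE Objects …` / `getCourseXML`) and shipped to ILIAS over SOAP, not into an HTML page, so an HTML formatter is the wrong tool: if htmlReady emits markup of its own (a `<br>` per newline is the usual thing for such a helper, though its body is not in this hunk), a description with a line break yields an unclosed tag and either malformed XML or injected elements on the remote side. Entity encoding is all XML needs, and it should match the encoding the value was just converted to: `$title = htmlspecialchars(studip_utf8encode($object_data["title"]), ENT_QUOTES, 'UTF-8');` (same for `$description` and the `addCourse` loop). If htmlReady hard-codes the site's non-UTF-8 charset, it is also escaping a UTF-8 string under the wrong encoding here. Each of these functions continues past its hunk.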

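--- a/lib/elearning/Ilias4Soap.class.php
+++ b/lib/elearning/Ilias4Soap.class.php
@@ -50,7 +50,7 @@ function Ilias4Soap($cms)
 function addUser($user_data, $role_id)
 {
 foreach($user_data as $key => $value) {
-$user_data[$key] = htmlspecialchars(studip_utf8encode($user_data[$key]));
+$user_data[$key] = htmlReady(studip_utf8encode($user_data[$key]));
 }
 
 $usr_xml = "<Users>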
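Review bot: These user fields are interpolated into `$usr_xml`, an XML payload for the ILIAS SOAP API, so the escaper has to produce well-formed XML text and nothing more; htmlReady is the HTML-display formatter, and any markup it adds beyond entity encoding (line-break tags, for instance — its body is not in this hunk) would corrupt the document or inject elements into the remote user record. Keep plain entity encoding with the encoding the value was just converted to: `$user_data[$key] = htmlspecialchars(studip_utf8encode($user_data[$key]), ENT_QUOTES, 'UTF-8');`. addUser continues beyond the hunk.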

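--- a/lib/evaluation/classes/EvaluationTreeShowUser.class.php
+++ b/lib/evaluation/classes/EvaluationTreeShowUser.class.php
@@ -521,7 +521,7 @@ function getQuestionContent( $question, $group ) {
 "<textarea".
 " name=\"freetexts[".$question->getObjectID()."]\"".
 " cols=\"60\" rows=\"".$answer->getRows()."\">".
-htmlspecialchars($freetexts[$question->getObjectID()]).
+htmlReady($freetexts[$question->getObjectID()]).
 "</textarea>".
 "</td>\n";
 }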
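Review bot: The escaped value sits between `<textarea>` and `</textarea>`, where browser semantics are plain text — the only thing that must be escaped is `</textarea` and `&`. If htmlReady converts line breaks into `<br>` tags (likely for a helper of that name; its definition is not in this hunk), a multi-line free-text answer is redisplayed with literal `<br />` strings and re-saved with them on the next submit, silently corrupting the stored answer. `htmlspecialchars(...)` was the correct call for this context; if htmlReady has a switch to disable its line-break handling, use that instead. getQuestionContent starts before and ends after this hunk.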

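--- a/lib/evaluation/classes/HTMLempty.class.php
+++ b/lib/evaluation/classes/HTMLempty.class.php
@@ -166,7 +166,7 @@ function createContent ($indent = 0) {
 $str .= "<".$this->getName();
 $attrib = $this->getAttr();
 foreach($attrib as $name => $value) {
-$str .= ' '.$name.'="'.htmlspecialchars($value).'"';
+$str .= ' '.$name.'="'.htmlReady($value).'"';
 }
 $str .= $this->_string;
 $str .= ">\n";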
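Review bot: This is a generic attribute serializer — `' '.$name.'="'.htmlReady($value).'"'` is emitted for every attribute of every element built through this class — so the escaper must be a pure attribute escaper; any formatting htmlReady applies on top of entity encoding (trimming, newline-to-tag conversion) would land inside `href`, `value`, `onclick` and the like and alter them. `htmlspecialchars($value, ENT_QUOTES)` is the right call here, and it would be worth a comment: `// attribute value context: entity-encode only, no HTML formatting`. Note that `$name` is concatenated unescaped on the same line and `$this->_string` on the line after, so attribute names and the raw suffix must never carry caller-controlled data — a constraint the docblock of createContent (outside this hunk) should state.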

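--- a/lib/phplib/layout_html.inc
+++ b/lib/phplib/layout_html.inc
@@ -668,7 +668,7 @@ class Layout {
 if ($HVSPACE) {
 $r.=sprintf($this->picture['HVSPACE'],$HVSPACE,$HVSPACE);
 }
-$r.=sprintf($this->picture['ALT'],HTMLSpecialChars($ALT));
+$r.=sprintf($this->picture['ALT'],htmlReady($ALT));
 $r.=sprintf($this->picture['WIDTH'],$WH[0]);
 $r.=sprintf($this->picture['HEIGHT'],$WH[1]);
 
@@ -845,7 +845,7 @@ $js
 function _debug ($fnname,&$val) {
 if ($this->Debug) {
 echo "<B>$fnname</B>:<BR><TT>".
-nl2br(HTMLSpecialChars($val)) .
+nl2br(htmlReady($val)) .
 "</TT><BR>";
 }
 }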
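Review bot: In `_debug` the value is still wrapped in `nl2br()` after htmlReady, which suggests the author of this file expected a pure escaper; if htmlReady already turns newlines into `<br>` tags, debug output now gets doubled line breaks, and the `$ALT` value in the first hunk feeds an `alt="…"` attribute template where added markup is wrong outright. lib/phplib is the bundled PHPLIB code, which the commit message says was to be left untouched as vendor area; reverting both lines to `HTMLSpecialChars(...)` keeps this file self-contained and independent of Stud.IP's visual helpers. Both enclosing methods extend beyond their hunks.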

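--- a/lib/phplib/of_text.inc
+++ b/lib/phplib/of_text.inc
@@ -27,9 +27,9 @@ class of_text extends of_element {
 $str = "";
 
 if (is_array($this->value))
-$v = htmlspecialchars($this->value[$which]);
+$v = htmlReady($this->value[$which]);
 else
-$v = htmlspecialchars($this->value);
+$v = htmlReady($this->value);
 $n = $this->name . ($this->multiple ? "[]" : "");
 $str .= "<input name='$n' value=\"$v\"";
 $str .= ($this->pass)? " type='password'" : " type='text'";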
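Review bot: `$v` is written into `value="$v"` of a text/password input on line 34, whose job is to round-trip the user's own value unchanged; an escaper that also reformats (trims, converts newlines, or whatever else htmlReady does beyond entity encoding — not visible here) silently changes what gets resubmitted. An attribute value needs exactly `htmlspecialchars($this->value, ENT_QUOTES)`, and this file is part of the bundled PHPLIB form library that the commit message says was meant to stay vendor-untouched. `$n` is still interpolated unescaped into `name='$n'` on the same line, which is pre-existing but worth a `// name must be a trusted field identifier` note. The method continues beyond the hunk.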

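--- a/lib/phplib/of_textarea.inc
+++ b/lib/phplib/of_textarea.inc
@@ -24,7 +24,7 @@ class of_textarea extends of_element {
 $str .= " wrap='$this->wrap'";
 if ($this->extrahtml)
 $str .= " $this->extrahtml";
-$str .= ">" . htmlspecialchars($this->value) ."</textarea>";
+$str .= ">" . htmlReady($this->value) ."</textarea>";
 
 $count = 1;
 return $str;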
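Review bot: The value here is the body of a `<textarea>`, which the browser treats as text; if htmlReady inserts `<br>` tags for newlines (its definition is not in this hunk, but that is what such helpers usually do), every multi-line value is shown and resubmitted with literal `<br />` text in it. `htmlspecialchars($this->value)` was the right escaper for a textarea body, and this is bundled PHPLIB form code that the commit message says was to be left alone. `$this->wrap` and `$this->extrahtml` on the preceding lines are interpolated raw — pre-existing, but they must only ever be set from trusted code, which a comment should say.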

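--- a/lib/phplib_local.inc.php
+++ b/lib/phplib_local.inc.php
@@ -92,7 +92,7 @@ function studip_default_exception_handler($exception) {
 echo $GLOBALS['template_factory']->render($template, $args);
 } catch (Exception $e) {
 ob_end_clean();
-echo 'Error: ' . htmlspecialchars($e->getMessage());
+echo 'Error: ' . htmlReady($e->getMessage());
 }
 exit;
 }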
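Review bot: This `catch` is the last-resort path taken when rendering the error template itself has failed, and it now depends on htmlReady from lib/visual.inc.php rather than a PHP builtin; if an exception escapes before that file is loaded (or the failure is in the includes themselves), the fallback dies with an undefined-function fatal and the original error is lost. A handler of last resort should use only builtins: `echo 'Error: ' . htmlspecialchars($e->getMessage(), ENT_QUOTES);`. Separately, echoing `$e->getMessage()` (and note `$e` is the rendering exception, not the original `$exception`) to the browser can leak paths and internals; logging it and printing a generic message would be the safer shape, though that predates this commit.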

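--- a/lib/plugins/engine/PluginEngine.class.php
+++ b/lib/plugins/engine/PluginEngine.class.php
@@ -161,7 +161,7 @@ public static function getURL($plugin, $params = array(), $cmd = 'show') {
 * @return a link to the current plugin with the additional $params
 */
 public static function getLink($plugin, $params = array(), $cmd = 'show') {
-return htmlspecialchars(self::getURL($plugin, $params, $cmd));
+return htmlReady(self::getURL($plugin, $params, $cmd));
 }
 
 /**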
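Review bot: getLink returns a URL intended for an `href` attribute, so it needs an attribute escaper, not the body-text formatter; if htmlReady trims, converts line breaks or applies other display transforms, plugin links get rewritten instead of merely escaped. `return htmlspecialchars(self::getURL($plugin, $params, $cmd), ENT_QUOTES);` is the precise form and also covers single-quoted attributes that the old flag-less call did not. The `@return` line above should say "the URL HTML-escaped for use as an attribute value", since the getURL/getLink distinction is exactly that.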

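--- a/lib/visual.inc.php
+++ b/lib/visual.inc.php
@@ -239,11 +239,11 @@ function jsReady ($what = "", $target = "overlib") {
 break;
 
 case "inline-single" :
-return htmlspecialchars(addcslashes($what, "\\'\n\r"));
+return htmlReady(addcslashes($what, "\\'\n\r"));
 case "inline-double" :
 break;
 
-return htmlspecialchars(addcslashes($what, "\\\"\n\r"));
+return htmlReady(addcslashes($what, "\\\"\n\r"));
 break;
 
 case "contact" :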
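Review bot: The two `inline-*` branches produce a JavaScript string literal for an inline event-handler attribute, so the outer escaper must neutralise both quote characters (`'` for inline-single in particular) and add nothing else; whether htmlReady, defined elsewhere in this same file, passes ENT_QUOTES and whether it appends markup is not visible in this hunk, and the old bare `htmlspecialchars()` left `'` unescaped, which is the actual bug to close here. The addcslashes step has already turned real newlines into the two-character `\n`, so newline conversion would be harmless, but any tag insertion or trimming would corrupt the literal. Make the contract explicit above the branches: `// JS-escape first, then attribute-escape (both quote styles) so the result is safe inside onclick="…"/onclick='…'`.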

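--- a/public/eval_summary_export.php
+++ b/public/eval_summary_export.php
@@ -96,7 +96,7 @@ function freetype_answers ($parent_id, $anz_nutzer) {
 $counter++;
 fputs($fo_file," <fo:table-row>\n");
 // fputs($fo_file," <fo:table-cell ><fo:block font-size=\"8pt\">".$counter.". ".htmlspecialchars($db_answers->f("text"))."</fo:block></fo:table-cell>\n");
-fputs($fo_file," <fo:table-cell ><fo:block font-size=\"8pt\">".$counter.". ".preg_replace($pattern,$replace,smile(htmlspecialchars($answer),TRUE))."</fo:block></fo:table-cell>\n");
+fputs($fo_file," <fo:table-cell ><fo:block font-size=\"8pt\">".$counter.". ".preg_replace($pattern,$replace,smile(htmlReady($answer),TRUE))."</fo:block></fo:table-cell>\n");
 fputs($fo_file," </fo:table-row>\n");
 }
 fputs($fo_file," <fo:table-row>\n");
@@ -172,7 +172,7 @@ function answers ($parent_id, $anz_nutzer, $question_type) {
 $prozente_wo_residual = 0;
 if ($has_residual && ($answers_sum-$has_residual)>0) $prozente_wo_residual = ROUND($answer_counter*100/($anz_nutzer-$has_residual));
 $edit .= " <fo:table-row>\n";
-$edit .= " <fo:table-cell ><fo:block font-size=\"8pt\">".$antwort_nummer.". ".preg_replace($pattern,$replace,smile(htmlspecialchars(($answer['text']!="" ? $answer['text'] : $answer['value'])),TRUE))."</fo:block></fo:table-cell>\n";
+$edit .= " <fo:table-cell ><fo:block font-size=\"8pt\">".$antwort_nummer.". ".preg_replace($pattern,$replace,smile(htmlReady(($answer['text']!="" ? $answer['text'] : $answer['value'])),TRUE))."</fo:block></fo:table-cell>\n";
 
 if ($has_residual) $edit .= " <fo:table-cell ><fo:block font-size=\"8pt\">".$answer_counter." (".$prozente."%) ".($answer['residual'] == 0 ? "(".$prozente_wo_residual."%)*" : "" )."</fo:block></fo:table-cell>\n";
 else $edit .= " <fo:table-cell ><fo:block font-size=\"8pt\">".$answer_counter." (".$prozente."%)</fo:block></fo:table-cell>\n";
@@ -260,7 +260,7 @@ function groups ($parent_id) {
 fputs($fo_file," <!-- Groupblock -->\n");
 fputs($fo_file," <fo:block font-variant=\"small-caps\" font-weight=\"bold\" text-align=\"start\" space-after.optimum=\"2pt\" background-color=\"lightblue\" space-before.optimum=\"10pt\">\n");
 if (do_template("show_group_headline"))
-fputs($fo_file," ".$global_counter.". ".preg_replace($pattern,$replace,smile(htmlspecialchars($group['title']),TRUE))."\n");
+fputs($fo_file," ".$global_counter.". ".preg_replace($pattern,$replace,smile(htmlReady($group['title']),TRUE))."\n");
 fputs($fo_file," </fo:block>\n");
 } else {
 $local_counter += 1;
@@ -272,7 +272,7 @@ function groups ($parent_id) {
 fputs($fo_file," <!-- Questionblock -->\n");
 fputs($fo_file," <fo:block font-variant=\"small-caps\" font-weight=\"bold\" text-align=\"start\" background-color=\"grey\" color=\"white\" space-after.optimum=\"10pt\">\n");
 if (do_template("show_questionblock_headline"))
-fputs($fo_file," ".$global_counter.".".$local_counter.". ".preg_replace($pattern,$replace,smile(htmlspecialchars($group['title']),TRUE))."\n");
+fputs($fo_file," ".$global_counter.".".$local_counter.". ".preg_replace($pattern,$replace,smile(htmlReady($group['title']),TRUE))."\n");
 fputs($fo_file," </fo:block>\n");
 }
 
@@ -293,7 +293,7 @@ function groups ($parent_id) {
 fputs($fo_file," <!-- Question -->\n");
 fputs($fo_file," <fo:block text-align=\"start\" font-weight=\"bold\" space-before.optimum=\"10pt\" space-after.optimum=\"10pt\">\n");
 if (do_template("show_questions")) {
-fputs($fo_file," ".$global_counter.".".$local_counter.".".$local_question_counter.". ".preg_replace($pattern,$replace,smile(htmlspecialchars($question['text']),TRUE))."\n");
+fputs($fo_file," ".$global_counter.".".$local_counter.".".$local_question_counter.". ".preg_replace($pattern,$replace,smile(htmlReady($question['text']),TRUE))."\n");
 }
 fputs($fo_file," </fo:block>\n");
 fputs($fo_file," <!-- table start -->\n");
@@ -383,7 +383,7 @@ function groups ($parent_id) {
 fputs($fo_file," </fo:block></fo:table-cell >");
 foreach ($questions["antwort_texte"] as $k2=>$v2) { // 1. Unterebene, hier sind die Antworttexte abgelegt
 fputs($fo_file," <fo:table-cell ><fo:block space-before.optimum=\"10pt\" font-size=\"7pt\">\n");
-fputs($fo_file, preg_replace($pattern,$replace,smile(htmlspecialchars($v2),TRUE)));
+fputs($fo_file, preg_replace($pattern,$replace,smile(htmlReady($v2),TRUE)));
 fputs($fo_file," </fo:block></fo:table-cell >");
 }
 
@@ -561,14 +561,14 @@ function groups ($parent_id) {
 fputs($fo_file," <!-- this defines a title level 2-->\n");
 
 fputs($fo_file," <fo:block font-size=\"16pt\" font-weight=\"bold\" font-family=\"sans-serif\" space-before.optimum=\"10pt\" space-after.optimum=\"15pt\" text-align=\"center\">\n");
-fputs($fo_file," ".preg_replace($pattern,$replace,smile(htmlspecialchars($evaluation['title']),TRUE))."\n");
+fputs($fo_file," ".preg_replace($pattern,$replace,smile(htmlReady($evaluation['title']),TRUE))."\n");
 fputs($fo_file," </fo:block>\n");
 fputs($fo_file," <fo:block text-align=\"start\" line-height=\"10pt\" font-size=\"8pt\">\n");
 fputs($fo_file, _("Diese Evaluation ist folgenden Bereichen zugeordnet:"));
 fputs($fo_file," </fo:block>\n");
 foreach($eval_ranges_names as $n) {
 fputs($fo_file," <fo:block text-align=\"start\" margin-left=\"0.5cm\" line-height=\"10pt\" font-size=\"8pt\">\n");
-fputs($fo_file, htmlspecialchars($n));
+fputs($fo_file, htmlReady($n));
 fputs($fo_file," </fo:block>\n");
 }
 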
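--- a/public/freie.php
+++ b/public/freie.php
@@ -158,7 +158,7 @@ function print_seminar_content($semid,$my_sem_values) {
 if (isset($nav) && $nav->isVisible(true)) {
 // need to use strtr() here to deal with seminar_main craziness
 $url = 'seminar_main.php?auswahl='.$semid.'&redirect_to='.strtr($nav->getURL(), '?', '&');
-printf(' <a href="%s"><img ', htmlspecialchars($url));
+printf(' <a href="%s"><img ', htmlReady($url));
 foreach ($nav->getImage() as $key => $value) {
 foreach ($nav->getImage() as $key => $value) {
 printf('%s="%s" ', $key, htmlReady($value));
 }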
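Review bot: `$url` goes into an `href` attribute, so the escaper must not reformat it; if htmlReady does more than entity-encode (trimming, newline conversion), the assembled `seminar_main.php?…&redirect_to=…` link can be altered rather than escaped, and `htmlspecialchars($url, ENT_QUOTES)` is the precise call for an attribute value. The attribute loop that follows already used htmlReady for `$value` before this commit, which is presumably why the change looked consistent — but `$key` on that line is still printed raw as the attribute name, so getImage() keys must be trusted constants; a comment saying so would help. print_seminar_content starts before and ends after the hunk.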

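--- a/public/index.php
+++ b/public/index.php
@@ -142,7 +142,7 @@
 <? if (is_internal_url($url = $nav->getURL())) : ?>
 <a href="<?= URLHelper::getLink($url) ?>">
 <? else : ?>
-<a href="<?= htmlspecialchars($url) ?>" target="_blank">
+<a href="<?= htmlReady($url) ?>" target="_blank">
 <? endif ?>
 <?= htmlReady($nav->getTitle()) ?></a>
 <? $pos = 0 ?>
@@ -153,7 +153,7 @@
 <? if (is_internal_url($url = $subnav->getURL())) : ?>
 <a href="<?= URLHelper::getLink($url) ?>">
 <? else : ?>
-<a href="<?= htmlspecialchars($url) ?>" target="_blank">
+<a href="<?= htmlReady($url) ?>" target="_blank">
 <? endif ?>
 <?= htmlReady($subnav->getTitle()) ?></a>
 </font>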
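Review bot: The `else` branch is taken for every URL that is not internal, which includes `javascript:` and `data:` values — neither htmlspecialchars nor htmlReady blocks a scheme, only encodes characters — so a navigation entry with such a URL becomes an executable link; where these entries come from (config, plugins, user-editable data) is not visible here, but a scheme allowlist at this point costs one condition, e.g. `<? elseif (preg_match('#^https?://#i', $url)) : ?>`, with a non-matching URL rendered as plain text. Because it is an attribute value, `htmlspecialchars($url, ENT_QUOTES)` is also the more precise escaper than the body-text formatter, in case htmlReady trims or reformats. The `target="_blank"` anchors should carry `rel="noopener noreferrer"`.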
