From 60181dfb652fcd5856ed544bde3634fd67eb58dc Mon Sep 17 00:00:00 2001
From: =?utf8?q?Rapha=C3=ABl=20Barrois?=
Date: Mon, 18 Nov 2013 23:29:02 +0100
Subject: [PATCH] Properly fix htmlspecialchars.

---
 include/HTTP/WebDAV/Server.php | 8 ++++----
 include/Text/Wiki/Parse/Default/Heading.php | 4 ++--
 include/Text/Wiki/Render/Latex/Wikilink.php | 8 ++++----
 include/Text/Wiki/Render/Xhtml/Function.php | 18 +++++++++---------
 include/Text/Wiki/Render/Xhtml/Image.php | 12 ++++++------
 include/Text/Wiki/Render/Xhtml/Interwiki.php | 6 +++---
 include/Text/Wiki/Render/Xhtml/Phplookup.php | 8 ++++----
 include/Text/Wiki/Render/Xhtml/Url.php | 10 +++++-----
 include/Text/Wiki/Render/Xhtml/Wikilink.php | 8 ++++----
 include/admin/edit.php | 2 +-
 include/diogenes/diogenes.core.page.inc.php | 2 +-
 11 files changed, 43 insertions(+), 43 deletions(-)

diff --git a/include/HTTP/WebDAV/Server.php b/include/HTTP/WebDAV/Server.php
index 3caf13f..c855194 100644
--- a/include/HTTP/WebDAV/Server.php
+++ b/include/HTTP/WebDAV/Server.php
@@ -653,7 +653,7 @@ class HTTP_WebDAV_Server
 break;
 default:
 echo " "
- . $this->_prop_encode(htmlspecialchars($prop['val']))
+ . $this->_prop_encode(htmlspecialchars($prop['val'], ENT_COMPAT | ENT_HTML401, "ISO-8859-1"))
 . "\n";
 break;
 }
@@ -661,11 +661,11 @@ class HTTP_WebDAV_Server
 // properties from namespaces != "DAV:" or without any namespace
 if ($prop["ns"]) {
 echo " <" . $ns_hash[$prop["ns"]] . ":$prop[name]>"
- . $this->_prop_encode(htmlspecialchars($prop['val']))
+ . $this->_prop_encode(htmlspecialchars($prop['val'], ENT_COMPAT | ENT_HTML401, "ISO-8859-1"))
 . "\n";
 } else {
 echo " <$prop[name] xmlns=\"\">"
- . $this->_prop_encode(htmlspecialchars($prop['val']))
+ . $this->_prop_encode(htmlspecialchars($prop['val'], ENT_COMPAT | ENT_HTML401, "ISO-8859-1"))
 . "\n";
 }
 }
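Review bot: The three new `htmlspecialchars(..., ENT_COMPAT | ENT_HTML401, "ISO-8859-1")` calls in these hunks escape property values for an XML response body, so the dialect flag that matches the output is `ENT_XML1`, which arrived in the same PHP 5.4 release as `ENT_HTML401`; for `<`, `>`, `&` and `"` both produce identical entities, so this is about stating the right context rather than changing output. The pinned charset is presumably the actual fix (PHP 5.4 switched the default to UTF-8 and returns an empty string for byte sequences that are not valid UTF-8, which would silently blank a property value), and that reasoning belongs next to the first call so nobody "cleans it up" later, e.g. `// charset pinned: PHP >= 5.4 defaults to UTF-8 and returns '' on invalid byte sequences`. Because ISO-8859-1 accepts every byte, UTF-8 values now pass through unchanged and the document's declared encoding rests entirely on `_prop_encode`, which is outside this hunk. The enclosing method starts and ends outside the hunk.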
@@ -748,7 +748,7 @@ class HTTP_WebDAV_Server
 if ($responsedescr) {
 echo " ".
- $this->_prop_encode(htmlspecialchars($responsedescr)).
+ $this->_prop_encode(htmlspecialchars($responsedescr, ENT_COMPAT | ENT_HTML401, "ISO-8859-1")).
 "\n";
 }
diff --git a/include/Text/Wiki/Parse/Default/Heading.php b/include/Text/Wiki/Parse/Default/Heading.php
index ae0f1fd..4a42e3a 100644
--- a/include/Text/Wiki/Parse/Default/Heading.php
+++ b/include/Text/Wiki/Parse/Default/Heading.php
@@ -81,7 +81,7 @@ class Text_Wiki_Parse_Heading extends Text_Wiki_Parse {
 $id = 0;
 }
- $prefix = htmlspecialchars($this->getConf('id_prefix'));
+ $prefix = htmlspecialchars($this->getConf('id_prefix'), ENT_COMPAT | ENT_HTML401, "ISO-8859-1");
 $start = $this->wiki->addToken(
 $this->rule,
@@ -104,4 +104,4 @@ class Text_Wiki_Parse_Heading extends Text_Wiki_Parse {
 return $start . $matches[2] . $end . "\n";
 }
 }
-?>
\ No newline at end of file
+?>
diff --git a/include/Text/Wiki/Render/Latex/Wikilink.php b/include/Text/Wiki/Render/Latex/Wikilink.php
index 3cf33a6..41f1b4b 100644
--- a/include/Text/Wiki/Render/Latex/Wikilink.php
+++ b/include/Text/Wiki/Render/Latex/Wikilink.php
@@ -38,9 +38,9 @@ class Text_Wiki_Render_Latex_Wikilink extends Text_Wiki_Render {
 // convert *after* checking against page names so as not to mess
 // up what the user typed and what we're checking.
- $page = htmlspecialchars($page);
- $anchor = htmlspecialchars($anchor);
- $text = htmlspecialchars($text);
+ $page = htmlspecialchars($page, ENT_COMPAT | ENT_HTML401, "ISO-8859-1");
+ $anchor = htmlspecialchars($anchor, ENT_COMPAT | ENT_HTML401, "ISO-8859-1");
+ $text = htmlspecialchars($text, ENT_COMPAT | ENT_HTML401, "ISO-8859-1");
 $href = $this->getConf('view_url');
@@ -57,4 +57,4 @@ class Text_Wiki_Render_Latex_Wikilink extends Text_Wiki_Render {
 return "$text\\footnote\{$href}";
 }
 }
-?>
\ No newline at end of file
+?>
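Review bot: `htmlspecialchars` is the wrong escaper for the Latex/Wikilink.php hunk: the three re-assigned values end up in LaTeX source (`return "$text\\footnote\{$href}";` in the next hunk), so an `&`, `<` or `>` in a page name or link text is emitted as a literal `&amp;`, `&lt;` or `&gt;` in the .tex output, while `&` is a LaTeX special character that would need `\&` anyway. The commit only pins the charset here, so the mismatch is pre-existing and presumably inherited from upstream Text_Wiki, but since these lines are being touched it is the moment to either switch to a LaTeX-specific escape (a `str_replace` over `\`, `&`, `%`, `$`, `#`, `_`, `{`, `}`) or at least record the limitation: `// NOTE: HTML entity escaping in a LaTeX renderer; '&', '<', '>' will appear as entities in the .tex output`. The method containing these assignments begins before the hunk.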
diff --git a/include/Text/Wiki/Render/Xhtml/Function.php b/include/Text/Wiki/Render/Xhtml/Function.php
index fff37c1..c4ac858 100644
--- a/include/Text/Wiki/Render/Xhtml/Function.php
+++ b/include/Text/Wiki/Render/Xhtml/Function.php
@@ -40,9 +40,9 @@ class Text_Wiki_Render_Xhtml_Function extends Text_Wiki_Render {
 // build the baseline output
 $output = $this->conf['format_main'];
- $output = str_replace('%access', htmlspecialchars($access), $output);
- $output = str_replace('%return', htmlspecialchars($return), $output);
- $output = str_replace('%name', htmlspecialchars($name), $output);
+ $output = str_replace('%access', htmlspecialchars($access, ENT_COMPAT | ENT_HTML401, "ISO-8859-1"), $output);
+ $output = str_replace('%return', htmlspecialchars($return, ENT_COMPAT | ENT_HTML401, "ISO-8859-1"), $output);
+ $output = str_replace('%name', htmlspecialchars($name, ENT_COMPAT | ENT_HTML401, "ISO-8859-1"), $output);
 // build the set of params
 $list = array();
@@ -56,9 +56,9 @@ class Text_Wiki_Render_Xhtml_Function extends Text_Wiki_Render {
 }
 // add the param elements
- $tmp = str_replace('%type', htmlspecialchars($val['type']), $tmp);
- $tmp = str_replace('%descr', htmlspecialchars($val['descr']), $tmp);
- $tmp = str_replace('%default', htmlspecialchars($val['default']), $tmp);
+ $tmp = str_replace('%type', htmlspecialchars($val['type'], ENT_COMPAT | ENT_HTML401, "ISO-8859-1"), $tmp);
+ $tmp = str_replace('%descr', htmlspecialchars($val['descr'], ENT_COMPAT | ENT_HTML401, "ISO-8859-1"), $tmp);
+ $tmp = str_replace('%default', htmlspecialchars($val['default'], ENT_COMPAT | ENT_HTML401, "ISO-8859-1"), $tmp);
 $list[] = $tmp;
 }
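Review bot: The flag-and-charset triple is now spelled out six times across these two hunks (and in every other renderer in the patch), which is exactly the kind of literal that drifts when one site is later moved to UTF-8 and a few call sites are missed; the escaping policy should live in one place. A local wrapper at the top of the method keeps the diff small — `$esc = function ($s) { return htmlspecialchars($s, ENT_COMPAT | ENT_HTML401, 'ISO-8859-1'); };` and then `$esc($access)`, `$esc($val['type'])` and so on — and a protected `escape()` on the Text_Wiki_Render base class would be the cleaner long-term home if that file is in scope. Whichever form is chosen, a one-line comment on the first call explaining why the charset is pinned (PHP 5.4 changed the default to UTF-8 and returns '' for invalid input) would let the intent survive the next refactor. The method these hunks belong to starts and ends outside them.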
@@ -70,8 +70,8 @@ class Text_Wiki_Render_Xhtml_Function extends Text_Wiki_Render { $list = array(); foreach ($throws as $key => $val) { $tmp = $this->conf['format_throws']; - $tmp = str_replace('%type', htmlspecialchars($val['type']), $tmp); - $tmp = str_replace('%descr', htmlspecialchars($val['descr']), $tmp); + $tmp = str_replace('%type', htmlspecialchars($val['type'], ENT_COMPAT | ENT_HTML401, "ISO-8859-1"), $tmp); + $tmp = str_replace('%descr', htmlspecialchars($val['descr'], ENT_COMPAT | ENT_HTML401, "ISO-8859-1"), $tmp); $list[] = $tmp; } @@ -84,4 +84,4 @@ class Text_Wiki_Render_Xhtml_Function extends Text_Wiki_Render { return "\n$output\n\n"; } } -?> \ No newline at end of file +?> diff --git a/include/Text/Wiki/Render/Xhtml/Image.php b/include/Text/Wiki/Render/Xhtml/Image.php index 4318c84..fed5a7f 100644 --- a/include/Text/Wiki/Render/Xhtml/Image.php +++ b/include/Text/Wiki/Render/Xhtml/Image.php @@ -108,7 +108,7 @@ class Text_Wiki_Render_Xhtml_Image extends Text_Wiki_Render { } // start the HTML output - $output = 'formatConf(' class="%s"', 'css'); @@ -128,14 +128,14 @@ class Text_Wiki_Render_Xhtml_Image extends Text_Wiki_Render { $css = null; } - $key = htmlspecialchars($key); - $val = htmlspecialchars($val); + $key = htmlspecialchars($key, ENT_COMPAT | ENT_HTML401, "ISO-8859-1"); + $val = htmlspecialchars($val, ENT_COMPAT | ENT_HTML401, "ISO-8859-1"); $output .= " $key=\"$val\""; } // always add an "alt" attribute per Stephane Solliec if (! $alt) { - $alt = htmlspecialchars(basename($options['src'])); + $alt = htmlspecialchars(basename($options['src']), ENT_COMPAT | ENT_HTML401, "ISO-8859-1"); $output .= " alt=\"$alt\""; } 
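Review bot: In the second Image.php hunk `$key` is used as an attribute name (`" $key=\"$val\""`), and `htmlspecialchars` leaves whitespace and `=` untouched, so unless the option keys are already restricted to a fixed list before this loop (not visible in the hunk), a key containing a space or `=` still produces an extra attribute of the attacker's choosing; the new arguments change nothing about that. A check at the top of the loop body closes it independently of the parser: `if (!preg_match('/^[a-z][a-z0-9-]*$/i', $key)) { continue; }`. The `alt` fallback built from `basename($options['src'])` is escaped correctly as written. The loop and the enclosing method start before this hunk.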
@@ -145,7 +145,7 @@ class Text_Wiki_Render_Xhtml_Image extends Text_Wiki_Render { // was the image clickable? if ($href) { // yes, add the href and return - $href = htmlspecialchars($href); + $href = htmlspecialchars($href, ENT_COMPAT | ENT_HTML401, "ISO-8859-1"); $css = $this->formatConf(' class="%s"', 'css_link'); $output = "$output"; } @@ -153,4 +153,4 @@ class Text_Wiki_Render_Xhtml_Image extends Text_Wiki_Render { return $output; } } -?> \ No newline at end of file +?> diff --git a/include/Text/Wiki/Render/Xhtml/Interwiki.php b/include/Text/Wiki/Render/Xhtml/Interwiki.php index 30b363e..90ffbf8 100644 --- a/include/Text/Wiki/Render/Xhtml/Interwiki.php +++ b/include/Text/Wiki/Render/Xhtml/Interwiki.php @@ -53,7 +53,7 @@ class Text_Wiki_Render_Xhtml_Interwiki extends Text_Wiki_Render { $target = $this->getConf('target'); // build base link - $text = htmlspecialchars($text); + $text = htmlspecialchars($text, ENT_COMPAT | ENT_HTML401, "ISO-8859-1"); $output = " \ No newline at end of file +?> diff --git a/include/Text/Wiki/Render/Xhtml/Phplookup.php b/include/Text/Wiki/Render/Xhtml/Phplookup.php index 91b2598..0be4c15 100644 --- a/include/Text/Wiki/Render/Xhtml/Phplookup.php +++ b/include/Text/Wiki/Render/Xhtml/Phplookup.php @@ -36,7 +36,7 @@ class Text_Wiki_Render_Xhtml_Phplookup extends Text_Wiki_Render { if ($target) { // use a "popup" window. this is XHTML compliant, suggested by // Aaron Kalin. uses the $target as the new window name. - $target = htmlspecialchars($target); + $target = htmlspecialchars($target, ENT_COMPAT | ENT_HTML401, "ISO-8859-1"); $output .= " onclick=\"window.open(this.href, '$target');"; $output .= " return false;\""; } 
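Review bot: In the Phplookup.php hunk `$target` is interpolated into a JavaScript string literal (`window.open(this.href, '$target')`) and `ENT_COMPAT` leaves `'` alone, so a single quote in the target name terminates the JS string; the surrounding HTML attribute is protected by the `"` escaping, the JS context inside it is not, and `ENT_QUOTES` would not help because the browser decodes `&#039;` back to `'` before the script runs. Where the value comes from is outside this hunk (the Interwiki hunk above reads its `$target` from `getConf('target')`, so this is presumably configuration rather than user input), but escaping for the inner context first is a one-line change: `$target = htmlspecialchars(addcslashes($target, "\\'\r\n"), ENT_COMPAT | ENT_HTML401, "ISO-8859-1");`. The enclosing method begins before the hunk.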
@@ -48,12 +48,12 @@ class Text_Wiki_Render_Xhtml_Phplookup extends Text_Wiki_Render { $q = $text; } - $q = htmlspecialchars($q); - $text = htmlspecialchars($text); + $q = htmlspecialchars($q, ENT_COMPAT | ENT_HTML401, "ISO-8859-1"); + $text = htmlspecialchars($text, ENT_COMPAT | ENT_HTML401, "ISO-8859-1"); // finish and return $output .= " href=\"http://php.net/$q\">$text"; return $output; } } -?> \ No newline at end of file +?> diff --git a/include/Text/Wiki/Render/Xhtml/Url.php b/include/Text/Wiki/Render/Xhtml/Url.php index 6fe3f05..469d1e4 100644 --- a/include/Text/Wiki/Render/Xhtml/Url.php +++ b/include/Text/Wiki/Render/Xhtml/Url.php @@ -37,7 +37,7 @@ class Text_Wiki_Render_Xhtml_Url extends Text_Wiki_Render { // extension. $pos = strrpos($href, '.'); $ext = strtolower(substr($href, $pos + 1)); - $href = htmlspecialchars($href); + $href = htmlspecialchars($href, ENT_COMPAT | ENT_HTML401, "ISO-8859-1"); // does the filename extension indicate an image file? if ($this->getConf('images') && @@ -46,7 +46,7 @@ class Text_Wiki_Render_Xhtml_Url extends Text_Wiki_Render { // create alt text for the image if (! isset($text) || $text == '') { $text = basename($href); - $text = htmlspecialchars($text); + $text = htmlspecialchars($text, ENT_COMPAT | ENT_HTML401, "ISO-8859-1"); } // generate an image tag @@ -67,14 +67,14 @@ class Text_Wiki_Render_Xhtml_Url extends Text_Wiki_Render { } // generate a regular link (not an image) - $text = htmlspecialchars($text); + $text = htmlspecialchars($text, ENT_COMPAT | ENT_HTML401, "ISO-8859-1"); $css = $this->formatConf(' class="%s"', "css_$type"); $output = " \ No newline at end of file +?> diff --git a/include/Text/Wiki/Render/Xhtml/Wikilink.php b/include/Text/Wiki/Render/Xhtml/Wikilink.php index e5815c8..81487a0 100644 --- a/include/Text/Wiki/Render/Xhtml/Wikilink.php +++ b/include/Text/Wiki/Render/Xhtml/Wikilink.php 
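Review bot: In the second Url.php hunk `$text = basename($href)` operates on a value the first hunk has already passed through `htmlspecialchars`, and the result is escaped again on the following line, so an `&` in an image file name reaches the alt attribute as `&amp;amp;` and a `"` as `&amp;quot;`. Keep an unescaped copy and derive the alt text from it — `$rawHref = $href;` just before the first `htmlspecialchars` call, then `$text = basename($rawHref);` here — or, if touching the first hunk is unwanted, pass `false` as the fourth argument (`double_encode`) on this one call so existing entities are not re-encoded. The enclosing method begins before the first hunk.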
@@ -59,9 +59,9 @@ class Text_Wiki_Render_Xhtml_Wikilink extends Text_Wiki_Render { // convert *after* checking against page names so as not to mess // up what the user typed and what we're checking. - $page = htmlspecialchars($page); - $anchor = htmlspecialchars($anchor); - $text = htmlspecialchars($text); + $page = htmlspecialchars($page, ENT_COMPAT | ENT_HTML401, "ISO-8859-1"); + $anchor = htmlspecialchars($anchor, ENT_COMPAT | ENT_HTML401, "ISO-8859-1"); + $text = htmlspecialchars($text, ENT_COMPAT | ENT_HTML401, "ISO-8859-1"); // does the page exist? if ($exists) { @@ -134,4 +134,4 @@ class Text_Wiki_Render_Xhtml_Wikilink extends Text_Wiki_Render { return $output; } } -?> \ No newline at end of file +?> diff --git a/include/admin/edit.php b/include/admin/edit.php index 510c70a..d0a54d5 100644 --- a/include/admin/edit.php +++ b/include/admin/edit.php @@ -54,7 +54,7 @@ $page->assign('dir',$dir); $page->assign('file',$file); $page->assign('source',__("File source")); $page->assign('msg_log',__("log message")); -$page->assign('file_content',htmlspecialchars(file_get_contents($myfile), ENT_NOQUOTES)); +$page->assign('file_content',htmlspecialchars(file_get_contents($myfile), ENT_COMPAT | ENT_HTML401, "ISO-8859-1")); $page->assign('submit',__("Submit")); // menu for stylesheet replacement diff --git a/include/diogenes/diogenes.core.page.inc.php b/include/diogenes/diogenes.core.page.inc.php index 9113ba1..46529b1 100644 --- a/include/diogenes/diogenes.core.page.inc.php +++ b/include/diogenes/diogenes.core.page.inc.php @@ -280,7 +280,7 @@ function diogenes_func_flags($params) $subset = str_replace('\'\'', '\'', str_replace('\\\\', '\\', $subset)); $html_out .= "\n"; + . ">".(isset($trans) ? $trans[$subset] : htmlspecialchars($subset, ENT_COMPAT | ENT_HTML401, "ISO-8859-1"))."\n"; } // if we have a name, display closing select tag -- 2.1.4
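Review bot: The admin/edit.php line changes the quote handling from `ENT_NOQUOTES` to `ENT_COMPAT` as a side effect of pinning the charset, and neither the commit message nor a comment says whether that was intended: double quotes in the edited file now reach the `file_content` template variable as `&quot;`. That is harmless if the template places the value in a `<textarea>` or element text, where the browser decodes it, but if only the charset was meant to change, `ENT_NOQUOTES | ENT_HTML401` keeps the previous behaviour exactly; a short comment on whichever choice is made would settle it. A `false` from `file_get_contents` on an unreadable path still flows through as an empty string, which this commit does not change.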
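Review bot: On the new diogenes.core.page.inc.php line `$trans[$subset]` is emitted without any escaping and without checking that the key exists, so a translation table that lacks `$subset` raises an undefined-index notice and renders an empty option label, and a translated label containing `<` or `&` is injected raw; only the fallback branch benefits from the new `htmlspecialchars` arguments. Testing the entry rather than the array fixes both in place: `isset($trans[$subset]) ? htmlspecialchars($trans[$subset], ENT_COMPAT | ENT_HTML401, "ISO-8859-1") : htmlspecialchars($subset, ENT_COMPAT | ENT_HTML401, "ISO-8859-1")` (drop the inner escape only if translations are known to be pre-escaped HTML). This hunk looks truncated in this rendering — the `<option` tag text and the removed line are missing — and `diogenes_func_flags` continues outside it.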