Changeset 185

Timestamp:

Jun 24, 2006 11:02:54 PM (18 years ago)

Author:

scdev

Message:

Q - added oTxt() around all printed PHP_SELFs to avoid XSS attack. See: ​http://blog.phpdoc.info/archives/13-XSS-Woes.html

Files:

• branches/1.1dev/bin/module_maker/list_template.cli.php (modified) (1 diff)
• branches/1.1dev/bin/module_maker/module.cli.php (modified) (1 diff)
• branches/1.1dev/bin/module_maker/skel/adm_list.ihtml (modified) (2 diffs)
• branches/1.1dev/lib/PEdit.inc.php (modified) (1 diff)
• branches/1.1dev/templates/adm_admin_form.ihtml (modified) (1 diff)
• branches/1.1dev/templates/adm_admin_list.ihtml (modified) (1 diff)
• branches/1.1dev/templates/adm_log_list.ihtml (modified) (1 diff)
• branches/1.1dev/templates/adm_login_form.ihtml (modified) (1 diff)
• branches/1.1dev/templates/adm_record_lock.ihtml (modified) (1 diff)
• branches/1.1dev/templates/adm_record_version_list.ihtml (modified) (1 diff)
• branches/1.1dev/templates/login_form.ihtml (modified) (1 diff)
• branches/1.1dev/templates/passwd.ihtml (modified) (1 diff)
• tags/2.0.2/bin/module_maker/list_template.cli.php (modified) (2 diffs)
• tags/2.0.2/bin/module_maker/module.cli.php (modified) (1 diff)
• tags/2.0.2/bin/module_maker/skel/adm_list.ihtml (modified) (2 diffs)
• tags/2.0.2/lib/PEdit.inc.php (modified) (1 diff)
• tags/2.0.2/lib/RecordLock.inc.php (modified) (1 diff)
• tags/2.0.2/services/templates/admin_form.ihtml (modified) (1 diff)
• tags/2.0.2/services/templates/admin_list.ihtml (modified) (1 diff)
• tags/2.0.2/services/templates/lock.ihtml (modified) (1 diff)
• tags/2.0.2/services/templates/log_list.ihtml (modified) (1 diff)
• tags/2.0.2/services/templates/login_form.ihtml (modified) (1 diff)
• tags/2.0.2/services/templates/password.ihtml (modified) (1 diff)
• tags/2.0.2/services/templates/versions_list.ihtml (modified) (1 diff)
• trunk/bin/module_maker/list_template.cli.php (modified) (2 diffs)
• trunk/bin/module_maker/module.cli.php (modified) (1 diff)
• trunk/bin/module_maker/skel/adm_list.ihtml (modified) (2 diffs)
• trunk/lib/Lock.inc.php (modified) (1 diff)
• trunk/lib/Navigation.inc.php (modified) (2 diffs)
• trunk/lib/PEdit.inc.php (modified) (1 diff)
• trunk/services/templates/admin_form.ihtml (modified) (1 diff)
• trunk/services/templates/admin_list.ihtml (modified) (1 diff)
• trunk/services/templates/lock.ihtml (modified) (1 diff)
• trunk/services/templates/log_list.ihtml (modified) (1 diff)
• trunk/services/templates/login_form.ihtml (modified) (1 diff)
• trunk/services/templates/password.ihtml (modified) (1 diff)
• trunk/services/templates/versions_list.ihtml (modified) (1 diff)

branches/1.1dev/bin/module_maker/list_template.cli.php

@@ -104 +104 @@
 
 <\x3fphp include 'form_error_header.ihtml'; \x3f>
-<form action="<\x3fphp echo \$_SERVER['PHP_SELF']; \x3f>" method="post">
+<form action="<\x3fphp echo oTxt(\$_SERVER['PHP_SELF']); \x3f>" method="post">
 <\x3fphp printHiddenSession(false); \x3f>
 

branches/1.1dev/bin/module_maker/module.cli.php

@@ -248 +248 @@
 $search['admin_form_tag_init'] = '/%ADMIN_FORM_TAG_INIT%/';
 if ($multipart_form_required) {
-    $replace['admin_form_tag_init'] = "<form enctype=\"multipart/form-data\" method=\"post\" action=\"<\x3fphp echo \$_SERVER['PHP_SELF']; \x3f>\">\n<input type=\"hidden\" name=\"MAX_FILE_SIZE\" value=\"12000000\">";
-} else {
-    $replace['admin_form_tag_init'] = "<form method=\"post\" action=\"<\x3fphp echo \$_SERVER['PHP_SELF']; \x3f>\">";
+    $replace['admin_form_tag_init'] = "<form enctype=\"multipart/form-data\" method=\"post\" action=\"<\x3fphp echo oTxt(\$_SERVER['PHP_SELF']); \x3f>\">\n<input type=\"hidden\" name=\"MAX_FILE_SIZE\" value=\"12000000\">";
+} else {
+    $replace['admin_form_tag_init'] = "<form method=\"post\" action=\"<\x3fphp echo oTxt(\$_SERVER['PHP_SELF']); \x3f>\">";
 }
 

branches/1.1dev/bin/module_maker/skel/adm_list.ihtml

@@ -3 +3 @@
 
 <div id="commandbox">
-    <form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="get">
+    <form action="<?php echo oTxt($_SERVER['PHP_SELF']); ?>" method="get">
         <?php printHiddenSession(false); ?>
         <span class="nowrap commandtext"><a href="<?php echo ohref($_SERVER['PHP_SELF'] . '?op=add'); ?>"><?php echo _("Add %ITEM_TITLE%"); ?></a></span>
@@ -18 +18 @@
 <?php include 'adm_list_info.ihtml'; ?>
 
-<form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post">
+<form action="<?php echo oTxt($_SERVER['PHP_SELF']); ?>" method="post">
     <?php printHiddenSession(false); ?>
     <table class="list">

branches/1.1dev/lib/PEdit.inc.php

@@ -273 +273 @@
         }
         ?>
-        <form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post">
+        <form action="<?php echo oTxt($_SERVER['PHP_SELF']); ?>" method="post">
         <input type="hidden" name="filename" value="<?php echo $this->_filename; ?>" />
         <input type="hidden" name="file_hash" value="<?php echo md5('frog_guts' . $this->_filename); ?>" />

branches/1.1dev/templates/adm_admin_form.ihtml

@@ -1 +1 @@
 <?php include 'form_error_header.ihtml'; ?>
 
-<form method="post" action="<?php echo $_SERVER['PHP_SELF']; ?>">
+<form method="post" action="<?php echo oTxt($_SERVER['PHP_SELF']); ?>">
 <?php printHiddenSession(); ?>
 <input type="hidden" name="op" value="<?php echo $frm['new_op']; ?>">

branches/1.1dev/templates/adm_admin_list.ihtml

@@ -1 +1 @@
 
 <?php include 'form_error_header.ihtml'; ?>
-<form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post">
+<form action="<?php echo oTxt($_SERVER['PHP_SELF']); ?>" method="post">
 <?php $carry_queries = array('search_query', 'filter_admin_priv'); ?>
 <?php printHiddenSession(false); ?>

branches/1.1dev/templates/adm_log_list.ihtml

@@ -1 +1 @@
 
 <?php include 'form_error_header.ihtml'; ?>
-<form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post">
+<form action="<?php echo oTxt($_SERVER['PHP_SELF']); ?>" method="post">
 <?php printHiddenSession(false); ?>
 

branches/1.1dev/templates/adm_login_form.ihtml

@@ -1 @@
-<form method="post" action="<?php echo $_SERVER['PHP_SELF']; ?>">
+<form method="post" action="<?php echo oTxt($_SERVER['PHP_SELF']); ?>">
 <?php printHiddenSession() ?>
 <table border="0" cellspacing="0" cellpadding="4">

branches/1.1dev/templates/adm_record_lock.ihtml

@@ -1 @@
-<form method="post" action="<?php echo $_SERVER['PHP_SELF']; ?>">
+<form method="post" action="<?php echo oTxt($_SERVER['PHP_SELF']); ?>">
 <?php printHiddenSession() ?>
 <input type="hidden" name="lock_id" value="<?php echo $lock->getID(); ?>" />

branches/1.1dev/templates/adm_record_version_list.ihtml

@@ -1 @@
-<form method="post" action="<?php echo $_SERVER['PHP_SELF']; ?>">
+<form method="post" action="<?php echo oTxt($_SERVER['PHP_SELF']); ?>">
 <?php printHiddenSession() ?>
 <input type="submit" class="formsubmitbutton" name="op" value="<?php echo _("Cancel"); ?>">

branches/1.1dev/templates/login_form.ihtml

@@ -1 @@
-<form method="post" action="<?php echo $_SERVER['PHP_SELF']; ?>">
+<form method="post" action="<?php echo oTxt($_SERVER['PHP_SELF']); ?>">
 <?php printHiddenSession() ?>
 <table border="0" cellspacing="0" cellpadding="4">

branches/1.1dev/templates/passwd.ihtml

@@ -1 +1 @@
 <?php include 'form_error_header.ihtml'; ?>
 
-<form method="post" action="<?php echo $_SERVER['PHP_SELF']; ?>">
+<form method="post" action="<?php echo oTxt($_SERVER['PHP_SELF']); ?>">
 <?php printHiddenSession() ?>
 <input type="hidden" name="op" value="update_password">

tags/2.0.2/bin/module_maker/list_template.cli.php

@@ -109 +109 @@
 
 <div id="commandbox">
-<form action="<\x3fphp echo \$_SERVER['PHP_SELF']; \x3f>" method="get">
+<form action="<\x3fphp echo oTxt(\$_SERVER['PHP_SELF']); \x3f>" method="get">
 <\x3fphp App::printHiddenSession(false); \x3f>
     <span class="nowrap commandtext"><a href="<\x3fphp echo App::oHREF(\$_SERVER['PHP_SELF'] . '?op=add'); \x3f>"><\x3fphp echo _("Add <##>"); \x3f></a></span>
@@ -124 +124 @@
 <?php include 'list_info.ihtml'; \x3f>
 
-<form action="<\x3fphp echo \$_SERVER['PHP_SELF']; \x3f>" method="post">
+<form action="<\x3fphp echo oTxt(\$_SERVER['PHP_SELF']); \x3f>" method="post">
 <table class="list">
     <tr>

tags/2.0.2/bin/module_maker/module.cli.php

@@ -221 +221 @@
 if ($upload_file_capability) {
     // Form arguments
-    $replace['admin_form_tag_init'] = "<form enctype=\"multipart/form-data\" method=\"post\" action=\"<\x3fphp echo \$_SERVER['PHP_SELF']; \x3f>\" class=\"sc-form\">\n<input type=\"hidden\" name=\"MAX_FILE_SIZE\" value=\"<##>\" />";
+    $replace['admin_form_tag_init'] = "<form enctype=\"multipart/form-data\" method=\"post\" action=\"<\x3fphp echo oTxt(\$_SERVER['PHP_SELF']); \x3f>\" class=\"sc-form\">\n<input type=\"hidden\" name=\"MAX_FILE_SIZE\" value=\"<##>\" />";
 
     // Include statement.

tags/2.0.2/bin/module_maker/skel/adm_list.ihtml

@@ -3 +3 @@
 
 <div id="commandbox">
-<form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="get">
+<form action="<?php echo oTxt($_SERVER['PHP_SELF']); ?>" method="get">
 <?php App::printHiddenSession(false); ?>
     <span class="nowrap commandtext"><a href="<?php echo App::oHREF($_SERVER['PHP_SELF'] . '?op=add'); ?>"><?php echo _("Add %ITEM_TITLE%"); ?></a></span>
@@ -16 +16 @@
 </div>
 
-<form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post">
+<form action="<?php echo oTxt($_SERVER['PHP_SELF']); ?>" method="post">
 <?php App::printHiddenSession(); ?>
 <?php include 'list_info.ihtml'; ?>

tags/2.0.2/lib/PEdit.inc.php

@@ -212 +212 @@
         }
         ?>        
-        <form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post" id="sc-pedit-form">
-        <input type="hidden" name="filename" value="<?php echo $_SERVER['PHP_SELF']; ?>" />
+        <form action="<?php echo oTxt($_SERVER['PHP_SELF']); ?>" method="post" id="sc-pedit-form">
+        <input type="hidden" name="filename" value="<?php echo oTxt($_SERVER['PHP_SELF']); ?>" />
         <input type="hidden" name="file_hash" value="<?php echo $this->_fileHash(); ?>" />
         <?php

tags/2.0.2/lib/RecordLock.inc.php

@@ -334 +334 @@
     {
         ?>
-        <form method="post" action="<?php echo $_SERVER['PHP_SELF']; ?>">
+        <form method="post" action="<?php echo oTxt($_SERVER['PHP_SELF']); ?>">
         <?php App::printHiddenSession() ?>
         <input type="hidden" name="lock_id" value="<?php echo $this->getID(); ?>" />

tags/2.0.2/services/templates/admin_form.ihtml

@@ -1 +1 @@
 <?php $fv->printErrorMessages(); ?>
 
-<form method="post" action="<?php echo $_SERVER['PHP_SELF']; ?>">
+<form method="post" action="<?php echo oTxt($_SERVER['PHP_SELF']); ?>">
 <?php App::printHiddenSession(); ?>
 <input type="hidden" name="op" value="<?php echo $frm['new_op']; ?>" />

tags/2.0.2/services/templates/admin_list.ihtml

@@ -1 +1 @@
 
 <?php $fv->printErrorMessages(); ?>
-<form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post">
+<form action="<?php echo oTxt($_SERVER['PHP_SELF']); ?>" method="post">
 <?php App::printHiddenSession(false); ?>
 <div id="commandbox">

tags/2.0.2/services/templates/lock.ihtml

@@ -4 +4 @@
 }
 ?>
-<form method="post" action="<?php echo $_SERVER['PHP_SELF']; ?>">
+<form method="post" action="<?php echo oTxt($_SERVER['PHP_SELF']); ?>">
     <?php App::printHiddenSession() ?>
     <input type="hidden" name="lock_id" value="<?php echo $lock->getID(); ?>" />

tags/2.0.2/services/templates/log_list.ihtml

@@ -1 @@
-<form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post">
+<form action="<?php echo oTxt($_SERVER['PHP_SELF']); ?>" method="post">
 <?php App::printHiddenSession(false); ?>
 

tags/2.0.2/services/templates/login_form.ihtml

@@ -1 @@
-<form method="post" action="<?php echo $_SERVER['PHP_SELF']; ?>">
+<form method="post" action="<?php echo oTxt($_SERVER['PHP_SELF']); ?>">
 <?php App::printHiddenSession() ?>
 <table>

tags/2.0.2/services/templates/password.ihtml

@@ -1 +1 @@
 <?php $fv->printErrorMessages(); ?>
 
-<form method="post" action="<?php echo $_SERVER['PHP_SELF']; ?>">
+<form method="post" action="<?php echo oTxt($_SERVER['PHP_SELF']); ?>">
 <?php App::printHiddenSession() ?>
 <input type="hidden" name="op" value="update_password" />

tags/2.0.2/services/templates/versions_list.ihtml

@@ -1 @@
-<form method="post" action="<?php echo $_SERVER['PHP_SELF']; ?>">
+<form method="post" action="<?php echo oTxt($_SERVER['PHP_SELF']); ?>">
 <?php App::printHiddenSession() ?>
 <input type="submit" name="op" value="<?php echo _("Cancel"); ?>" />

trunk/bin/module_maker/list_template.cli.php

@@ -109 +109 @@
 
 <div id="commandbox">
-<form action="<\x3fphp echo \$_SERVER['PHP_SELF']; \x3f>" method="get">
+<form action="<\x3fphp echo oTxt(\$_SERVER['PHP_SELF']); \x3f>" method="get">
 <\x3fphp \$app->printHiddenSession(false); \x3f>
     <span class="sc-nowrap commandtext"><a href="<\x3fphp echo \$app->oHREF(\$_SERVER['PHP_SELF'] . '?op=add'); \x3f>"><\x3fphp echo _("Add __///__"); \x3f></a></span>
@@ -124 +124 @@
 <?php include 'list_info.ihtml'; \x3f>
 
-<form action="<\x3fphp echo \$_SERVER['PHP_SELF']; \x3f>" method="post">
+<form action="<\x3fphp echo oTxt(\$_SERVER['PHP_SELF']); \x3f>" method="post">
 <table class="list">
     <tr>

trunk/bin/module_maker/module.cli.php

@@ -223 +223 @@
 if ($upload_file_capability) {
     // Form arguments
-    $replace['admin_form_tag_init'] = "<form enctype=\"multipart/form-data\" method=\"post\" action=\"<\x3fphp echo \$_SERVER['PHP_SELF']; \x3f>\" class=\"sc-form\">\n<input type=\"hidden\" name=\"MAX_FILE_SIZE\" value=\"__///__\" />";
+    $replace['admin_form_tag_init'] = "<form enctype=\"multipart/form-data\" method=\"post\" action=\"<\x3fphp echo oTxt(\$_SERVER['PHP_SELF']); \x3f>\" class=\"sc-form\">\n<input type=\"hidden\" name=\"MAX_FILE_SIZE\" value=\"__///__\" />";
 
     // Include statement.

trunk/bin/module_maker/skel/adm_list.ihtml

@@ -3 +3 @@
 
 <div id="commandbox">
-<form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="get">
+<form action="<?php echo oTxt($_SERVER['PHP_SELF']); ?>" method="get">
 <?php $app->printHiddenSession(false); ?>
     <span class="sc-nowrap commandtext"><a href="<?php echo $app->oHREF($_SERVER['PHP_SELF'] . '?op=add'); ?>"><?php echo _("Add %ITEM_TITLE%"); ?></a></span>
@@ -16 +16 @@
 </div>
 
-<form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post">
+<form action="<?php echo oTxt($_SERVER['PHP_SELF']); ?>" method="post">
 <?php $app->printHiddenSession(); ?>
 <?php include 'list_info.ihtml'; ?>

trunk/lib/Lock.inc.php

@@ -365 +365 @@
 
         ?>
-        <form method="post" action="<?php echo $_SERVER['PHP_SELF']; ?>">
+        <form method="post" action="<?php echo oTxt($_SERVER['PHP_SELF']); ?>">
         <?php $app->printHiddenSession() ?>
         <input type="hidden" name="lock_id" value="<?php echo $this->getID(); ?>" />

trunk/lib/Navigation.inc.php

@@ -18 +18 @@
     // Configuration parameters for this object.
     var $_params = array(        
-        'html_title' = true,
-        'body_title' = true,
+        'head_title' => true,
+        'body_title' => true,
         'title' => true,
         'path' => true,
@@ -58 +58 @@
         $page = array(
             'title' => $title,
-            'url' => is_null($url) ? $_SERVER['PHP_SELF'] : $url;
+            'url' => is_null($url) ? $_SERVER['PHP_SELF'] : $url,
         );
         $this->pages[] = array_merge($page, $vars);

trunk/lib/PEdit.inc.php

@@ -228 +228 @@
         }
         ?>        
-        <form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post" id="sc-pedit-form">
-        <input type="hidden" name="filename" value="<?php echo $_SERVER['PHP_SELF']; ?>" />
+        <form action="<?php echo oTxt($_SERVER['PHP_SELF']); ?>" method="post" id="sc-pedit-form">
+        <input type="hidden" name="filename" value="<?php echo oTxt($_SERVER['PHP_SELF']); ?>" />
         <input type="hidden" name="file_hash" value="<?php echo $this->_fileHash(); ?>" />
         <?php

trunk/services/templates/admin_form.ihtml

@@ -1 +1 @@
 <?php $fv->printErrorMessages(); ?>
 
-<form method="post" action="<?php echo $_SERVER['PHP_SELF']; ?>">
+<form method="post" action="<?php echo oTxt($_SERVER['PHP_SELF']); ?>">
 <?php $app->printHiddenSession(); ?>
 <input type="hidden" name="op" value="<?php echo $frm['new_op']; ?>" />

trunk/services/templates/admin_list.ihtml

@@ -1 +1 @@
 
 <?php $fv->printErrorMessages(); ?>
-<form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post">
+<form action="<?php echo oTxt($_SERVER['PHP_SELF']); ?>" method="post">
 <?php $app->printHiddenSession(false); ?>
 <div id="commandbox">

trunk/services/templates/lock.ihtml

@@ -4 +4 @@
 }
 ?>
-<form method="post" action="<?php echo $_SERVER['PHP_SELF']; ?>">
+<form method="post" action="<?php echo oTxt($_SERVER['PHP_SELF']); ?>">
     <?php $app->printHiddenSession() ?>
     <input type="hidden" name="lock_id" value="<?php echo $lock->getID(); ?>" />

trunk/services/templates/log_list.ihtml

@@ -1 @@
-<form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post">
+<form action="<?php echo oTxt($_SERVER['PHP_SELF']); ?>" method="post">
 <?php $app->printHiddenSession(false); ?>
 

trunk/services/templates/login_form.ihtml

@@ -1 @@
-<form method="post" action="<?php echo $_SERVER['PHP_SELF']; ?>">
+<form method="post" action="<?php echo oTxt($_SERVER['PHP_SELF']); ?>">
 <?php $app->printHiddenSession() ?>
 <table>

trunk/services/templates/password.ihtml

@@ -1 +1 @@
 <?php $fv->printErrorMessages(); ?>
 
-<form method="post" action="<?php echo $_SERVER['PHP_SELF']; ?>">
+<form method="post" action="<?php echo oTxt($_SERVER['PHP_SELF']); ?>">
 <?php $app->printHiddenSession() ?>
 <input type="hidden" name="op" value="update_password" />

trunk/services/templates/versions_list.ihtml

@@ -1 @@
-<form method="post" action="<?php echo $_SERVER['PHP_SELF']; ?>">
+<form method="post" action="<?php echo oTxt($_SERVER['PHP_SELF']); ?>">
 <?php $app->printHiddenSession() ?>
 <input type="submit" name="op" value="<?php echo _("Cancel"); ?>" />