Changeset 763 for trunk/lib

Timestamp:

Feb 24, 2022 10:05:48 PM (2 years ago)

Author:

anonymous

Message:

Include boomerang in hidden input on login form so the user will be redirected if the revisit the login form after session is garbage collected. Add escape values used in html attributes.

Location:

trunk/lib

Files:

• App.inc.php (modified) (4 diffs)
• HTML.inc.php (modified) (4 diffs)
• Image.inc.php (modified) (1 diff)
• PayPal.inc.php (modified) (6 diffs)
• Utilities.inc.php (modified) (2 diffs)

trunk/lib/App.inc.php

@@ -1335 +1335 @@
                     foreach ($val as $subval) {
                         if ('' != $key && '' != $subval) {
-                            $out .= sprintf('<input type="hidden" name="%s[]" value="%s" />', $key, $subval);
+                            $out .= sprintf('<input type="hidden" name="%s[]" value="%s" />', oTxt($key), oTxt($subval));
                         }
                     }
                 } else if ('' != $key && '' != $val) {
-                    $out .= sprintf('<input type="hidden" name="%s" value="%s" />', $key, $val);
+                    $out .= sprintf('<input type="hidden" name="%s" value="%s" />', oTxt($key), oTxt($val));
                 }
             }
@@ -1355 +1355 @@
         && $this->getParam('session_use_trans_sid')
         ) {
-            $out .= sprintf('<input type="hidden" name="%s" value="%s" />', session_name(), session_id());
+            $out .= sprintf('<input type="hidden" name="%s" value="%s" />', oTxt(session_name()), oTxt(session_id()));
         }
 
@@ -1361 +1361 @@
         // This token can be validated upon form submission with $app->verifyCSRFToken() or $app->requireValidCSRFToken()
         if ($this->getParam('csrf_token_enabled') && $include_csrf_token) {
-            $out .= sprintf('<input type="hidden" name="%s" value="%s" />', $this->getParam('csrf_token_name'), $this->getCSRFToken());
+            $out .= sprintf('<input type="hidden" name="%s" value="%s" />', oTxt($this->getParam('csrf_token_name')), oTxt($this->getCSRFToken()));
         }
 
@@ -1530 +1530 @@
         } else {
             // Fallback: die using meta refresh instead.
-            printf('<meta http-equiv="refresh" content="0;url=%s" />', $url);
+            printf('<meta http-equiv="refresh" content="0;url=%s" />', oTxt($url));
             $this->logMsg(sprintf('dieURL (refresh): %s; headers already sent (output started in %s : %s)', $url, $h_file, $h_line), LOG_NOTICE, __FILE__, __LINE__);
         }

trunk/lib/HTML.inc.php

@@ -78 +78 @@
                 echo '<li><a';
                 foreach (array_diff_key($b, array('value' => null)) as $key => $value) {
-                    printf(' %s="%s"', $key, oTxt($value));
+                    printf(' %s="%s"', oTxt($key), oTxt($value));
                 }
                 echo '>' . oTxt($b['value']) . '</a></li>';
@@ -88 +88 @@
                 echo '<li><input';
                 foreach ($b as $key => $value) {
-                    printf(' %s="%s"', $key, oTxt($value));
+                    printf(' %s="%s"', oTxt($key), oTxt($value));
                 }
                 echo ' /></li>';
@@ -247 +247 @@
             printf('<option value="%s"%s%s%s>%s</option>',
                 oTxt($o['value']),
-                (isset($o['class']) && sprintf(' class="%s"', $o['class']) ? : ''),
-                (isset($o['selected']) && $o['selected'] ? ' selected="selected"' : ''),
-                (isset($o['disabled']) && $o['disabled'] ? ' disabled="disabled"' : ''),
+                (isset($o['class']) && sprintf(' class="%s"', oTxt($o['class'])) ? : ''),
+                (isset($o['selected']) && oTxt($o['selected']) ? ' selected="selected"' : ''),
+                (isset($o['disabled']) && oTxt($o['disabled']) ? ' disabled="disabled"' : ''),
                 oTxt($o['text'])
             );
@@ -280 +280 @@
         foreach ($options as $value => $text) {
             printf('<option value="%s"%s>%s</option>',
-                $value,
+                oTxt($value),
                 $preselected == $value ? ' selected="selected"' : '',
-                $text
+                oTxt($text)
             );
         }

trunk/lib/Image.inc.php

@@ -152 +152 @@
 
         return sprintf('<img src="%s" %s alt="%s" %s />',
-            $src,
+            oTxt($src),
             $image_size,
             oTxt($alt),

trunk/lib/PayPal.inc.php

@@ -4 +4 @@
  * For details visit the project site: <http://trac.strangecode.com/codebase/>
  * Copyright 2001-2012 Strangecode, LLC
- * 
+ *
  * This file is part of The Strangecode Codebase.
  *
@@ -11 +11 @@
  * Free Software Foundation, either version 3 of the License, or (at your option)
  * any later version.
- * 
+ *
  * The Strangecode Codebase is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
  * details.
- * 
+ *
  * You should have received a copy of the GNU General Public License along with
  * The Strangecode Codebase. If not, see <http://www.gnu.org/licenses/>.
@@ -212 +212 @@
     {
         ?>
-        <form action="<?php echo $this->_buttons[$name]['options']['button_url']; ?>" method="post">
+        <form action="<?php echo oTxt($this->_buttons[$name]['options']['button_url']); ?>" method="post">
         <?php
         if (is_array($this->_buttons[$name]['options']) && !empty($this->_buttons[$name]['options'])) {
@@ -218 +218 @@
                 if (!in_array($key, array('button_url', 'link_url', 'submit_img', 'submit_text'))) {
                     ?>
-                    <input type="hidden" name="<?php echo $key; ?>" value="<?php echo $val; ?>" />
+                    <input type="hidden" name="<?php echo oTxt($key); ?>" value="<?php echo oTxt($val); ?>" />
                     <?php
                 }
@@ -224 +224 @@
         }
         ?>
-        <input type="image" src="<?php echo $this->_buttons[$name]['options']['submit_img']; ?>" border="0" name="submit" alt="<?php echo $this->_buttons[$name]['options']['submit_text']; ?>" />
+        <input type="image" src="<?php echo oTxt($this->_buttons[$name]['options']['submit_img']); ?>" border="0" name="submit" alt="<?php echo oTxt($this->_buttons[$name]['options']['submit_text']); ?>" />
         </form>
         <?php
@@ -257 +257 @@
     {
         $app =& App::getInstance();
-    
+
         if (array_key_exists($param, $this->_params)) {
             return $this->_params[$param];

trunk/lib/Utilities.inc.php

@@ -319 +319 @@
             // Remove http schemas, and any single trailing / to make the display URL.
             $display_url = preg_replace(['!^https?://!u', '!^([^/]+)/$!u'], ['', '$1'], $url);
-            return sprintf('<a href="%s">%s</a>', oTxt($absolute_url), $display_url);
+            return sprintf('<a href="%s">%s</a>', oTxt($absolute_url), oTxt($display_url));
         } else {
             // Truncated URL.
             // Remove http schemas, and any single trailing / to make the display URL.
             $display_url = preg_replace(['!^https?://!u', '!^([^/]+)/$!u'], ['', '$1'], trim($truncated_url));
-            return sprintf('<a href="%s">%s%s</a>', oTxt($absolute_url), $display_url, $delim);
+            return sprintf('<a href="%s">%s%s</a>', oTxt($absolute_url), oTxt($display_url), $delim);
         }
     }, $text);
@@ -349 +349 @@
         if ('' != trim($w)) {
             $search[] = '/\b(' . preg_quote($w) . ')\b/i' . $app->getParam('preg_u');
-            $replace[] = '<span class="' . $class . '">$1</span>';
+            $replace[] = '<span class="' . oTxt($class) . '">$1</span>';
         }
     }