From 141ff78bbcf9797f4ea9fa36bdbe168dbfcc4665 Mon Sep 17 00:00:00 2001
From: Ralf Becker <ralfbecker@outdoor-training.de>
Date: Tue, 4 Feb 2014 08:40:42 +0000
Subject: [PATCH] missing quoting in editing users and groups

---
 admin/inc/class.uiaccounts.inc.php | 26 +++++++++++++++-----------
 1 file changed, 15 insertions(+), 11 deletions(-)

diff --git a/admin/inc/class.uiaccounts.inc.php b/admin/inc/class.uiaccounts.inc.php
index 2c2219deb9..e694e5fd3b 100755
--- a/admin/inc/class.uiaccounts.inc.php
+++ b/admin/inc/class.uiaccounts.inc.php
@@ -942,9 +942,9 @@
 			accounts::cache_invalidate((int)$_GET['account_id']);
 			$userData = $GLOBALS['egw']->accounts->read((int)$_GET['account_id'],'u');
 
-			$var['account_lid']       = $userData['account_lid'];
-			$var['account_firstname'] = $userData['firstname'];
-			$var['account_lastname']  = $userData['lastname'];
+			$var['account_lid']       = html::htmlspecialchars($userData['account_lid']);
+			$var['account_firstname'] = html::htmlspecialchars($userData['firstname']);
+			$var['account_lastname']  = html::htmlspecialchars($userData['lastname']);
 
 			$acl =& CreateObject('phpgwapi.acl',(int)$_GET['account_id']);
 			$var['anonymous']         = $acl->check('anonymous',1,'phpgwapi') ? '&nbsp;&nbsp;X' : '&nbsp;';
@@ -1007,7 +1007,7 @@
 			{
 				while (list(,$group) = each($usergroups))
 				{
-					$group_names[] = $group['account_name'];
+					$group_names[] = html::htmlspecialchars($group['account_name']);
 				}
 				$var['groups_select'] = implode(', ',$group_names);
 			}
@@ -1130,7 +1130,7 @@
 				'form_action'       => $GLOBALS['egw']->link('/index.php','menuaction=admin.uiaccounts.'.($group_info['account_id']?'edit':'add').'_group'),
 				'hidden_vars'       => '<input type="hidden" name="account_id" value="' . $group_info['account_id'] . '">',
 				'lang_group_name'   => lang('group name'),
-				'group_name_value'  => $group_info['account_name'],
+				'group_name_value'  => html::htmlspecialchars($group_info['account_name']),
 				'lang_include_user' => lang('Select users for inclusion'),
 				'error'             => (!$_errors?'':'<center>'.common::error_list($_errors).'</center>'),
 				'lang_permissions'  => lang('Permissions this group has')
@@ -1376,9 +1376,10 @@
 			{
 				$lang_homedir = lang('home directory');
 				$lang_shell = lang('login shell');
-				$homedirectory = '<input name="homedirectory" id="homedirectory" value="'. ($_account_id?$userData['homedirectory']:$GLOBALS['egw_info']['server']['ldap_account_home'].$account_lid).'">';
+				$homedirectory = '<input name="homedirectory" id="homedirectory" value="'.
+						html::htmlspecialchars($_account_id?$userData['homedirectory']:$GLOBALS['egw_info']['server']['ldap_account_home'].$account_lid).'">';
 				$loginshell = '<input name="loginshell" value="'
-					. ($_account_id?$userData['loginshell']:$GLOBALS['egw_info']['server']['ldap_account_shell'])
+					. html::htmlspecialchars($_account_id?$userData['loginshell']:$GLOBALS['egw_info']['server']['ldap_account_shell'])
 					. '">';
 			}
 			else
@@ -1439,9 +1440,12 @@
 				'changepassword'	=> '<input type="checkbox" name="changepassword" value="1"'.($userData['changepassword'] ? ' checked' : '').'>',
 				'mustchangepassword'    => '<input type="checkbox" name="mustchangepassword" value="1"'.($userData['mustchangepassword'] ? ' checked' : '').'>',
 				'account_status'    => '<input type="checkbox" name="account_status" value="A"'.($userData['account_status']?' checked':'').'>',
-				'account_firstname' => '<input id="firstname" onchange="check_account_email(this.id);" name="account_firstname" maxlength="50" value="' . $userData['account_firstname'] . '">',
-				'account_lastname'  => '<input id="lastname" onchange="check_account_email(this.id);" name="account_lastname" maxlength="50" value="' . $userData['account_lastname'] . '">',
-				'account_email'     => '<input id="email" onchange="email_set=0; check_account_email(this.id);" name="account_email" size="32" maxlength="100" value="' . $userData['account_email'] . '">',
+				'account_firstname' => '<input id="firstname" onchange="check_account_email(this.id);" name="account_firstname" maxlength="50" value="' .
+					html::htmlspecialchars($userData['account_firstname']) . '">',
+				'account_lastname'  => '<input id="lastname" onchange="check_account_email(this.id);" name="account_lastname" maxlength="50" value="' .
+					html::htmlspecialchars($userData['account_lastname']) . '">',
+				'account_email'     => '<input id="email" onchange="email_set=0; check_account_email(this.id);" name="account_email" size="32" maxlength="100" value="' .
+					html::htmlspecialchars($userData['account_email']) . '">',
 				'account_passwd'    => $userData['account_passwd'],
 				'account_passwd_2'  => $userData['account_passwd_2'],
 				'account_file_space' => $account_file_space,
@@ -1486,7 +1490,7 @@
 				{
 					$primary_group_select .= ' selected="1"';
 				}
-				$primary_group_select .= '>' . $value['account_lid'] . '</option>'."\n";
+				$primary_group_select .= '>' . html::htmlspecialchars($value['account_lid']) . '</option>'."\n";
 			}
 			//prepare the userGroups Array for use with the checkbox-multiselect use -> selarray
 			$selarray=array();