extern/egroupware
1
0
Fork 1
mirror of https://github.com/EGroupware/egroupware.git synced 2024-11-08 00:54:50 +01:00
Code Issues Packages Projects Releases Wiki Activity

- correctly quote single and double quotes in html element id's

Browse Source 
- correctly quote quotes in parameters of javascript functions used
  eg. as eventhandlers, eg. onchange="do_something('$cont[name]');"
  --> if $cont[name] is an array: do_something([ 'val1', 'val2' ]) is used
- correctly quote & in get parameters of url's
This commit is contained in:
Ralf Becker 2010-05-09 14:06:35 +00:00
parent 1caead5ea9
commit db23b1d746
2 changed files with 61 additions and 16 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

39
etemplate/inc/class.boetemplate.inc.php
View File

@ -157,7 +157,7 @@ class boetemplate extends soetemplate
static function expand_name($name,$c,$row,$c_='',$row_='',$cont='') static function expand_name($name,$c,$row,$c_='',$row_='',$cont='')
{ {
$is_index_in_content = $name[0] == '@'; $is_index_in_content = $name[0] == '@';
if (strpos($name,'$') !== false) if (($pos_var=strpos($name,'$')) !== false)
{ {
if (!$cont) if (!$cont)
{ {
@ -169,6 +169,43 @@ class boetemplate extends soetemplate
$row_cont = $cont[$row]; $row_cont = $cont[$row];
$col_row_cont = $cont[$col.$row]; $col_row_cont = $cont[$col.$row];
// check if name is enclosed in single quotes as argument eg. to an event handler --> quote contained quotes (' or ")
if ($name[$pos_var-1] == "'" && preg_match('/\'(\$[A-Za-z0-9_\[\]]+)\'/',$name,$matches))
{
eval('$value = '.$matches[1].';');
if (is_array($value))
{
foreach($value as &$val)
{
$val = "'".str_replace(array("'",'"'),array('\\\'','"'),$val)."'";
}
$value = '[ '.implode(', ',$value).' ]';
$name = str_replace("'".$matches[1]."'",$value,$name);
}
else
{
$value = str_replace(array("'",'"'),array('\\\'','"'),$value);
$name = str_replace($matches[1],$value,$name);
}
}
// check if name is assigned in an url --> urlendcode contained & as %26, as egw::link
if ($name[$pos_var-1] == '=' && preg_match('/&([A-Za-z0-9_\[\]]+)=(\$[A-Za-z0-9_\[\]]+)/',$name,$matches))
{
eval('$value = '.$matches[2].';');
if (is_array($value)) // works only reasonable, if get-parameter uses array notation, eg. &file[]=$cont[filenames]
{
foreach($value as &$val)
{
$val = str_replace('&',urlencode('&'),$val);
}
$name = str_replace($matches[2],implode('&'.$matches[1].'=',$value),$name);
}
else
{
$value = str_replace('&',urlencode('&'),$value);
$name = str_replace($matches[2],$value,$name);
}
}
eval('$name = "'.str_replace('"','\\"',$name).'";'); eval('$name = "'.str_replace('"','\\"',$name).'";');
} }
if ($is_index_in_content) if ($is_index_in_content)

38
etemplate/inc/class.etemplate.inc.php
View File

@ -432,7 +432,7 @@ class etemplate extends boetemplate
if (!$_POST && $_SERVER['REQUEST_METHOD'] == 'POST') if (!$_POST && $_SERVER['REQUEST_METHOD'] == 'POST')
{ {
$redirect['post_empty'] = 1; $redirect['post_empty'] = 1;
// check if we have a failed upload, because user tried to uploaded a file // check if we have a failed upload, because user tried to uploaded a file
// bigger then php.ini setting post_max_size // bigger then php.ini setting post_max_size
// in that case the webserver calls PHP with $_POST === array() // in that case the webserver calls PHP with $_POST === array()
if (substr($_SERVER['CONTENT_TYPE'],0,19) == 'multipart/form-data' && if (substr($_SERVER['CONTENT_TYPE'],0,19) == 'multipart/form-data' &&
@ -659,7 +659,7 @@ class etemplate extends boetemplate
// make the content availible as class-public for extensions // make the content availible as class-public for extensions
$this->content =& $content; $this->content =& $content;
$html = "\n\n<!-- BEGIN eTemplate $this->name -->\n<div id=\"$this->name\">\n\n"; $html = "\n\n<!-- BEGIN eTemplate $this->name -->\n<div id=\"".str_replace('"','&quot;',$this->name)."\">\n\n";
if (!self::$styles_included[$this->name]) if (!self::$styles_included[$this->name])
{ {
self::$styles_included[$this->name] = True; self::$styles_included[$this->name] = True;
@ -874,7 +874,7 @@ class etemplate extends boetemplate
$onclick = $this->expand_name($onclick,$c,$r,$content['.c'],$content['.row'],$content); $onclick = $this->expand_name($onclick,$c,$r,$content['.c'],$content['.row'],$content);
} }
$row_data[".$col"] .= ' onclick="'.$this->js_pseudo_funcs($onclick,$cname).'"' . $row_data[".$col"] .= ' onclick="'.$this->js_pseudo_funcs($onclick,$cname).'"' .
($cell['id'] ? ' id="'.$cell['id'].'"' : ''); ($cell['id'] ? ' id="'.str_replace('"','&quot;',$cell['id']).'"' : '');
} }
$colspan = $span == 'all' ? $grid['cols']-$c : 0+$span; $colspan = $span == 'all' ? $grid['cols']-$c : 0+$span;
if ($colspan > 1) if ($colspan > 1)
@ -1171,7 +1171,7 @@ class etemplate extends boetemplate
} }
if ($form_name != '') if ($form_name != '')
{ {
$options = 'id="'.($cell['id'] ? $cell['id'] : $form_name).'" '.$options; $options = 'id="'.str_replace('"','&quot;',$cell['id'] ? $cell['id'] : $form_name).'" '.$options;
} }
switch ($type) switch ($type)
{ {
@ -1374,7 +1374,7 @@ class etemplate extends boetemplate
{ {
$onclick = ($onclick ? preg_replace('/^return(.*);$/','if (\\1) ',$onclick) : ''). $onclick = ($onclick ? preg_replace('/^return(.*);$/','if (\\1) ',$onclick) : '').
(((string)$cell['onchange'] === '1' || $img) ? (((string)$cell['onchange'] === '1' || $img) ?
'return submitit('.self::$name_form.",'".addslashes($form_name)."');" : $cell['onchange']).'; return false;'; 'return submitit('.self::$name_form.",'".str_replace(array('"','\''),array('&quot','\\\''),$form_name)."');" : $cell['onchange']).'; return false;';
if (!html::$netscape4 && substr($img,-1) == '%' && is_numeric($percent = substr($img,0,-1))) if (!html::$netscape4 && substr($img,-1) == '%' && is_numeric($percent = substr($img,0,-1)))
{ {
@ -1601,7 +1601,7 @@ class etemplate extends boetemplate
} }
$html .= html::image($app,$img,strlen($label) > 1 && !$cell['no_lang'] ? lang($label) : $label, $html .= html::image($app,$img,strlen($label) > 1 && !$cell['no_lang'] ? lang($label) : $label,
'border="0"'.($imagemap?' usemap="#'.html::htmlspecialchars($imagemap).'"':''). 'border="0"'.($imagemap?' usemap="#'.html::htmlspecialchars($imagemap).'"':'').
($id || $value ? ' id="'.($id ? $id : $name).'"' : '')); ($id || $value ? ' id="'.str_replace('"','&quot;',$id ? $id : $name).'"' : ''));
$extra_label = False; $extra_label = False;
break; break;
case 'file': // size: size of the filename field case 'file': // size: size of the filename field
@ -1670,7 +1670,7 @@ class etemplate extends boetemplate
if (strlen($child['onclick']) > 1) if (strlen($child['onclick']) > 1)
{ {
$rows[$box_row]['.'.$box_col] .= ' onclick="'.$this->js_pseudo_funcs($child['onclick'],$cname).'"'. $rows[$box_row]['.'.$box_col] .= ' onclick="'.$this->js_pseudo_funcs($child['onclick'],$cname).'"'.
($child['id'] ? ' id="'.$child['id'].'"' : ''); ($child['id'] ? ' id="'.str_replace('"','&quot;',$child['id']).'"' : '');
} }
// allow to set further attributes in the tablecell, beside the class // allow to set further attributes in the tablecell, beside the class
if (is_array($cl)) if (is_array($cl))
@ -1693,7 +1693,7 @@ class etemplate extends boetemplate
{ {
$html = html::table($rows,html::formatOptions($cell_options,',,cellpadding,cellspacing'). $html = html::table($rows,html::formatOptions($cell_options,',,cellpadding,cellspacing').
($type != 'groupbox' ? html::formatOptions($class,'class'). ($type != 'groupbox' ? html::formatOptions($class,'class').
($cell['name'] ? ' id="'.$form_name.'"' : '') : ''). ($cell['name'] ? ' id="'.str_replace('"','&quot;',$form_name).'"' : '') : '').
($cell['align'] && $orient != 'horizontal' || $sub_cell_has_align ? ' width="100%"' : '')); // alignment only works if table has full width ($cell['align'] && $orient != 'horizontal' || $sub_cell_has_align ? ' width="100%"' : '')); // alignment only works if table has full width
if ($type != 'groupbox') $class = ''; // otherwise we create an extra div if ($type != 'groupbox') $class = ''; // otherwise we create an extra div
} }
@ -1708,7 +1708,7 @@ class etemplate extends boetemplate
{ {
$label = lang($label); $label = lang($label);
} }
$html = html::fieldset($html,$label,($cell['name'] ? ' id="'.$form_name.'"' : ''). $html = html::fieldset($html,$label,($cell['name'] ? ' id="'.str_replace('"','&quot;',$form_name).'"' : '').
($class ? ' class="'.$class.'"' : '')); ($class ? ' class="'.$class.'"' : ''));
$class = ''; // otherwise we create an extra div $class = ''; // otherwise we create an extra div
} }
@ -1972,8 +1972,10 @@ class etemplate extends boetemplate
} }
} }
if (preg_match_all("/form::name\\('([^']+)'\\)/",$on,$matches)) { if (preg_match_all("/form::name\\('([^']+)'\\)/",$on,$matches))
foreach($matches[1] as $n => $matche_name) { {
foreach($matches[1] as $n => $matche_name)
{
$matches[1][$n] = '\''.self::form_name($cname,$matche_name).'\''; $matches[1][$n] = '\''.self::form_name($cname,$matche_name).'\'';
} }
$on = str_replace($matches[0],$matches[1],$on); $on = str_replace($matches[0],$matches[1],$on);
@ -1993,18 +1995,24 @@ class etemplate extends boetemplate
$on = str_replace($matches[0],"'<style>".str_replace(array("\n","\r"),'',$tpl->style)."</style>'",$on); $on = str_replace($matches[0],"'<style>".str_replace(array("\n","\r"),'',$tpl->style)."</style>'",$on);
} }
} }
if (strpos($on,'confirm(') !== false && preg_match('/confirm\(["\']{1}(.*)["\']{1}\)/U',$on,$matches)) {
// translate messages in confirm()
if (strpos($on,'confirm(') !== false && preg_match('/confirm\(["\']{1}(.*)["\']{1}\)/U',$on,$matches))
{
$question = lang($matches[1]).(substr($matches[1],-1) != '?' ? '?' : ''); // add ? if not there, saves extra phrase $question = lang($matches[1]).(substr($matches[1],-1) != '?' ? '?' : ''); // add ? if not there, saves extra phrase
$on = str_replace($matches[0],'confirm(\''.str_replace("'","\\'",$question).'\')',$on); $on = str_replace($matches[0],'confirm(\''.str_replace("'","\\'",$question).'\')',$on);
} }
if (strpos($on,'window.open(') !== false && preg_match("/window.open\('(.*)','(.*)','dependent=yes,width=(.*),height=(.*),scrollbars=yes,status=(.*)'\)/",$on,$matches)) { // replace window.open() with EGw's egw_openWindowCentered2()
$on = str_replace($matches[0], "egw_openWindowCentered2('{$matches[1]}', '{$matches[2]}', '{$matches[3]}', '{$matches[4]}', '{$matches[5]}')", $on); if (strpos($on,'window.open(') !== false && preg_match("/window.open\('(.*)','(.*)','dependent=yes,width=(.*),height=(.*),scrollbars=yes,status=(.*)'\)/",$on,$matches))
{
$on = str_replace($matches[0], "egw_openWindowCentered2('$matches[1]', '$matches[2]', $matches[3], $matches[4], '$matches[5]')", $on);
} }
// replace xajax calls to code in widgets, with the "etemplate" handler, // replace xajax calls to code in widgets, with the "etemplate" handler,
// this allows to call widgets with the current app, otherwise everyone would need etemplate run rights // this allows to call widgets with the current app, otherwise everyone would need etemplate run rights
if (strpos($on,"xajax_doXMLHTTP('etemplate.") !== false) { if (strpos($on,"xajax_doXMLHTTP('etemplate.") !== false)
{
$on = preg_replace("/^xajax_doXMLHTTP\('etemplate\.([a-z]+_widget\.[a-zA-Z0-9_]+)\'/",'xajax_doXMLHTTP(\''.$GLOBALS['egw_info']['flags']['currentapp'].'.\\1.etemplate\'',$on); $on = preg_replace("/^xajax_doXMLHTTP\('etemplate\.([a-z]+_widget\.[a-zA-Z0-9_]+)\'/",'xajax_doXMLHTTP(\''.$GLOBALS['egw_info']['flags']['currentapp'].'.\\1.etemplate\'',$on);
} }