fixed handling of links with params containing '&', replaced htmlentities with htmlspecialchars

This commit is contained in:
Ralf Becker 2003-07-06 11:01:16 +00:00
parent a349603673
commit 1589da187d

View File

@ -47,9 +47,9 @@ class html
{ {
$arr = array('no','yes'); $arr = array('no','yes');
} }
if (0+$multiple > 0) if (intval($multiple) > 0)
{ {
$options .= ' MULTIPLE SIZE="'.(0+$multiple).'"'; $options .= ' MULTIPLE SIZE="'.intval($multiple).'"';
if (substr($name,-2) != '[]') if (substr($name,-2) != '[]')
{ {
$name .= '[]'; $name .= '[]';
@ -61,9 +61,10 @@ class html
{ {
$key = implode(',',$key); $key = implode(',',$key);
} }
while (list($k,$text) = each($arr)) foreach($arr as $k => $text)
{ {
$out .= '<option value="'.htmlspecialchars($k).'"'; $out .= '<option value="'.htmlspecialchars($k).'"';
if("$k" == "$key" || strstr(",$key,",",$k,")) if("$k" == "$key" || strstr(",$key,",",$k,"))
{ {
$out .= " SELECTED"; $out .= " SELECTED";
@ -86,9 +87,12 @@ class html
{ {
$vars = array( $vars => $value ); $vars = array( $vars => $value );
} }
while (list($name,$value) = each($vars)) foreach($vars as $name => $value)
{ {
if (is_array($value)) $value = serialize($value); if (is_array($value))
{
$value = serialize($value);
}
if (!$ignore_empty || $value && !($name == 'filter' && $value == 'none')) // dont need to send all the empty vars if (!$ignore_empty || $value && !($name == 'filter' && $value == 'none')) // dont need to send all the empty vars
{ {
$html .= "<INPUT TYPE=\"HIDDEN\" NAME=\"$name\" VALUE=\"".htmlspecialchars($value)."\">\n"; $html .= "<INPUT TYPE=\"HIDDEN\" NAME=\"$name\" VALUE=\"".htmlspecialchars($value)."\">\n";
@ -104,8 +108,10 @@ class html
function input($name,$value='',$type='',$options='' ) function input($name,$value='',$type='',$options='' )
{ {
if ($type) $type = 'TYPE="'.$type.'"'; if ($type)
{
$type = 'TYPE="'.$type.'"';
}
return "<INPUT $type NAME=\"$name\" VALUE=\"".htmlspecialchars($value)."\" $options>\n"; return "<INPUT $type NAME=\"$name\" VALUE=\"".htmlspecialchars($value)."\" $options>\n";
} }
@ -113,7 +119,10 @@ class html
{ {
if ($image != '') if ($image != '')
{ {
if (strpos($image,'.')) $image = substr($image,0,strpos($image,'.')); if (strpos($image,'.'))
{
$image = substr($image,0,strpos($image,'.'));
}
if (!($path = $GLOBALS['phpgw']->common->image($app,$image)) && if (!($path = $GLOBALS['phpgw']->common->image($app,$image)) &&
!($path = $GLOBALS['phpgw']->common->image('phpgwapi',$image))) !($path = $GLOBALS['phpgw']->common->image('phpgwapi',$image)))
{ {
@ -159,23 +168,15 @@ class html
*/ */
function link($url,$vars='') function link($url,$vars='')
{ {
if (is_array( $vars )) if (!is_array($vars))
{ {
$v = array( ); $vars = explode('&',$vars);
while(list($name,$value) = each($vars))
{
if ($value && !($name == 'filter' && $value == 'none')) // dont need to send all the empty vars
{
$v[] = "$name=$value";
}
}
$vars = implode('&',$v);
} }
list($url,$v) = explode('?',$url); // url may contain additional vars list($url,$v) = explode('?',$url); // url may contain additional vars
if ($url == '') $url = '/index.php';
if ($v) if ($v)
$vars .= ($vars ? '&' : '') . $v; {
$vars += explode('&',$v);
}
return $GLOBALS['phpgw']->link($url,$vars); return $GLOBALS['phpgw']->link($url,$vars);
} }
@ -189,18 +190,18 @@ class html
$html = "<form method=\"$method\" ".($name != '' ? "name=\"$name\" " : '')."action=\"".$this->link($url,$url_vars)."\" $options>\n"; $html = "<form method=\"$method\" ".($name != '' ? "name=\"$name\" " : '')."action=\"".$this->link($url,$url_vars)."\" $options>\n";
$html .= $this->input_hidden($hidden_vars); $html .= $this->input_hidden($hidden_vars);
if ($content) { if ($content)
{
$html .= $content; $html .= $content;
$html .= "</form>\n"; $html .= "</form>\n";
} }
return $html; return $html;
} }
function form_1button($name,$lang,$hidden_vars,$url,$url_vars='', function form_1button($name,$lang,$hidden_vars,$url,$url_vars='',$form_name='',$method='POST')
$form_name='',$method='POST')
{ {
return $this->form($this->submit_button($name,$lang), return $this->form($this->submit_button($name,$lang),
$hidden_vars,$url,$url_vars,$form_name,'',$method); $hidden_vars,$url,$url_vars,$form_name,'',$method);
} }
/*! /*!
@ -219,26 +220,39 @@ class html
{ {
$html = $no_table_tr ? '' : "<TABLE $options>\n"; $html = $no_table_tr ? '' : "<TABLE $options>\n";
while (list($key,$row) = each($rows)) { foreach($rows as $key => $row)
{
if (!is_array($row)) if (!is_array($row))
{
continue; // parameter continue; // parameter
}
$html .= $no_table_tr && $key == 1 ? '' : "\t<TR ".$rows['.'.$key].">\n"; $html .= $no_table_tr && $key == 1 ? '' : "\t<TR ".$rows['.'.$key].">\n";
while (list($key,$cell) = each($row)) {
foreach($row as $key => $cell)
{
if ($key[0] == '.') if ($key[0] == '.')
{
continue; // parameter continue; // parameter
}
$table_pos = strpos($cell,'<TABLE'); $table_pos = strpos($cell,'<TABLE');
$td_pos = strpos($cell,'<TD'); $td_pos = strpos($cell,'<TD');
if ($td_pos !== False && ($table_pos === False || $td_pos < $table_pos)) if ($td_pos !== False && ($table_pos === False || $td_pos < $table_pos))
{
$html .= $cell; $html .= $cell;
}
else else
{
$html .= "\t\t<TD ".$row['.'.$key].">$cell</TD>\n"; $html .= "\t\t<TD ".$row['.'.$key].">$cell</TD>\n";
}
} }
$html .= "\t</TR>\n"; $html .= "\t</TR>\n";
} }
$html .= "</TABLE>\n"; $html .= "</TABLE>\n";
if ($no_table_tr)
$html = substr($html,0,-16);
if ($no_table_tr)
{
$html = substr($html,0,-16);
}
return $html; return $html;
} }
@ -269,7 +283,7 @@ class html
} }
if ($title) if ($title)
{ {
$options .= " $this->prefered_img_title=\"".htmlentities($title).'"'; $options .= " $this->prefered_img_title=\"".htmlspecialchars($title).'"';
} }
return "<IMG SRC=\"$path\" $options>"; return "<IMG SRC=\"$path\" $options>";
} }
@ -277,8 +291,9 @@ class html
function a_href( $content,$url,$vars='',$options='') function a_href( $content,$url,$vars='',$options='')
{ {
if (!strstr($url,'/') && count(explode('.',$url)) == 3) if (!strstr($url,'/') && count(explode('.',$url)) == 3)
{
$url = "/index.php?menuaction=$url"; $url = "/index.php?menuaction=$url";
}
if (is_array($url)) if (is_array($url))
{ {
$vars = $url; $vars = $url;