fixed handling of links with params containing '&', replaced htmlentities with htmlspecialchars
This commit is contained in:
parent
a349603673
commit
1589da187d
@ -47,9 +47,9 @@ class html
|
|||||||
{
|
{
|
||||||
$arr = array('no','yes');
|
$arr = array('no','yes');
|
||||||
}
|
}
|
||||||
if (0+$multiple > 0)
|
if (intval($multiple) > 0)
|
||||||
{
|
{
|
||||||
$options .= ' MULTIPLE SIZE="'.(0+$multiple).'"';
|
$options .= ' MULTIPLE SIZE="'.intval($multiple).'"';
|
||||||
if (substr($name,-2) != '[]')
|
if (substr($name,-2) != '[]')
|
||||||
{
|
{
|
||||||
$name .= '[]';
|
$name .= '[]';
|
||||||
@ -61,9 +61,10 @@ class html
|
|||||||
{
|
{
|
||||||
$key = implode(',',$key);
|
$key = implode(',',$key);
|
||||||
}
|
}
|
||||||
while (list($k,$text) = each($arr))
|
foreach($arr as $k => $text)
|
||||||
{
|
{
|
||||||
$out .= '<option value="'.htmlspecialchars($k).'"';
|
$out .= '<option value="'.htmlspecialchars($k).'"';
|
||||||
|
|
||||||
if("$k" == "$key" || strstr(",$key,",",$k,"))
|
if("$k" == "$key" || strstr(",$key,",",$k,"))
|
||||||
{
|
{
|
||||||
$out .= " SELECTED";
|
$out .= " SELECTED";
|
||||||
@ -86,9 +87,12 @@ class html
|
|||||||
{
|
{
|
||||||
$vars = array( $vars => $value );
|
$vars = array( $vars => $value );
|
||||||
}
|
}
|
||||||
while (list($name,$value) = each($vars))
|
foreach($vars as $name => $value)
|
||||||
{
|
{
|
||||||
if (is_array($value)) $value = serialize($value);
|
if (is_array($value))
|
||||||
|
{
|
||||||
|
$value = serialize($value);
|
||||||
|
}
|
||||||
if (!$ignore_empty || $value && !($name == 'filter' && $value == 'none')) // dont need to send all the empty vars
|
if (!$ignore_empty || $value && !($name == 'filter' && $value == 'none')) // dont need to send all the empty vars
|
||||||
{
|
{
|
||||||
$html .= "<INPUT TYPE=\"HIDDEN\" NAME=\"$name\" VALUE=\"".htmlspecialchars($value)."\">\n";
|
$html .= "<INPUT TYPE=\"HIDDEN\" NAME=\"$name\" VALUE=\"".htmlspecialchars($value)."\">\n";
|
||||||
@ -104,8 +108,10 @@ class html
|
|||||||
|
|
||||||
function input($name,$value='',$type='',$options='' )
|
function input($name,$value='',$type='',$options='' )
|
||||||
{
|
{
|
||||||
if ($type) $type = 'TYPE="'.$type.'"';
|
if ($type)
|
||||||
|
{
|
||||||
|
$type = 'TYPE="'.$type.'"';
|
||||||
|
}
|
||||||
return "<INPUT $type NAME=\"$name\" VALUE=\"".htmlspecialchars($value)."\" $options>\n";
|
return "<INPUT $type NAME=\"$name\" VALUE=\"".htmlspecialchars($value)."\" $options>\n";
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -113,7 +119,10 @@ class html
|
|||||||
{
|
{
|
||||||
if ($image != '')
|
if ($image != '')
|
||||||
{
|
{
|
||||||
if (strpos($image,'.')) $image = substr($image,0,strpos($image,'.'));
|
if (strpos($image,'.'))
|
||||||
|
{
|
||||||
|
$image = substr($image,0,strpos($image,'.'));
|
||||||
|
}
|
||||||
if (!($path = $GLOBALS['phpgw']->common->image($app,$image)) &&
|
if (!($path = $GLOBALS['phpgw']->common->image($app,$image)) &&
|
||||||
!($path = $GLOBALS['phpgw']->common->image('phpgwapi',$image)))
|
!($path = $GLOBALS['phpgw']->common->image('phpgwapi',$image)))
|
||||||
{
|
{
|
||||||
@ -159,23 +168,15 @@ class html
|
|||||||
*/
|
*/
|
||||||
function link($url,$vars='')
|
function link($url,$vars='')
|
||||||
{
|
{
|
||||||
if (is_array( $vars ))
|
if (!is_array($vars))
|
||||||
{
|
{
|
||||||
$v = array( );
|
$vars = explode('&',$vars);
|
||||||
while(list($name,$value) = each($vars))
|
|
||||||
{
|
|
||||||
if ($value && !($name == 'filter' && $value == 'none')) // dont need to send all the empty vars
|
|
||||||
{
|
|
||||||
$v[] = "$name=$value";
|
|
||||||
}
|
|
||||||
}
|
|
||||||
$vars = implode('&',$v);
|
|
||||||
}
|
}
|
||||||
list($url,$v) = explode('?',$url); // url may contain additional vars
|
list($url,$v) = explode('?',$url); // url may contain additional vars
|
||||||
if ($url == '') $url = '/index.php';
|
|
||||||
if ($v)
|
if ($v)
|
||||||
$vars .= ($vars ? '&' : '') . $v;
|
{
|
||||||
|
$vars += explode('&',$v);
|
||||||
|
}
|
||||||
return $GLOBALS['phpgw']->link($url,$vars);
|
return $GLOBALS['phpgw']->link($url,$vars);
|
||||||
}
|
}
|
||||||
|
|
||||||
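Review bot: In link(), the new line `$vars += explode('&',$v);` silently drops URL parameters, because both operands are 0-indexed lists produced by explode() and array union keeps the left-hand entry at every colliding index — with `$vars = 'a=1'` and `$url = '/index.php?b=2'` the result is `array('a=1')` and `b=2` is lost. The default `$vars=''` makes this worse, since `explode('&','')` yields `array('')`, an empty entry at index 0 that shadows the first query parameter of every URL passed without explicit vars. I would write `$vars = $vars === '' ? array() : explode('&',$vars);` in the `!is_array` branch and `$vars = array_merge($vars, explode('&',$v));` in the `if ($v)` branch, so URL parameters are appended rather than unioned. If callers still pass `$vars` as a name=>value map (the removed code built `"$name=$value"` pairs from exactly that shape), merging it with a list of `name=value` strings hands `$GLOBALS['phpgw']->link()` a mixed array, and that method's implementation is not in this diff, so I cannot tell whether it accepts both shapes. The whole body of link() is within the hunk.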
@ -189,18 +190,18 @@ class html
|
|||||||
$html = "<form method=\"$method\" ".($name != '' ? "name=\"$name\" " : '')."action=\"".$this->link($url,$url_vars)."\" $options>\n";
|
$html = "<form method=\"$method\" ".($name != '' ? "name=\"$name\" " : '')."action=\"".$this->link($url,$url_vars)."\" $options>\n";
|
||||||
$html .= $this->input_hidden($hidden_vars);
|
$html .= $this->input_hidden($hidden_vars);
|
||||||
|
|
||||||
if ($content) {
|
if ($content)
|
||||||
|
{
|
||||||
$html .= $content;
|
$html .= $content;
|
||||||
$html .= "</form>\n";
|
$html .= "</form>\n";
|
||||||
}
|
}
|
||||||
return $html;
|
return $html;
|
||||||
}
|
}
|
||||||
|
|
||||||
function form_1button($name,$lang,$hidden_vars,$url,$url_vars='',
|
function form_1button($name,$lang,$hidden_vars,$url,$url_vars='',$form_name='',$method='POST')
|
||||||
$form_name='',$method='POST')
|
|
||||||
{
|
{
|
||||||
return $this->form($this->submit_button($name,$lang),
|
return $this->form($this->submit_button($name,$lang),
|
||||||
$hidden_vars,$url,$url_vars,$form_name,'',$method);
|
$hidden_vars,$url,$url_vars,$form_name,'',$method);
|
||||||
}
|
}
|
||||||
|
|
||||||
/*!
|
/*!
|
||||||
@ -219,26 +220,39 @@ class html
|
|||||||
{
|
{
|
||||||
$html = $no_table_tr ? '' : "<TABLE $options>\n";
|
$html = $no_table_tr ? '' : "<TABLE $options>\n";
|
||||||
|
|
||||||
while (list($key,$row) = each($rows)) {
|
foreach($rows as $key => $row)
|
||||||
|
{
|
||||||
if (!is_array($row))
|
if (!is_array($row))
|
||||||
|
{
|
||||||
continue; // parameter
|
continue; // parameter
|
||||||
|
}
|
||||||
$html .= $no_table_tr && $key == 1 ? '' : "\t<TR ".$rows['.'.$key].">\n";
|
$html .= $no_table_tr && $key == 1 ? '' : "\t<TR ".$rows['.'.$key].">\n";
|
||||||
while (list($key,$cell) = each($row)) {
|
|
||||||
|
foreach($row as $key => $cell)
|
||||||
|
{
|
||||||
if ($key[0] == '.')
|
if ($key[0] == '.')
|
||||||
|
{
|
||||||
continue; // parameter
|
continue; // parameter
|
||||||
|
}
|
||||||
$table_pos = strpos($cell,'<TABLE');
|
$table_pos = strpos($cell,'<TABLE');
|
||||||
$td_pos = strpos($cell,'<TD');
|
$td_pos = strpos($cell,'<TD');
|
||||||
if ($td_pos !== False && ($table_pos === False || $td_pos < $table_pos))
|
if ($td_pos !== False && ($table_pos === False || $td_pos < $table_pos))
|
||||||
|
{
|
||||||
$html .= $cell;
|
$html .= $cell;
|
||||||
|
}
|
||||||
else
|
else
|
||||||
|
{
|
||||||
$html .= "\t\t<TD ".$row['.'.$key].">$cell</TD>\n";
|
$html .= "\t\t<TD ".$row['.'.$key].">$cell</TD>\n";
|
||||||
|
}
|
||||||
}
|
}
|
||||||
$html .= "\t</TR>\n";
|
$html .= "\t</TR>\n";
|
||||||
}
|
}
|
||||||
$html .= "</TABLE>\n";
|
$html .= "</TABLE>\n";
|
||||||
if ($no_table_tr)
|
|
||||||
$html = substr($html,0,-16);
|
|
||||||
|
|
||||||
|
if ($no_table_tr)
|
||||||
|
{
|
||||||
|
$html = substr($html,0,-16);
|
||||||
|
}
|
||||||
return $html;
|
return $html;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -269,7 +283,7 @@ class html
|
|||||||
}
|
}
|
||||||
if ($title)
|
if ($title)
|
||||||
{
|
{
|
||||||
$options .= " $this->prefered_img_title=\"".htmlentities($title).'"';
|
$options .= " $this->prefered_img_title=\"".htmlspecialchars($title).'"';
|
||||||
}
|
}
|
||||||
return "<IMG SRC=\"$path\" $options>";
|
return "<IMG SRC=\"$path\" $options>";
|
||||||
}
|
}
|
||||||
@ -277,8 +291,9 @@ class html
|
|||||||
function a_href( $content,$url,$vars='',$options='')
|
function a_href( $content,$url,$vars='',$options='')
|
||||||
{
|
{
|
||||||
if (!strstr($url,'/') && count(explode('.',$url)) == 3)
|
if (!strstr($url,'/') && count(explode('.',$url)) == 3)
|
||||||
|
{
|
||||||
$url = "/index.php?menuaction=$url";
|
$url = "/index.php?menuaction=$url";
|
||||||
|
}
|
||||||
if (is_array($url))
|
if (is_array($url))
|
||||||
{
|
{
|
||||||
$vars = $url;
|
$vars = $url;
|
||||||
|