From 4084f0a33b80682b87697fa70709ae07cd27ab21 Mon Sep 17 00:00:00 2001 From: Tim van Dijen Date: Tue, 4 Oct 2016 22:45:41 +0200 Subject: [PATCH] Prevent
tag from being displayed literally --- www/editentity.php | 34 +++++++++++++++++----------------- 1 file changed, 17 insertions(+), 17 deletions(-) diff --git a/www/editentity.php b/www/editentity.php index 958d1888..7075cd21 100644 --- a/www/editentity.php +++ b/www/editentity.php @@ -163,7 +163,7 @@ function markForUpdate() } else { if ($entity->setEntityid($_POST['entityid'])) { markForUpdate(); - $note .= 'Changed entityID: ' . $_POST['entityid'] . '
'; + $note .= 'Changed entityID: ' . htmlspecialchars($_POST['entityid']) . '
'; $addresses[] = 'ENTITYUPDATE-' . $eid . '-CHANGEENTITYID'; } } @@ -176,7 +176,7 @@ function markForUpdate() if (isset($_POST['notes']) && $securityContext->isGranted('changeentityid', $entity)) { if ($entity->setNotes($_POST['notes'])) { markForUpdate(); - $note .= 'Changed notes: ' . $_POST['notes'] . '
'; + $note .= 'Changed notes: ' . htmlspecialchars($_POST['notes']) . '
'; $addresses[] = 'ENTITYUPDATE-' . $eid . '-CHANGENOTES'; } } @@ -194,7 +194,7 @@ function markForUpdate() } if ($entityController->addMetadata($k, $v)) { markForUpdate(); - $note .= 'Metadata added: ' . $k . ' => ' . $v . '
'; + $note .= 'Metadata added: ' . htmlspecialchars($k . ' => ' . $v) . '
'; } } } @@ -218,7 +218,7 @@ function markForUpdate() if ($entityController->updateMetadata($newkey, $value)) { markForUpdate(); - $note .= 'Metadata edited: ' . $newkey . ' => ' . $value . '
'; + $note .= 'Metadata edited: ' . htmlspecialchars($newkey . ' => ' . $value) . '
'; } } } @@ -230,7 +230,7 @@ function markForUpdate() foreach ($_POST['delete-metadata'] AS $data) { if ($entityController->removeMetadata($data)) { markForUpdate(); - $note .= 'Metadata deleted: ' . $data . '
'; + $note .= 'Metadata deleted: ' . htmlspecialchars($data) . '
'; } } } @@ -241,13 +241,13 @@ function markForUpdate() if (!empty($_POST['meta_url'])) { if ($entityController->setMetadataURL($_POST['meta_url'])) { markForUpdate(); - $note .= 'Metadata URL set: ' . $_POST['meta_url'] . '
'; + $note .= 'Metadata URL set: ' . htmlspecialchars($_POST['meta_url']) . '
'; } try { $res = @file_get_contents($_POST['meta_url']); if ($res) { $_POST['meta_xml'] = $res; - $note .= 'Import metadata from URL: ' . $_POST['meta_url'] . '
'; + $note .= 'Import metadata from URL: ' . htmlspecialchars($_POST['meta_url']) . '
'; } else { $msg = 'error_import_metadata_url'; } @@ -309,7 +309,7 @@ function convert_stdobject_to_array($object) if (isset($_POST['add-consent'])) { foreach ($_POST['add-consent'] AS $key) { if ($entityController->addDisableConsent($key)) { - $note .= 'Consent disabled for: ' . $key . '
'; + $note .= 'Consent disabled for: ' . htmlspecialchars($key) . '
'; } } } @@ -324,7 +324,7 @@ function convert_stdobject_to_array($object) foreach ($_POST['addBlocked'] AS $key) { if ($entityController->addBlockedEntity($key)) { markForUpdate(); - $note .= 'Remote entity added: ' . $key . '
'; + $note .= 'Remote entity added: ' . htmlspecialchars($key) . '
'; } } // Remove the ones that were, but are now no longer selected @@ -332,7 +332,7 @@ function convert_stdobject_to_array($object) if (!in_array($entityid, $_POST['addBlocked'])) { if ($entityController->removeBlockedEntity($entityid)) { markForUpdate(); - $note .= 'Existing entity removed: ' . $entityid . '
'; + $note .= 'Existing entity removed: ' . htmlspecialchars($entityid) . '
'; } } } @@ -354,7 +354,7 @@ function convert_stdobject_to_array($object) foreach ($_POST['addAllowed'] AS $key) { if ($entityController->addAllowedEntity($key)) { markForUpdate(); - $note .= 'Remote entity added: ' . $key . '
'; + $note .= 'Remote entity added: ' . htmlspecialchars($key) . '
'; } } // Remove the ones that were, but are now no longer selected @@ -362,7 +362,7 @@ function convert_stdobject_to_array($object) if (!in_array($entityid, $_POST['addAllowed'])) { if ($entityController->removeAllowedEntity($entityid)) { markForUpdate(); - $note .= 'Existing entity removed: ' . $entityid . '
'; + $note .= 'Existing entity removed: ' . htmlspecialchars($entityid) . '
'; } } } @@ -388,7 +388,7 @@ function convert_stdobject_to_array($object) if (isset($_POST['entity_workflow']) && $securityContext->isGranted('changeworkflow', $entity)) { if ($entity->setWorkflow($_POST['entity_workflow'])) { markForUpdate(); - $note .= 'Changed workflow: ' . $_POST['entity_workflow'] . '
'; + $note .= 'Changed workflow: ' . htmlspecialchars($_POST['entity_workflow']) . '
'; $addresses[] = 'ENTITYUPDATE-' . $eid . '-CHANGESTATE-' . $_POST['entity_workflow']; } } @@ -412,7 +412,7 @@ function convert_stdobject_to_array($object) if ($entity->setArpAttributes($arpAttributes)) { markForUpdate(); if (isset($originalPost['arp_attributes'])) { - $note .= 'Changed arpAttributes: ' . $originalPost['arp_attributes'] . '
'; + $note .= 'Changed arpAttributes: ' . htmlspecialchars($originalPost['arp_attributes']) . '
'; $addresses[] = 'ENTITYUPDATE-' . $eid . '-CHANGEARP-' . $originalPost['arp_attributes']; } } @@ -434,7 +434,7 @@ function convert_stdobject_to_array($object) if ((int)$returnCode === 0) { if ($entity->setManipulation($manipulationCode)) { markForUpdate(); - $note .= 'Changed manipulation: ' . $_POST['entity_manipulation'] . '
'; + $note .= 'Changed manipulation: ' . htmlspecialchars($_POST['entity_manipulation']) . '
'; $addresses[] = 'ENTITYUPDATE-' . $eid . '-CHANGEMANIPULATION-' . $_POST['entity_manipulation']; } } else { @@ -472,7 +472,7 @@ function convert_stdobject_to_array($object) } markForUpdate(); - $note .= 'Changed entity type: ' . $_POST['entity_type'] . '
'; + $note .= 'Changed entity type: ' . htmlspecialchars($_POST['entity_type']) . '
'; } // Set parent revision @@ -503,7 +503,7 @@ function convert_stdobject_to_array($object) 'Entity updated - ' . $entity->getEntityid(), 'Permalink: ' . htmlspecialchars($directlink) . '

' - . htmlspecialchars($entity->getRevisionnote()) . '

' . htmlspecialchars($note), + . htmlspecialchars($entity->getRevisionnote()) . '

' . $note, $addresses, $user->getUid() );
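Review bot: Dropping `htmlspecialchars($note)` at the send site makes output safety depend on every `$note .=` in the file having been converted in this commit; any append the commit did not touch between lines 163 and 480 (only part of that range is visible in these hunks) now reaches the mail body unescaped, and future appends must remember to escape. A single escape point is easier to audit: keep `$note` as plain text, append `"\n"` instead of the line-break tag at each site, and escape once here with `nl2br(htmlspecialchars($note, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'))`, which also treats `$note` the same way as `$entity->getRevisionnote()` on the line above. The argument list this hunk edits belongs to a call that starts before the hunk.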