Revision: 1109
          http://mrbs.svn.sourceforge.net/mrbs/?rev=1109&view=rev
Author:   cimorrison
Date:     2009-05-13 21:45:04 +0000 (Wed, 13 May 2009)

Log Message:
-----------
Added escaping (HTML and JavaScript) to prevent errors when room names contain 
characters that look like HTML (eg '<i>Large</i> Room')

Modified Paths:
--------------
    mrbs/trunk/web/edit_entry.php

Modified: mrbs/trunk/web/edit_entry.php
===================================================================
--- mrbs/trunk/web/edit_entry.php       2009-05-13 15:55:16 UTC (rev 1108)
+++ mrbs/trunk/web/edit_entry.php       2009-05-13 21:45:04 UTC (rev 1109)
@@ -609,8 +609,9 @@
               {
                 for ($j = 0; ($row2 = sql_row_keyed($res2, $j)); $j++)
                 {
-                  $clean_room_name = str_replace('\\', '\\\\', 
$row2['room_name']);
-                  $clean_room_name = str_replace('"', '\\"', $clean_room_name);
+                  $clean_room_name = str_replace('\\', '\\\\', 
$row2['room_name']);  // escape backslash
+                  $clean_room_name = str_replace('"', '\\"', 
$clean_room_name);      // escape double quotes
+                  $clean_room_name = str_replace('/', '\\/', 
$clean_room_name);      // prevent '/' being parsed as markup (eg </p>)
                   print "        roomsObj.options[$j] = new 
Option(\"".$clean_room_name."\",".$row2['id'] .");\n";
                 }
                 // select the first entry by default to ensure
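Review bot: the hand-written str_replace chain still leaves the generated JavaScript string literal breakable by characters this hunk does not cover: a carriage return or newline inside room_name ends the double-quoted literal on the `roomsObj.options[$j] = new Option("...` line, and the list of escapes is easy to get out of step (the comment on the new '/' line cites `</p>`, but the sequence that actually matters inside an inline script block is `</script>`, which the slash escape does cover). Suggest replacing the three calls with `json_encode($row2['room_name'])`, which escapes backslash, double quote, control characters and, by default, '/' as `\/` (it expects UTF-8 input), so the print becomes `print "        roomsObj.options[$j] = new Option(" . json_encode($row2['room_name']) . "," . (int)$row2['id'] . ");\n";`. The `(int)` cast is worth adding in any case, since `$row2['id']` is interpolated unquoted into the script.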
@@ -676,7 +677,7 @@
             {
               $selected = "selected=\"selected\"";
             }
-            echo "              <option $selected 
value=\"".$row['id']."\">".$row['room_name']."</option>\n";
+            echo "              <option $selected value=\"" . $row['id'] . 
"\">" . htmlspecialchars($row['room_name']) . "</option>\n";
             // store room names for emails
             $room_names[$i] = $row['room_name'];
           }
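Review bot: `htmlspecialchars($row['room_name'])` is called with no flags or charset on the new `<option>` line. For element text that is sufficient (the default ENT_COMPAT escapes `&`, `<`, `>` and `"`), but PHP releases before 5.4 default the charset to ISO-8859-1, so if room names are stored as UTF-8 pass it explicitly: `htmlspecialchars($row['room_name'], ENT_QUOTES, 'UTF-8')`. Also note that `$room_names[$i] = $row['room_name']` keeps the raw name "for emails"; that is correct for plain-text mail, but if the notification mail is sent as HTML the same escaping has to be applied where that array is consumed, since this hunk only protects the form.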


_______________________________________________
Mrbs-commits mailing list
https://lists.sourceforge.net/lists/listinfo/mrbs-commits