Revision: 2705
https://sourceforge.net/p/mrbs/code/2705/
Author: tbleher
Date: 2013-02-20 06:30:57 +0000 (Wed, 20 Feb 2013)
Log Message:
-----------
Allow html entities in the names of entry types
Change as discussed on the following mailing list thread:
Double or missing htmlspecialchars()
Modified Paths:
--------------
mrbs/branches/linked_bookings/web/edit_entry.php
mrbs/branches/linked_bookings/web/functions.inc
mrbs/branches/linked_bookings/web/report.php
Modified: mrbs/branches/linked_bookings/web/edit_entry.php
===================================================================
--- mrbs/branches/linked_bookings/web/edit_entry.php 2013-02-16 12:22:18 UTC
(rev 2704)
+++ mrbs/branches/linked_bookings/web/edit_entry.php 2013-02-20 06:30:57 UTC
(rev 2705)
@@ -523,6 +523,7 @@
'disabled' => $disabled,
'options' => array(),
'force_assoc' => TRUE, // in case the type keys happen to
be digits
+ 'text_escaped' => TRUE, // text comes from get_type_vocab
and is trusted and pre-escaped
'value' => $type);
foreach ($booking_types as $key)
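Review bot: The new `'text_escaped' => TRUE` entry makes this select emit the option text raw, and the guarantee it rests on — that every string get_type_vocab() returns is already HTML-escaped — is stated only in this call-site comment, not where the text is produced; the same flag is added in the report.php hunk at line 85. If get_type_vocab() can ever fall back to a raw configured name or a raw database value (not visible in this diff), that value would reach the page unescaped through both selects. I would back the call-site comment with one on get_type_vocab() itself, along the lines of `// Returns an HTML-escaped string; callers that output it must not escape it again, and callers that pass it to generate_select()/generate_options() must set 'text_escaped' => TRUE`, and check its other callers for a remaining htmlspecialchars() that would now double-encode. The array literal this line belongs to starts before the hunk.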
Modified: mrbs/branches/linked_bookings/web/functions.inc
===================================================================
--- mrbs/branches/linked_bookings/web/functions.inc 2013-02-16 12:22:18 UTC
(rev 2704)
+++ mrbs/branches/linked_bookings/web/functions.inc 2013-02-20 06:30:57 UTC
(rev 2705)
@@ -1009,11 +1009,13 @@
// casts the keys to integers and the array becomes a
simple array)
// 'value' The value of the input. Default ''. Can be a
single value
// or an array of values.
+// 'text_escaped' Boolean. If TRUE, the text given is treated as
already escaped,
+// and not escaped again. Default is FALSE.
//
function generate_options($params)
{
// some sanity checking on params
- foreach (array('options', 'force_assoc', 'value') as $key)
+ foreach (array('options', 'force_assoc', 'value', 'text_escaped') as $key)
{
if (!isset($params[$key]))
{
@@ -1024,6 +1026,7 @@
$params[$key] = array();
break;
case 'force_assoc':
+ case 'text_escaped':
$params[$key] = FALSE;
break;
default:
@@ -1043,7 +1046,10 @@
}
$html .= "<option value=\"" . htmlspecialchars($value) . "\"";
$html .= (in_array($value, $params['value'])) ? " selected=\"selected\"" :
'';
- $html .= ">".htmlspecialchars($text)."</option>\n";
+ if ($params['text_escaped'])
+ $html .= ">".$text."</option>\n";
+ else
+ $html .= ">".htmlspecialchars($text)."</option>\n";
}
return $html;
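Review bot: With `text_escaped` set, `$text` is written into the `<option>` body verbatim, so generate_options() now has an unescaped output path whose safety depends entirely on the caller, and the new branch carries no comment saying so. I would add `// text_escaped: the caller asserts $text is already HTML-escaped, so it is emitted as-is` above the `if`, and brace both branches to match the surrounding style (the `if (!isset($params[$key]))` block in the earlier hunk uses braces): `if ($params['text_escaped']) { $html .= ">" . $text . "</option>\n"; }` / `else { $html .= ">" . htmlspecialchars($text) . "</option>\n"; }`. The value attribute on the preceding line is still escaped unconditionally, which is correct since only the display text is pre-escaped. The enclosing foreach starts before this hunk.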
@@ -1079,11 +1085,14 @@
// 'multiple' Whether multiple selections are allowed. Default
FALSE
// 'attributes' Additional attributes not covered explicitly above.
Default NULL.
// Can be either a simple string or an array of
attributes.
+// 'text_escaped' Boolean. If TRUE, the text given for inside the
select
+// is treated as already escaped, and not escaped
again. Default is
+// FALSE.
//
function generate_select($params)
{
// some sanity checking on params
- foreach (array('label', 'label_title', 'name', 'id', 'options',
'force_assoc',
+ foreach (array('label', 'label_title', 'name', 'id', 'options',
'force_assoc', 'text_escaped',
'value', 'size', 'disabled', 'create_hidden', 'mandatory',
'multiple', 'attributes') as $key)
{
@@ -1110,6 +1119,7 @@
case 'disabled':
case 'mandatory':
case 'multiple':
+ case 'text_escaped':
$params[$key] = FALSE;
break;
case 'create_hidden':
@@ -1179,6 +1189,7 @@
if (count($params['options']) > 0)
{
$options_params = array('force_assoc' => $params['force_assoc'],
+ 'text_escaped' => $params['text_escaped'],
'value' => $params['value']);
// If it's a two dimensional array then we've got option groups,
// but don't bother displaying the option group if there's only
Modified: mrbs/branches/linked_bookings/web/report.php
===================================================================
--- mrbs/branches/linked_bookings/web/report.php 2013-02-16 12:22:18 UTC
(rev 2704)
+++ mrbs/branches/linked_bookings/web/report.php 2013-02-20 06:30:57 UTC
(rev 2705)
@@ -85,6 +85,7 @@
'id' => 'typematch',
'options' => $options,
'force_assoc' => TRUE, // in case the type keys
happen to be digits
+ 'text_escaped' => TRUE, // text comes from
get_type_vocab and is trusted and pre-escaped
'value' => $vars['typematch'],
'multiple' => TRUE,
'attributes' => 'size="5"');
@@ -348,16 +349,20 @@
// Escape a string for output
-function escape($string)
+function escape($string, $already_html_encoded = FALSE)
{
global $output_format;
switch ($output_format)
{
case OUTPUT_HTML:
- $string = mrbs_nl2br(htmlspecialchars($string));
+ if (!$already_html_encoded)
+ $string = htmlspecialchars($string);
+ $string = mrbs_nl2br($string);
break;
case OUTPUT_CSV:
+ if ($already_html_encoded)
+ $string = html_entity_decode($string, ENT_QUOTES|ENT_HTML5, 'UTF-8');
$string = str_replace('"', '""', $string);
break;
default: // do nothing
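Review bot: The new `$already_html_encoded` parameter is not described in the function's header comment, which still reads only `// Escape a string for output`, and the CSV branch now relies on `ENT_HTML5`, a constant that exists only from PHP 5.4 onwards — on an older interpreter it would be an undefined constant, so it is worth checking against the project's minimum supported PHP version (not visible here). I would extend the comment to `// Escape a string for output. If $already_html_encoded is TRUE, $string is taken as already HTML-escaped: it is not escaped again for HTML output, and its entities are decoded before CSV quoting so the CSV file gets plain text.` The decode also hard-codes 'UTF-8'; if MRBS can be configured for another charset, the escaped type names would be decoded under the wrong encoding, so that assumption should be stated or the configured charset passed in. Passing `ENT_QUOTES` on the decode side is the right choice, since a type name containing `&#039;` would otherwise survive into the CSV as an entity.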
@@ -659,6 +664,7 @@
foreach ($field_order_list as $field)
{
$value = $data[$field];
+ $html_encoded = FALSE;
// Some fields need some special processing to turn the raw value into
something
// more meaningful
@@ -687,6 +693,7 @@
break;
case 'type':
$value = get_type_vocab($value);
+ $html_encoded = TRUE;
break;
case 'confirmation_enabled':
// Translate the status field bit into meaningful text
@@ -745,7 +752,7 @@
}
break;
}
- $value = escape($value);
+ $value = escape($value, $html_encoded);
// For HTML output we take special action for some fields
if ($output_format == OUTPUT_HTML)
@@ -796,6 +803,7 @@
function get_sumby_name_from_row(&$row)
{
global $sumby;
+ $html_encoded = FALSE;
// Use brief description, created by or type as the name:
switch( $sumby )
@@ -805,13 +813,14 @@
break;
case 't':
$name = get_type_vocab($row['type']);
+ $html_encoded = TRUE;
break;
case 'c':
default:
$name = $row['create_by'];
break;
}
- return escape($name);
+ return escape($name, $html_encoded);
}