Changeset:
fef4827b4456
https://sourceforge.net/p/mrbs/hg-code/ci/fef4827b44566bff9778c66b9566ae2008035dcf
Author:
Campbell Morrison <[email protected]>
Date:
Sat Mar 11 11:40:09 2017 +0000
Log message:
Changed the way that period names are defined so that they can now contain
special chars and are put through htmlspecialchars() before being output to
the browser. (Previously the site administrator had to encode special chars).
diffstat:
web/edit_entry.php | 2 +-
web/functions_mail.inc | 7 ++-----
web/functions_table.inc | 6 +++---
web/js/functions.js.php | 16 ++++++++++++----
web/month.php | 4 ++--
web/mrbs_sql.inc | 2 +-
web/pending.php | 2 +-
web/search.php | 2 +-
web/systemdefaults.inc.php | 10 ++++------
9 files changed, 27 insertions(+), 24 deletions(-)
diffs (178 lines):
diff -r 4667e94f6722 -r fef4827b4456 web/edit_entry.php
--- a/web/edit_entry.php Sat Mar 11 11:00:30 2017 +0000
+++ b/web/edit_entry.php Sat Mar 11 11:40:09 2017 +0000
@@ -177,7 +177,7 @@
{
if ($area['enable_periods'])
{
- $options[$s] = mrbs_entity_decode($periods[intval(($s-$base)/60)]);
+ $options[$s] = $periods[intval(($s-$base)/60)];
}
else
{
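Review bot: The option label on the added line is now the raw configured period name rather than pre-decoded HTML, so whatever renders `$options` into the select element must apply htmlspecialchars() itself; that emitter is outside this hunk and I cannot confirm it does. If it does not, a name such as `A&B` would be emitted as an unescaped entity fragment. The enclosing block starts and ends outside the hunk.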
diff -r 4667e94f6722 -r fef4827b4456 web/functions_mail.inc
--- a/web/functions_mail.inc Sat Mar 11 11:00:30 2017 +0000
+++ b/web/functions_mail.inc Sat Mar 11 11:40:09 2017 +0000
@@ -78,11 +78,7 @@
// I have made the separator a ',' as a '-' leads to an ambiguous
// display in report.php when showing end times.
- // As HTML entities and tags are allowed in period names, we need to
replace/strip
- // them out before putting them in emails, which are sent as plain text
$mailperiod = $periods[$p_num];
- $mailperiod = mrbs_entity_decode($mailperiod, ENT_COMPAT,
get_mail_charset());
- $mailperiod = strip_tags($mailperiod);
return array($p_num, $mailperiod . utf8_strftime(", " .
$strftime_format['date'], $t, get_mail_locale()));
}
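Review bot: With `mrbs_entity_decode($mailperiod, ENT_COMPAT, get_mail_charset())` removed, the period name goes into the plain-text mail as the UTF-8 string from the config file, whereas the decoded text was previously produced in the mail charset; if `get_mail_charset()` can be something other than UTF-8, a conversion step is still needed before the name is concatenated with the `utf8_strftime(...)` date part. The dropped `strip_tags()` also means a period name that contains `<` or `>` now appears verbatim in mail, which matches the new contract but is worth stating in the surviving comment, e.g. `// Period names are plain text now, so they are used as-is in mail`. The function begins outside the hunk.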
@@ -316,7 +312,8 @@
foreach ($dates as $date)
{
$result .= ($as_html) ? "<li>" : "";
- $result .= getMailDateString($date);
+ $date_string = getMailDateString($date);
+ $result .= ($as_html) ? htmlspecialchars($date_string) : $date_string;
$result .= ($as_html) ? "</li>" : "\n";
}
$result .= ($as_html) ? "</ul>\n" : "";
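Review bot: `htmlspecialchars($date_string)` on the added line relies on the default flags and charset; if the project still runs on PHP before 5.4 the default charset is ISO-8859-1, so the UTF-8 period names the config now prescribes can be mangled or, on invalid sequences, replaced by an empty string, and single quotes are left unescaped. Pass both explicitly: `$result .= ($as_html) ? htmlspecialchars($date_string, ENT_QUOTES, 'UTF-8') : $date_string;`. The same applies to the new htmlspecialchars() calls in functions_table.inc, month.php, mrbs_sql.inc, pending.php and search.php. The enclosing function starts and ends outside the hunk.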
diff -r 4667e94f6722 -r fef4827b4456 web/functions_table.inc
--- a/web/functions_table.inc Sat Mar 11 11:00:30 2017 +0000
+++ b/web/functions_table.inc Sat Mar 11 11:40:09 2017 +0000
@@ -567,7 +567,7 @@
$html .= "<a href=\"$url\" title=\""
. get_vocab("highlight_line") . "\">"
- . period_name($s) . "</a>\n";
+ . htmlspecialchars(period_name($s)) . "</a>\n";
}
else
{
@@ -800,7 +800,7 @@
$header_inner .= "<span>";
if ( $enable_periods )
{
- $header_inner .= period_name($s);
+ $header_inner .= htmlspecialchars(period_name($s));
}
else
{
@@ -1070,7 +1070,7 @@
$header_inner .= "<span>";
if ( $enable_periods )
{
- $header_inner .= period_name($s);
+ $header_inner .= htmlspecialchars(period_name($s));
}
else
{
diff -r 4667e94f6722 -r fef4827b4456 web/js/functions.js.php
--- a/web/js/functions.js.php Sat Mar 11 11:00:30 2017 +0000
+++ b/web/js/functions.js.php Sat Mar 11 11:40:09 2017 +0000
@@ -17,18 +17,26 @@
function getErrorList(errors)
{
- var result = {html: '', text: ''};
- var patternSpan = /<span[\s\S]*span>/gi;
- var patternTags = /<\S[^><]*>/g;
+ var result = {html: '', text: ''},
+ patternSpan = /<span[\s\S]*span>/gi,
+ patternTags = /<\S[^><]*>/g,
+ str;
+
result.html += "<ul>";
+
for (var i=0; i<errors.length; i++)
{
result.html += "<li>" + errors[i] + "<\/li>";
result.text += '(' + (i+1).toString() + ') ';
<?php // strip out the <span> and its contents and then all other tags ?>
- result.text += errors[i].replace(patternSpan, '').replace(patternTags, '')
+ " \n";
+ str = errors[i].replace(patternSpan, '').replace(patternTags, '');
+ <?php // undo the htmlspecialchars() ?>
+ result.text += $('<div>').html(str).text();
+ result.text += " \n";
}
+
result.html += "<\/ul>";
+
return result;
}
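Review bot: `$('<div>').html(str).text()` on the added line decodes entities by parsing `str` as HTML, so any text that was escaped server-side and survives the two tag-stripping regexes (which only match literal `<...>`) becomes live markup inside the temporary element, and browsers evaluate event-handler attributes on elements created that way even when the element is never attached. Decoding through a textarea avoids the parse because its content is not interpreted as tags: `result.text += $('<textarea>').html(str).text();`. The PHP-emitted comment `undo the htmlspecialchars()` should then also mention that this path must never interpret the message as markup.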
diff -r 4667e94f6722 -r fef4827b4456 web/month.php
--- a/web/month.php Sat Mar 11 11:00:30 2017 +0000
+++ b/web/month.php Sat Mar 11 11:40:09 2017 +0000
@@ -42,8 +42,8 @@
if ($enable_periods)
{
- $start_str = period_time_string($start);
- $end_str = period_time_string($end, -1);
+ $start_str = htmlspecialchars(period_time_string($start));
+ $end_str = htmlspecialchars(period_time_string($end, -1));
}
else
{
diff -r 4667e94f6722 -r fef4827b4456 web/mrbs_sql.inc
--- a/web/mrbs_sql.inc Sat Mar 11 11:00:30 2017 +0000
+++ b/web/mrbs_sql.inc Sat Mar 11 11:40:09 2017 +0000
@@ -71,7 +71,7 @@
{
$p_num =$starts['minutes'];
$startstr = utf8_strftime($strftime_format['date'] . ", ",
- $row['start_time']) . $periods[$p_num];
+ $row['start_time']) .
htmlspecialchars($periods[$p_num]);
}
else
{
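Review bot: The added line HTML-escapes the period name while `$startstr` is assembled rather than where it is output, so in the periods branch this function yields HTML whereas the else branch below presumably yields plain text; a caller that uses the value outside an HTML context, such as mail text, will see literal entities. If every caller is HTML output, make that visible with a comment on the assignment, `// $startstr is already HTML-escaped; emit without further encoding`; otherwise return the raw name and escape at the output site as the other hunks in this commit do. The enclosing function and the else branch are outside the hunk.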
diff -r 4667e94f6722 -r fef4827b4456 web/pending.php
--- a/web/pending.php Sat Mar 11 11:00:30 2017 +0000
+++ b/web/pending.php Sat Mar 11 11:40:09 2017 +0000
@@ -181,7 +181,7 @@
{
list(,$link_str) = period_date_string($row['start_time']);
}
- echo "$link_str</a></td>";
+ echo htmlspecialchars($link_str) . "</a></td>";
// action buttons
echo "<td>\n";
diff -r 4667e94f6722 -r fef4827b4456 web/search.php
--- a/web/search.php Sat Mar 11 11:00:30 2017 +0000
+++ b/web/search.php Sat Mar 11 11:40:09 2017 +0000
@@ -84,7 +84,7 @@
{
list(,$link_str) = period_date_string($row['start_time']);
}
- $link .= "$link_str</a>";
+ $link .= htmlspecialchars($link_str) ."</a>";
// add a span with the numeric start time in the title for sorting
$values[] = "<span title=\"" . $row['start_time'] . "\"></span>" . $link;
// description
diff -r 4667e94f6722 -r fef4827b4456 web/systemdefaults.inc.php
--- a/web/systemdefaults.inc.php Sat Mar 11 11:00:30 2017 +0000
+++ b/web/systemdefaults.inc.php Sat Mar 11 11:40:09 2017 +0000
@@ -201,7 +201,8 @@
// PERIODS SETTINGS
// ----------------
-// The "Periods" settings are ignored if $enable_periods is false.
+// The "Periods" settings are used only in areas where the mode has
+// been set to "Periods".
// Define the name or description for your periods in chronological order
// For example:
@@ -212,11 +213,8 @@
// $periods[] = "09:15 - 09:50"
// $periods[] = "09:55 - 10:35"
// ...
-//
-// NOTE: MRBS assumes that the descriptions are valid HTML and can be output
-// directly without any encoding. Please ensure that any special characters
-// are encoded, eg '&' to '&', '>' to '>', lower case e acute to
-// 'é' or 'é', etc.
+
+// Period names are encoded in UTF-8
// NOTE: The maximum number of periods is 60. Do not define more than this.
unset($periods); // Include this line when copying to config.inc.php
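Review bot: The replacement comment says only that period names are UTF-8; the removed NOTE was the one place that told administrators how special characters are handled, so the new text should state the new rule as well, e.g. `// Period names are plain UTF-8 text: do not HTML-encode characters such as '&' or '<',` followed by `// because MRBS escapes them itself when they are output.` Without this, an administrator upgrading from an older config will keep entity-encoded names and see them double-encoded.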