AIRAVATA-1902 Escaping project id, name, etc.
Project: http://git-wip-us.apache.org/repos/asf/airavata-php-gateway/repo
Commit: http://git-wip-us.apache.org/repos/asf/airavata-php-gateway/commit/ebaad45b
Tree: http://git-wip-us.apache.org/repos/asf/airavata-php-gateway/tree/ebaad45b
Diff: http://git-wip-us.apache.org/repos/asf/airavata-php-gateway/diff/ebaad45b
Branch: refs/heads/dreg-gateway
Commit: ebaad45b4f6f04944db115ecc5cf3450a9120490
Parents: 3ae5f31
Author: Marcus Christie <machr...@iu.edu>
Authored: Tue Aug 1 11:26:49 2017 -0400
Committer: Marcus Christie <machr...@iu.edu>
Committed: Tue Aug 1 11:27:10 2017 -0400
----------------------------------------------------------------------
 app/controllers/ProjectController.php | 6 +++---
 app/libraries/ProjectUtilities.php | 8 +++----
 app/views/experiment/create-complete.blade.php | 2 +-
 app/views/project/browse.blade.php | 4 ++--
 app/views/project/edit.blade.php | 10 ++++-----
 app/views/project/no-sharing-edit.blade.php | 6 +++---
 app/views/project/no-sharing-summary.blade.php | 24 ++++++++++-----------
 app/views/project/summary.blade.php | 22 +++++++++----------
 8 files changed, 41 insertions(+), 41 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/airavata-php-gateway/blob/ebaad45b/app/controllers/ProjectController.php
----------------------------------------------------------------------
diff --git a/app/controllers/ProjectController.php b/app/controllers/ProjectController.php
index ea6efd3..f89f6eb 100755
--- a/app/controllers/ProjectController.php
+++ b/app/controllers/ProjectController.php
@@ -37,7 +37,7 @@ class ProjectController extends BaseController
 {
 if (isset($_POST['save'])) {
 $projectId = ProjectUtilities::create_project();
- return Redirect::to('project/summary?projId=' . $projectId);
+ return Redirect::to('project/summary?projId=' . urlencode($projectId));
 } else {
 return Redirect::to('project/create');
 }
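Review bot: The redirect on the `+` line is taken whether or not create_project() actually produced an id, so a failed create would send the user to `project/summary?projId=` with an empty value; the ProjectUtilities hunk further down branches on `if ($projectId)` and prints an error in the else case, which suggests an empty id is a reachable outcome (what create_project() returns in that case is not visible here). A guard such as `if (!$projectId) { return Redirect::to('project/create'); }` before the redirect would keep a failed create on the create page. urlencode() is the right primitive for the query value; the enclosing method starts outside the hunk.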
@@ -125,7 +125,7 @@ class ProjectController extends BaseController
 return $this->createEditView(Input::get("projectId"), $projectDetails, null)->with("errorMessage", "Failed to update project: " . $ex->getMessage());
 }
 }
- return Redirect::to("project/summary?projId=" . Input::get("projectId"))->with("project_edited", true);
+ return Redirect::to("project/summary?projId=" . urlencode(Input::get("projectId")))->with("project_edited", true);
 }
 /**
@@ -164,7 +164,7 @@ class ProjectController extends BaseController
 "canEditSharing" => $canEditSharing
 ));
 }else {
- return Redirect::to('project/summary?projId=' . $projectId)->with("error", "You do not have permission to edit this project.");
+ return Redirect::to('project/summary?projId=' . urlencode($projectId))->with("error", "You do not have permission to edit this project.");
 }
 } else {
 return View::make("project/no-sharing-edit",
http://git-wip-us.apache.org/repos/asf/airavata-php-gateway/blob/ebaad45b/app/libraries/ProjectUtilities.php
----------------------------------------------------------------------
diff --git a/app/libraries/ProjectUtilities.php b/app/libraries/ProjectUtilities.php
index 3367d16..b80d24d 100755
--- a/app/libraries/ProjectUtilities.php
+++ b/app/libraries/ProjectUtilities.php
@@ -122,7 +122,7 @@ class ProjectUtilities
 $selected = '';
 }
- echo '<option value="' . $project->projectID . '" ' . $selected . '>' . $project->optionLabel . '</option>';
+ echo '<option value="' . htmlspecialchars($project->projectID) . '" ' . $selected . '>' . htmlspecialchars($project->optionLabel) . '</option>';
 }
 }
 echo '</select>';
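Review bot: The `+` line now encodes `Input::get("projectId")` for the query string, but the context line above still passes `"Failed to update project: " . $ex->getMessage()` into the view as `errorMessage`; whether that view prints it with escaped `{{{ }}}` or raw `{{ }}` is not visible here, and backend exception text may embed request-supplied values such as the project name this commit is otherwise escaping. Worth confirming the rendering side, or escaping at the source with `"Failed to update project: " . htmlspecialchars($ex->getMessage(), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')`. The enclosing method starts outside the hunk.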
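Review bot: Both `htmlspecialchars()` calls on the `+` line of the @@ -122 hunk rely on default flags; before PHP 8.1 that is ENT_COMPAT without ENT_SUBSTITUTE, so single quotes pass through and a value containing an invalid UTF-8 sequence makes the call return an empty string, silently dropping that project from the `<select>`. The attribute is double-quoted, so ENT_COMPAT is enough for this markup, but `htmlspecialchars($project->projectID, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')` pins the behaviour regardless of PHP version; the same applies to the three calls in the @@ -144 hunk of this file. The enclosing function starts outside the hunk.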
@@ -144,11 +144,11 @@ class ProjectUtilities
 $projectId = Airavata::createProject(Session::get('authz-token'), Config::get('pga_config.airavata')['gateway-id'], $project);
 if ($projectId) {
- CommonUtilities::print_success_message("<p>Project {$_POST['project-name']} created!</p>" .
+ CommonUtilities::print_success_message("<p>Project " . htmlspecialchars($_POST['project-name']) . " created!</p>" .
 '<p>You will be redirected to the summary page shortly, or you can
- <a href="project/summary?projId=' . $projectId . '">go directly</a> to the project summary page.</p>');
+ <a href="project/summary?projId=' . urlencode($projectId) . '">go directly</a> to the project summary page.</p>');
 } else {
- CommonUtilities::print_error_message("Error creating project {$_POST['project-name']}!");
+ CommonUtilities::print_error_message("Error creating project ". htmlspecialchars($_POST['project-name']) . "!");
 }
 } catch (InvalidRequestException $ire) {
 CommonUtilities::print_error_message('InvalidRequestException!<br><br>' . $ire->getMessage());
http://git-wip-us.apache.org/repos/asf/airavata-php-gateway/blob/ebaad45b/app/views/experiment/create-complete.blade.php
----------------------------------------------------------------------
diff --git a/app/views/experiment/create-complete.blade.php b/app/views/experiment/create-complete.blade.php
index 0ac6bd6..b8d48b6 100755
--- a/app/views/experiment/create-complete.blade.php
+++ b/app/views/experiment/create-complete.blade.php
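Review bot: Style: the new error line reads `"Error creating project ". htmlspecialchars(` with no space before the concatenation dot, unlike the success line just above it; `CommonUtilities::print_error_message("Error creating project " . htmlspecialchars($_POST['project-name']) . "!");` keeps the two consistent. Separately, the catch on the context line still concatenates `$ire->getMessage()` into HTML without escaping; whether those messages can reflect request-supplied text is not visible here, but passing them through the same `htmlspecialchars()` as the project name would close the gap. The enclosing function starts outside the hunk.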
@@ -48,7 +48,7 @@
 var users = {{ $users }};
 var owner = {{ $owner }};
 var projectOwner = {{ $projectOwner }};
- $('#entity-share').data({url: "{{URL::to('/')}}/project/unshared-users", resourceId: "{{$expInputs['project']}}"})
+ $('#entity-share').data({url: "{{URL::to('/')}}/project/unshared-users", resourceId: {{json_encode($expInputs['project'])}}})
 </script>
 {{ HTML::script('js/sharing/sharing_utils.js') }}
 {{ HTML::script('js/sharing/share.js') }}
http://git-wip-us.apache.org/repos/asf/airavata-php-gateway/blob/ebaad45b/app/views/project/browse.blade.php
----------------------------------------------------------------------
diff --git a/app/views/project/browse.blade.php b/app/views/project/browse.blade.php
index a7e322e..5383fb7 100755
--- a/app/views/project/browse.blade.php
+++ b/app/views/project/browse.blade.php
@@ -106,7 +106,7 @@
 ?>
 <tr>
 <td>
- {{$project->name}}
+ {{{$project->name}}}
 @if($can_write[$project->projectID])
 <a href="{{URL::to('/')}}/project/edit?projId={{urlencode($project->projectID)}}" title="Edit">
 <span class="glyphicon glyphicon-pencil"></span>
@@ -114,7 +114,7 @@
 @endif
 </td>
 <td>
- {{$project->owner}}
+ {{{$project->owner}}}
 </td>
 <td class="time" unix-time="
 <?php echo $project->creationTime / 1000 ?>">
http://git-wip-us.apache.org/repos/asf/airavata-php-gateway/blob/ebaad45b/app/views/project/edit.blade.php
----------------------------------------------------------------------
diff --git a/app/views/project/edit.blade.php b/app/views/project/edit.blade.php
index 8f38848..2ed473f 100755
--- a/app/views/project/edit.blade.php
+++ b/app/views/project/edit.blade.php
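Review bot: `json_encode()` on the `+` line fixes the quote-termination problem of the old `"{{...}}"` form, but with default flags `<`, `>`, `&` and `'` are emitted verbatim and the script block stays intact only because json_encode escapes `/` by default (a `</script>` in the value becomes `<\/script>`); adding `JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT` makes the script-context escaping explicit rather than a side effect: `resourceId: {{ json_encode($expInputs['project'], JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT) }}`. The three context lines `var users = {{ $users }};`, `var owner = {{ $owner }};` and `var projectOwner = {{ $projectOwner }};` are still raw `{{ }}` output into the same script block; presumably the controller hands them over already JSON-encoded, which cannot be seen here and is worth confirming. The same two points apply to the @@ -69 hunk of edit.blade.php.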
@@ -33,15 +33,15 @@
 class="form-control"
 name="project-name"
 id="project-name"
- value="{{ $project->name }}" required maxlength="50">
+ value="{{{ $project->name }}}" required maxlength="50">
 </div>
 <div class="form-group">
 <label for="project-description">Project Description</label>
 <textarea class="form-control" name="project-description"
- id="project-description" maxlength="200">{{ $project->description }}</textarea>
- <input type="hidden" name="projectId" value="{{ $projectId }}"/>
- <input type="hidden" name="projectOwner" value="{{ $project->owner}}"/>
+ id="project-description" maxlength="200">{{{ $project->description }}}</textarea>
+ <input type="hidden" name="projectId" value="{{{ $projectId }}}"/>
+ <input type="hidden" name="projectOwner" value="{{{ $project->owner }}}"/>
 </div>
 <div class="form-group">
@@ -69,7 +69,7 @@
 <script>
 var users = {{ $users }};
 var owner = {{ $owner }};
- $('#entity-share').data({url: "{{ URL::to('/') }}/project/unshared-users", resourceId: "{{ $projectId }}"})
+ $('#entity-share').data({url: "{{ URL::to('/') }}/project/unshared-users", resourceId: {{ json_encode($projectId) }}})
 </script>
 {{ HTML::script('js/sharing/sharing_utils.js') }}
 {{ HTML::script('js/sharing/share.js') }}
http://git-wip-us.apache.org/repos/asf/airavata-php-gateway/blob/ebaad45b/app/views/project/no-sharing-edit.blade.php
----------------------------------------------------------------------
diff --git a/app/views/project/no-sharing-edit.blade.php b/app/views/project/no-sharing-edit.blade.php
index c7da3f9..ac30a1e 100755
--- a/app/views/project/no-sharing-edit.blade.php
+++ b/app/views/project/no-sharing-edit.blade.php
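Review bot: The hidden `projectOwner` input on the third `+` line is now HTML-escaped, but it still carries the owner identity through the browser on the way back to the update handler, where it is as editable as any other form field; whether the controller re-derives ownership from the stored project instead of trusting this field is not visible here and is the part worth confirming. If the server side does not need it, dropping the field removes the question entirely. The enclosing form starts outside the hunk.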
@@ -27,14 +27,14 @@
 class="form-control"
 name="project-name"
 id="project-name"
- value="{{ $project->name }}" required maxlength="50">
+ value="{{{ $project->name }}}" required maxlength="50">
 </div>
 <div class="form-group">
 <label for="project-description">Project Description</label>
 <textarea class="form-control" name="project-description"
- id="project-description" maxlength="200">{{ $project->description }}</textarea>
- <input type="hidden" name="projectId" value="{{ Input::get('projId') }}"/>
+ id="project-description" maxlength="200">{{{ $project->description }}}</textarea>
+ <input type="hidden" name="projectId" value="{{{ Input::get('projId') }}}"/>
 </div>
 <div class="btn-toolbar">
http://git-wip-us.apache.org/repos/asf/airavata-php-gateway/blob/ebaad45b/app/views/project/no-sharing-summary.blade.php
----------------------------------------------------------------------
diff --git a/app/views/project/no-sharing-summary.blade.php b/app/views/project/no-sharing-summary.blade.php
index 595ff43..534fc13 100755
--- a/app/views/project/no-sharing-summary.blade.php
+++ b/app/views/project/no-sharing-summary.blade.php
@@ -12,18 +12,18 @@
 ?>
 <h1>Project Summary
 @if( !isset($dashboard))
- <small><a href="{{ URL::to('/') }}/project/summary?projId={{ $project->projectID }}"
+ <small><a href="{{ URL::to('/') }}/project/summary?projId={{ urlencode($project->projectID) }}"
 title="Refresh"><span class="glyphicon glyphicon-refresh refresh-exp"></span></a></small>
 @endif
 </h1>
 <div>
 <div>
- <h3>{{ $project->name }}
- <a href="edit?projId={{ $project->projectID }}" title="Edit">
+ <h3>{{{ $project->name }}}
+ <a href="edit?projId={{ urlencode($project->projectID) }}" title="Edit">
 <span class="glyphicon glyphicon-pencil"></span>
 </a>
 </h3>
- <p>{{ $project->description }}</p>
+ <p>{{{ $project->description }}}</p>
 </div>
 <div class="table-responsive">
 <table class="table">
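Review bot: The hidden `projectId` on the last `+` line of the @@ -27 hunk is filled from `Input::get('projId')`, i.e. the request parameter echoed back, whereas the sibling edit.blade.php hunk fills the same field from the `$projectId` the controller passed to the view. If this view also receives the loaded project (it already reads `$project->name` and `$project->description` here), `{{{ $project->projectID }}}` would tie the posted id to the project actually shown rather than to a query-string value; whether that property is populated for this view is not visible here. The enclosing form starts outside the hunk.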
@@ -62,27 +62,27 @@
 </a>
 <a href="{{URL::to('/')}}/experiment/edit?expId={{urlencode($experiment->experimentId)}}" title="Edit"><span class="glyphicon glyphicon-pencil"></span></a>
 </td>
- <td>{{ $experiment->userName }}</td>
+ <td>{{{ $experiment->userName }}}</td>
 <td>
 @if( $applicationInterface != null )
- {{ $applicationInterface->applicationName }}
+ {{{ $applicationInterface->applicationName }}}
 @else
 <span class='text-danger'>Removed</span>
 @endif
 </td>
- <td>{{ $resourceName }}</td>
- <td class="time" unix-time="{{$expValues["experimentTimeOfStateChange"]}}"></td>
+ <td>{{{ $resourceName }}}</td>
+ <td class="time" unix-time="{{{$expValues["experimentTimeOfStateChange"]}}}"></td>
 <td>
- <div class="{{ExperimentUtilities::get_status_color_class( $expValues["experimentStatusString"])}}">
- {{ $expValues["experimentStatusString"] }}
+ <div class="{{{ExperimentUtilities::get_status_color_class( $expValues["experimentStatusString"])}}}">
+ {{{ $expValues["experimentStatusString"] }}}
 </div>
 </td>
 <td>
 @if (isset($expValues["jobState"]) )
- <div class="{{ ExperimentUtilities::get_status_color_class( $expValues["jobState"]) }}">
- {{ $expValues["jobState"] }}
+ <div class="{{{ ExperimentUtilities::get_status_color_class( $expValues["jobState"]) }}}">
+ {{{ $expValues["jobState"] }}}
 </div>
 @endif
 </td>
http://git-wip-us.apache.org/repos/asf/airavata-php-gateway/blob/ebaad45b/app/views/project/summary.blade.php
----------------------------------------------------------------------
diff --git a/app/views/project/summary.blade.php b/app/views/project/summary.blade.php
index 1e89102..71ad461 100755
--- a/app/views/project/summary.blade.php
+++ b/app/views/project/summary.blade.php
@@ -13,20 +13,20 @@
 ?>
 <h1>Project Summary
 @if( !isset($dashboard))
- <small><a href="{{ URL::to('/') }}/project/summary?projId={{ $project->projectID }}"
+ <small><a href="{{ URL::to('/') }}/project/summary?projId={{ urlencode($project->projectID) }}"
 title="Refresh"><span class="glyphicon glyphicon-refresh refresh-exp"></span></a></small>
 @endif
 </h1>
 <div>
 <div>
- <h3>{{ $project->name }}
+ <h3>{{{ $project->name }}}
 @if($project_can_write === true)
- <a href="edit?projId={{ $project->projectID }}" title="Edit">
+ <a href="edit?projId={{ urlencode($project->projectID) }}" title="Edit">
 <span class="glyphicon glyphicon-pencil"></span>
 </a>
 @endif
 </h3>
- <p>{{ $project->description }}</p>
+ <p>{{{ $project->description }}}</p>
 </div>
 <div class="table-responsive">
 <table class="table">
@@ -67,27 +67,27 @@
 <a href="{{URL::to('/')}}/experiment/edit?expId={{urlencode($experiment->experimentId)}}" title="Edit"><span class="glyphicon glyphicon-pencil"></span></a>
 @endif
 </td>
- <td>{{ $experiment->userName }}</td>
+ <td>{{{ $experiment->userName }}}</td>
 <td>
 @if( $applicationInterface != null )
- {{ $applicationInterface->applicationName }}
+ {{{ $applicationInterface->applicationName }}}
 @else
 <span class='text-danger'>Removed</span>
 @endif
 </td>
 <td>{{ $resourceName }}</td>
- <td class="time" unix-time="{{$expValues["experimentCreationTime"]}}"></td>
+ <td class="time" unix-time="{{{$expValues["experimentCreationTime"]}}}"></td>
 <td>
- <div class="{{ExperimentUtilities::get_status_color_class( $expValues["experimentStatusString"])}}">
- {{ $expValues["experimentStatusString"] }}
+ <div class="{{{ExperimentUtilities::get_status_color_class( $expValues["experimentStatusString"])}}}">
+ {{{ $expValues["experimentStatusString"] }}}
 </div>
 </td>
 <td>
 @if (isset($expValues["jobState"]) )
- <div class="{{ ExperimentUtilities::get_status_color_class( $expValues["jobState"]) }}">
- {{ $expValues["jobState"] }}
+ <div class="{{{ ExperimentUtilities::get_status_color_class( $expValues["jobState"]) }}}">
+ {{{ $expValues["jobState"] }}}
 </div>
 @endif
 </td>
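Review bot: `<td>{{ $resourceName }}</td>` on the context line after the application-name cell is still emitted raw in this view, while the @@ -62 hunk of no-sharing-summary.blade.php changes the identical cell to `{{{ $resourceName }}}`; changing it here to `<td>{{{ $resourceName }}}</td>` keeps the two summary views consistent and leaves no unescaped output in this table. Where the value originates (resource registry versus user input) is not visible here, so the exposure is unknown, but the inconsistency alone is worth fixing in the same commit.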