diff --git a/modules/autoinstall/autoinstall.admin.view.php b/modules/autoinstall/autoinstall.admin.view.php
index 6869437f2..856fb13aa 100644
--- a/modules/autoinstall/autoinstall.admin.view.php
+++ b/modules/autoinstall/autoinstall.admin.view.php
@@ -488,6 +488,7 @@ class autoinstallAdminView extends autoinstall
 $security = new Security();
 $security->encodeHTML('package.', 'package.depends..', 'item_list..');
+ $security->encodeHTML('search_target', 'search_keyword');
 }
 /**
diff --git a/modules/comment/comment.admin.view.php b/modules/comment/comment.admin.view.php
index 057eb978e..ebda37cd9 100644
--- a/modules/comment/comment.admin.view.php
+++ b/modules/comment/comment.admin.view.php
@@ -116,6 +116,9 @@ class commentAdminView extends comment
 }
 Context::set('member_nick_name', $member_nick_neme);
+ $security = new Security();
+ $security->encodeHTML('search_target', 'search_keyword');
+
 // set the template
 $this->setTemplatePath($this->module_path . 'tpl');
 $this->setTemplateFile('comment_list');
diff --git a/modules/document/document.admin.view.php b/modules/document/document.admin.view.php
index 4bbcaa114..1c5ea201d 100644
--- a/modules/document/document.admin.view.php
+++ b/modules/document/document.admin.view.php
@@ -121,6 +121,9 @@ class documentAdminView extends document
 }
 Context::set('member_nick_name', $member_nick_neme);
+ $security = new Security();
+ $security->encodeHTML('search_target', 'search_keyword');
+
 // Specify a template
 $this->setTemplatePath($this->module_path.'tpl');
 $this->setTemplateFile('document_list');
diff --git a/modules/file/file.admin.view.php b/modules/file/file.admin.view.php
index d04516664..ab1cb5e75 100644
--- a/modules/file/file.admin.view.php
+++ b/modules/file/file.admin.view.php
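Review bot: The added `$security->encodeHTML('search_target', 'search_keyword');` carries no comment saying why these two request-derived Context keys are encoded here, at the end of the view method, and the same uncommented line is repeated in the comment, document, file, member, point and poll hunks. A one-line comment such as `// search_target/search_keyword are reflected by the list template; encode for HTML output only after the query has consumed the raw values` would make the ordering constraint explicit, since encodeHTML presumably rewrites the Context values in place and must run after any lookup that uses them. In the comment and document hunks a fresh `Security` instance is created solely for this call; if either method already holds one earlier (outside the hunk), reuse it. The enclosing methods start outside each of these hunks.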
@@ -202,6 +202,7 @@ class fileAdminView extends file
 $security = new Security();
 $security->encodeHTML('file_list..');
 $security->encodeHTML('module_list..');
+ $security->encodeHTML('search_target', 'search_keyword');
 $this->setTemplatePath($this->module_path.'tpl');
 $this->setTemplateFile('file_list');
diff --git a/modules/member/member.admin.view.php b/modules/member/member.admin.view.php
index 336bcda02..b57be7f3a 100644
--- a/modules/member/member.admin.view.php
+++ b/modules/member/member.admin.view.php
@@ -118,6 +118,7 @@ class memberAdminView extends member
 $security = new Security();
 $security->encodeHTML('member_list..user_name', 'member_list..nick_name', 'member_list..group_list..');
+ $security->encodeHTML('search_target', 'search_keyword');
 $this->setTemplateFile('member_list');
 }
diff --git a/modules/menu/menu.admin.controller.php b/modules/menu/menu.admin.controller.php
index fdb4a0351..2f5fe7806 100644
--- a/modules/menu/menu.admin.controller.php
+++ b/modules/menu/menu.admin.controller.php
@@ -1975,20 +1975,23 @@ class menuAdminController extends menu
 // Get data from child nodes if exist.
 if($menu_item_srl&&$tree[$menu_item_srl]) $child_output = $this->getPhpCacheCode($tree[$menu_item_srl], $tree, $site_srl, $domain);
 else $child_output = array("buff"=>"", "url_list"=>array());
+ // List variables
 $names = $oMenuAdminModel->getMenuItemNames($node->name, $site_srl);
 unset($name_arr_str);
 foreach($names as $key => $val)
 {
- $name_arr_str .= sprintf('"%s"=>"%s",',$key, str_replace(array('\\','"'),array('\\\\','"'),$val));
+ $name_arr_str .= sprintf('"%s"=>\'%s\',', $key, str_replace(array('\\','\''), array('\\\\','\\\''), strip_tags($val)));
 }
 $name_str = sprintf('$_menu_names[%d] = array(%s); %s', $node->menu_item_srl, $name_arr_str, $child_output['name']);
+ // If url value is not empty in the current node, put the value into an array url_list
 if($node->url) $child_output['url_list'][] = $node->url;
 $output['url_list'] = array_merge($output['url_list'], $child_output['url_list']);
 // If node->group_srls value exists
 if($node->group_srls)$group_check_code = sprintf('($is_admin==true||(is_array($group_srls)&&count(array_intersect($group_srls, array(%s))))||($is_logged && %s))',$node->group_srls,$node->group_srls == -1?1:0);
 else $group_check_code = "true";
+ // List variables
 $href = str_replace(array('&','"','<','>'),array('&','"','<','>'),$node->href);
 $url = str_replace(array('&','"','<','>'),array('&','"','<','>'),$node->url);
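Review bot: The rewritten `$name_arr_str .=` line escapes `$val` for the single-quoted literal it is embedded in, but `$key` still goes raw into the double-quoted `"%s"` array key, where `"`, `\` and `$` are interpreted when the generated cache file is executed; lang codes are probably harmless today, but this line writes PHP source and should escape both sides with the same mechanism, e.g. `$name_arr_str .= sprintf('%s=>%s,', var_export((string) $key, true), var_export(strip_tags($val), true));`. The `unset($name_arr_str);` two lines above also means the first `.=` appends to an undefined variable (a notice, a warning on PHP 8); `$name_arr_str = '';` is the safer initializer. `strip_tags` alters the stored name for any menu entry that legitimately contains `<`, so if the intent is only to neutralize markup at render time, escaping where `$_menu_names` is output would keep the data intact — hedged, since that consumer is outside the hunk. The `$href`/`$url` lines show search and replacement arrays that look identical on this page, which is probably entity decoding by the rendering; worth confirming against the file. getPhpCacheCode starts and ends outside the hunk.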
@@ -2042,10 +2045,10 @@ class menuAdminController extends menu
 }
 // Create properties (check if it belongs to the menu node by url_list. It looks a trick but fast and powerful)
 $attribute = sprintf(
- '"node_srl"=>"%s","parent_srl"=>"%s","menu_name_key"=>\'%s\',"isShow"=>(%s?true:false),"text"=>(%s?$_menu_names[%d][$lang_type]:""),"href"=>(%s?%s:""),"url"=>(%s?"%s":""),"is_shortcut"=>"%s","desc"=>\'%s\',"open_window"=>"%s","normal_btn"=>"%s","hover_btn"=>"%s","active_btn"=>"%s","selected"=>(array(%s)&&in_array(Context::get("mid"),array(%s))?1:0),"expand"=>"%s", "list"=>array(%s), "link"=>(%s? ( array(%s)&&in_array(Context::get("mid"),array(%s)) ?%s:%s):""),',
+ '"node_srl" => %d, "parent_srl" => %d, "menu_name_key" => \'%s\', "isShow" => (%s ? true : false), "text" => (%s ? $_menu_names[%d][$lang_type] : ""), "href" => (%s ? %s : ""), "url" => (%s ? "%s" : ""), "is_shortcut" => "%s", "desc" => \'%s\', "open_window" => "%s", "normal_btn" => "%s", "hover_btn" => "%s", "active_btn" => "%s", "selected" => (array(%s) && in_array(Context::get("mid"), array(%s)) ? 1 : 0), "expand" => \'%s\', "list" => array(%s), "link" => (%s ? (array(%s) && in_array(Context::get("mid"), array(%s)) ? %s : %s) : ""),',
 $node->menu_item_srl,
 $node->parent_srl,
- addslashes($node->name),
+ strip_tags(addslashes($node->name)),
 $group_check_code,
 $group_check_code,
 $node->menu_item_srl,
diff --git a/modules/point/point.admin.view.php b/modules/point/point.admin.view.php
index b401c6756..5822131c0 100644
--- a/modules/point/point.admin.view.php
+++ b/modules/point/point.admin.view.php
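Review bot: `strip_tags(addslashes($node->name))` fills the single-quoted `\'%s\'` placeholder for `menu_name_key`, but addslashes also escapes `"` (and NUL), and inside a single-quoted PHP literal `\"` stays as two characters, so a name containing a double quote reaches the cache as `\"`. The escaping should also be the last transformation before embedding rather than run before the tag stripper; `var_export(strip_tags($node->name), true)` substituted for the whole `\'%s\'` placeholder handles both points, or at minimum `addslashes(strip_tags($node->name)),` restores the conventional order. The format string also changes `"expand"` from `"%s"` to `\'%s\'`, and whether the matching argument (outside this hunk) is escaped for a single-quoted context cannot be confirmed here. The sprintf call and its argument list run past the end of the hunk.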
@@ -114,9 +114,10 @@ class pointAdminView extends point
 $this->group_list = $oMemberModel->getGroups();
 Context::set('group_list', $this->group_list);
 //Security
- $security = new Security();
+ $security = new Security();
 $security->encodeHTML('group_list..title','group_list..description');
 $security->encodeHTML('member_list..');
+ $security->encodeHTML('search_target', 'search_keyword');
 // Set the template
 $this->setTemplateFile('member_list');
diff --git a/modules/poll/poll.admin.view.php b/modules/poll/poll.admin.view.php
index d43820c7b..3d8a7650b 100644
--- a/modules/poll/poll.admin.view.php
+++ b/modules/poll/poll.admin.view.php
@@ -92,6 +92,8 @@ class pollAdminView extends poll
 $security = new Security();
 $security->encodeHTML('poll_list..title', 'poll_list..nick_name');
+ $security->encodeHTML('search_target', 'search_keyword');
+
 // Set a template
 $this->setTemplatePath($this->module_path.'tpl');
 $this->setTemplateFile('poll_list');
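Review bot: The `-`/`+` pair on `$security = new Security();` in the point hunk changes only indentation, which buries a whitespace edit inside an output-encoding fix and makes the functional change harder to audit from blame; drop it from this commit or move it to a separate formatting commit. The enclosing methods of both the point and poll hunks start outside the hunks, so it cannot be confirmed here whether anything between the query and these `encodeHTML` calls still reads `search_keyword` expecting the raw value.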