Use escape more consistently
여기저기 htmlspecialchars가 들어 있는 것을 escape로 통일
This commit is contained in:
parent
d63da57045
commit
c54fa8dab1
14 changed files with 44 additions and 45 deletions
|
|
@ -794,7 +794,7 @@ class Context
|
|||
return '';
|
||||
}
|
||||
getController('module')->replaceDefinedLangCode(self::$_instance->browser_title);
|
||||
return htmlspecialchars(self::$_instance->browser_title, ENT_COMPAT | ENT_HTML401, 'UTF-8', FALSE);
|
||||
return htmlspecialchars(self::$_instance->browser_title, ENT_QUOTES, 'UTF-8', FALSE);
|
||||
}
|
||||
|
||||
/**
|
||||
|
|
@ -1733,7 +1733,7 @@ class Context
|
|||
|
||||
if(!$autoEncode)
|
||||
{
|
||||
return htmlspecialchars($query, ENT_COMPAT | ENT_HTML401, 'UTF-8', FALSE);
|
||||
return htmlspecialchars($query, ENT_QUOTES, 'UTF-8', FALSE);
|
||||
}
|
||||
|
||||
$output = array();
|
||||
|
|
@ -1749,7 +1749,7 @@ class Context
|
|||
$encode_queries[] = $key . '=' . $value;
|
||||
}
|
||||
|
||||
return htmlspecialchars($parsedUrl['path'] . '?' . join('&', $encode_queries), ENT_COMPAT | ENT_HTML401, 'UTF-8', FALSE);
|
||||
return htmlspecialchars($parsedUrl['path'] . '?' . join('&', $encode_queries), ENT_QUOTES, 'UTF-8', FALSE);
|
||||
}
|
||||
|
||||
/**
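Review bot: The three Context call sites (the browser_title return, the `!$autoEncode` early return and the final path-and-query return) switch from `ENT_COMPAT | ENT_HTML401` to `ENT_QUOTES` but keep calling htmlspecialchars directly, while every other file in this commit moves to `escape()`; if `escape($s, false)` wraps htmlspecialchars with ENT_QUOTES and double_encode=false, which the `false` second argument used elsewhere suggests, `return escape(self::$_instance->browser_title, false);` would keep a single definition of the site's HTML escaping. ENT_QUOTES is also a visible output change: a single quote in the title or query string now comes out as `&#039;`, so anything that compared or cached the old form needs rechecking. The enclosing methods start outside the hunks.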
|
||||
|
|
|
|||
|
|
@ -209,7 +209,7 @@ class ExtraItem
|
|||
{
|
||||
$value = 'http://' . $value;
|
||||
}
|
||||
return htmlspecialchars($value, ENT_COMPAT | ENT_HTML401, 'UTF-8', false);
|
||||
return escape($value, false);
|
||||
|
||||
case 'tel' :
|
||||
if(is_array($value))
|
||||
|
|
@ -232,7 +232,7 @@ class ExtraItem
|
|||
$values = array_values($values);
|
||||
for($i = 0, $c = count($values); $i < $c; $i++)
|
||||
{
|
||||
$values[$i] = trim(htmlspecialchars($values[$i], ENT_COMPAT | ENT_HTML401, 'UTF-8', false));
|
||||
$values[$i] = trim(escape($values[$i], false));
|
||||
}
|
||||
return $values;
|
||||
|
||||
|
|
@ -259,7 +259,7 @@ class ExtraItem
|
|||
$values = array_values($values);
|
||||
for($i = 0, $c = count($values); $i < $c; $i++)
|
||||
{
|
||||
$values[$i] = trim(htmlspecialchars($values[$i], ENT_COMPAT | ENT_HTML401, 'UTF-8', false));
|
||||
$values[$i] = trim(escape($values[$i], false));
|
||||
}
|
||||
return $values;
|
||||
|
||||
|
|
@ -280,7 +280,7 @@ class ExtraItem
|
|||
$values = array_values($values);
|
||||
for($i = 0, $c = count($values); $i < $c; $i++)
|
||||
{
|
||||
$values[$i] = trim(htmlspecialchars($values[$i], ENT_COMPAT | ENT_HTML401, 'UTF-8', false));
|
||||
$values[$i] = trim(escape($values[$i], false));
|
||||
}
|
||||
return $values;
|
||||
|
||||
|
|
@ -290,7 +290,7 @@ class ExtraItem
|
|||
//case 'textarea' :
|
||||
//case 'password' :
|
||||
default :
|
||||
return htmlspecialchars($value, ENT_COMPAT | ENT_HTML401, 'UTF-8', false);
|
||||
return escape($value, false);
|
||||
}
|
||||
}
|
||||
|
||||
|
|
@ -404,7 +404,7 @@ class ExtraItem
|
|||
// Temporary ID for labeling
|
||||
$tmp_id = $column_name . '-' . $id_num++;
|
||||
|
||||
$buff[] =' <li><input type="checkbox" name="' . $column_name . '[]" id="' . $tmp_id . '" value="' . htmlspecialchars($v, ENT_COMPAT | ENT_HTML401, 'UTF-8', false) . '" ' . $checked . ' /><label for="' . $tmp_id . '">' . $v . '</label></li>';
|
||||
$buff[] =' <li><input type="checkbox" name="' . $column_name . '[]" id="' . $tmp_id . '" value="' . escape($v, false) . '" ' . $checked . ' /><label for="' . $tmp_id . '">' . $v . '</label></li>';
|
||||
}
|
||||
$buff[] = '</ul>';
|
||||
break;
|
||||
|
|
@ -485,7 +485,7 @@ class ExtraItem
|
|||
{
|
||||
$oModuleController = getController('module');
|
||||
$oModuleController->replaceDefinedLangCode($this->desc);
|
||||
$buff[] = '<p>' . htmlspecialchars($this->desc, ENT_COMPAT | ENT_HTML401, 'UTF-8', false) . '</p>';
|
||||
$buff[] = '<p>' . escape($this->desc, false) . '</p>';
|
||||
}
|
||||
|
||||
return join(PHP_EOL, $buff);
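Review bot: In the checkbox line (`$buff[] =' <li><input type="checkbox" …`) the `value` attribute is now escaped but the same `$v` is still concatenated raw into the `<label>` body, and `$tmp_id`/`$column_name` go into attributes unescaped, so if option values can carry markup the label is the unescaped copy. `'<label for="' . $tmp_id . '">' . escape($v, false) . '</label>'` would make the line consistent with itself. The loop that produces `$v` begins outside this hunk, so where the options come from cannot be seen here.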
|
||||
|
|
|
|||
|
|
@ -115,7 +115,7 @@ class Security
|
|||
{
|
||||
if(strncmp('$user_lang->', $var, 12) !== 0)
|
||||
{
|
||||
$var = htmlspecialchars($var, ENT_COMPAT | ENT_HTML401, 'UTF-8', false);
|
||||
$var = escape($var, false);
|
||||
}
|
||||
|
||||
return $var;
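Review bot: The guard `strncmp('$user_lang->', $var, 12) !== 0` exempts the whole value from `escape($var, false)` on a prefix match only, so any text that follows a lang-code token is left unescaped as well. Tightening the exemption to a full-token match, e.g. `if(!preg_match('/^\$user_lang->[a-z0-9_]+$/i', $var)) { $var = escape($var, false); }`, keeps the lang-code passthrough while still escaping anything else. The method's signature and the remainder of its body are outside the hunk, so whether a later step handles the remainder cannot be seen here.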
|
||||
|
|
|
|||
|
|
@ -327,7 +327,7 @@ class TemplateHandler
|
|||
{
|
||||
preg_match('/<input[^>]*name="error_return_url"[^>]*>/is', $matches[2], $m3);
|
||||
if(!$m3[0])
|
||||
$matches[2] = '<input type="hidden" name="error_return_url" value="<?php echo htmlspecialchars(getRequestUriByServerEnviroment(), ENT_COMPAT | ENT_HTML401, \'UTF-8\', false) ?>" />' . $matches[2];
|
||||
$matches[2] = '<input type="hidden" name="error_return_url" value="<?php echo escape(getRequestUriByServerEnviroment(), false); ?>" />' . $matches[2];
|
||||
}
|
||||
else
|
||||
{
|
||||
|
|
|
|||
|
|
@ -51,8 +51,8 @@
|
|||
<td>
|
||||
<a href="{getUrl('act', 'dispAddonAdminSetup', 'selected_addon', $addon->addon_name)}">{$lang->cmd_setup}</a>
|
||||
</td>
|
||||
<td><input type="checkbox" name="pc_on[]" title="PC" value="{htmlspecialchars($addon->addon_name, ENT_COMPAT | ENT_HTML401, 'UTF-8', false)}" checked="checked"|cond="$addon->activated && !$addon->isBlacklisted" disabled="disabled"|cond="$addon->isBlacklisted" /></td>
|
||||
<td><input type="checkbox" name="mobile_on[]" title="Mobile" value="{htmlspecialchars($addon->addon_name, ENT_COMPAT | ENT_HTML401, 'UTF-8', false)}" checked="checked"|cond="$addon->mactivated && !$addon->isBlacklisted" disabled="disabled"|cond="$addon->isBlacklisted" /></td>
|
||||
<td><input type="checkbox" name="pc_on[]" title="PC" value="{escape($addon->addon_name, false)}" checked="checked"|cond="$addon->activated && !$addon->isBlacklisted" disabled="disabled"|cond="$addon->isBlacklisted" /></td>
|
||||
<td><input type="checkbox" name="mobile_on[]" title="Mobile" value="{escape($addon->addon_name, false)}" checked="checked"|cond="$addon->mactivated && !$addon->isBlacklisted" disabled="disabled"|cond="$addon->isBlacklisted" /></td>
|
||||
<td><a cond="$addon->remove_url" href="{$addon->remove_url}&return_url={urlencode(getRequestUriByServerEnviroment())}">{$lang->cmd_delete}</a></td>
|
||||
</tr>
|
||||
</tbody>
|
||||
|
|
|
|||
|
|
@ -55,8 +55,8 @@
|
|||
<div class="x_control-group">
|
||||
<label class="x_control-label" for="{$var->name}"|cond="$var->type != 'textarea'" for="lang_{$var->name}"|cond="$var->type == 'textarea'">{$var->title}</label>
|
||||
<div class="x_controls">
|
||||
<input cond="$var->type == 'text'" type="text" name="{$var->name}" id="{$var->name}" value="{htmlspecialchars($var->value, ENT_COMPAT | ENT_HTML401, 'UTF-8', false)}">
|
||||
<textarea cond="$var->type == 'textarea'" name="{$var->name}" id="{$var->name}" class="lang_code" rows="8" cols="42">{htmlspecialchars($var->value, ENT_COMPAT | ENT_HTML401, 'UTF-8', false)}</textarea>
|
||||
<input cond="$var->type == 'text'" type="text" name="{$var->name}" id="{$var->name}" value="{escape($var->value)}">
|
||||
<textarea cond="$var->type == 'textarea'" name="{$var->name}" id="{$var->name}" class="lang_code" rows="8" cols="42">{escape($var->value)}</textarea>
|
||||
<select cond="$var->type == 'select'" name="{$var->name}" id="{$var->name}">
|
||||
<option loop="$var->options => $option" value="{$option->value}" selected="selected"|cond="$var->value == $option->value">{$option->title}</option>
|
||||
</select>
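Review bot: `{escape($var->value)}` in both the text input and the textarea drops the `false` (double_encode) argument that the replaced htmlspecialchars calls passed, while the sibling form later in this commit keeps it as `{escape($var->value, false)}`; if escape() defaults to double-encoding, a stored value containing `&amp;` or `&lt;` now renders twice-encoded here and once there. The same silent drop happens in the editor autosave hidden fields (`{escape($saved_doc->title)}`, `{escape($saved_doc->content)}`), in the mailto url (`'mailto:'.escape($member_info->email_address)`) and in the two `$args->title = escape(Context::get('title'));` assignments in communicationController, where the old lines also passed `false`. Either pass `false` everywhere the old code did, or state in the commit message that double encoding is now intended.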
|
||||
|
|
|
|||
|
|
@ -1,10 +1,12 @@
|
|||
<config autoescape="on" />
|
||||
|
||||
</div>
|
||||
<!-- /BODY -->
|
||||
<footer class="footer" cond="$this->user->isAdmin()">
|
||||
<p class="power">
|
||||
Powered by <strong>Rhymix {__XE_VERSION__}</strong>
|
||||
Powered by <strong>Rhymix {\RX_VERSION}</strong>
|
||||
<!--@if(isset($released_version))-->
|
||||
<span class="vr">|</span> Latest version: <a href="{htmlspecialchars(html_entity_decode($download_link), ENT_COMPAT | ENT_HTML401, 'UTF-8', false)}" target="_blank">{$released_version}</a>
|
||||
<span class="vr">|</span> Latest version: <a href="{$download_link}" target="_blank">{$released_version}</a>
|
||||
<!--@end-->
|
||||
</p>
|
||||
<p class="cache">
|
||||
|
|
@ -18,4 +20,3 @@
|
|||
</footer>
|
||||
</div>
|
||||
<load target="./js/config.js" />
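Review bot: With `<config autoescape="on" />` added, `{$download_link}` replaces a call that first ran html_entity_decode and then escaped with double_encode=false; if `$download_link` is stored entity-encoded, which the decode step suggests, autoescape will now encode it a second time unless the engine's autoescape also uses double_encode=false, and the href would break. Either keep `{escape(html_entity_decode($download_link), false)}` or confirm the controller assigns `$download_link` as a raw URL. Autoescape now also applies to every other `{…}` in this file, including `{$released_version}` and the lang strings, which should be checked for pre-escaped content.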
|
||||
|
||||
|
|
|
|||
|
|
@ -66,7 +66,7 @@ class communicationController extends communication
|
|||
throw new Rhymix\Framework\Exception('msg_not_exists_member');
|
||||
}
|
||||
|
||||
$title = trim(Context::get('title'));
|
||||
$title = trim(escape(Context::get('title')));
|
||||
if(!$title)
|
||||
{
|
||||
throw new Rhymix\Framework\Exception('msg_title_is_null');
|
||||
|
|
@ -174,7 +174,7 @@ class communicationController extends communication
|
|||
function sendMessage($sender_srl, $receiver_srl, $title, $content, $sender_log = TRUE)
|
||||
{
|
||||
// Encode the title and content.
|
||||
$title = htmlspecialchars($title, ENT_COMPAT | ENT_HTML401, 'UTF-8', false);
|
||||
$title = escape($title, false);
|
||||
$content = removeHackTag($content);
|
||||
$title = utf8_mbencode($title);
|
||||
$content = utf8_mbencode($content);
|
||||
|
|
@ -659,8 +659,7 @@ class communicationController extends communication
|
|||
$args = new stdClass();
|
||||
$args->friend_group_srl = trim(Context::get('friend_group_srl'));
|
||||
$args->member_srl = $logged_info->member_srl;
|
||||
$args->title = Context::get('title');
|
||||
$args->title = htmlspecialchars($args->title, ENT_COMPAT | ENT_HTML401, 'UTF-8', false);
|
||||
$args->title = escape(Context::get('title'));
|
||||
|
||||
if(!$args->title)
|
||||
{
|
||||
|
|
@ -735,8 +734,7 @@ class communicationController extends communication
|
|||
$args = new stdClass();
|
||||
$args->friend_group_srl = Context::get('friend_group_srl');
|
||||
$args->member_srl = $logged_info->member_srl;
|
||||
$args->title = Context::get('title');
|
||||
$args->title = htmlspecialchars($args->title, ENT_COMPAT | ENT_HTML401, 'UTF-8', false);
|
||||
$args->title = escape(Context::get('title'));
|
||||
|
||||
if(!$args->title)
|
||||
{
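Review bot: `$title = trim(escape(Context::get('title')));` escapes the title at input, and sendMessage (later in this section) escapes it again with `escape($title, false)`; the second pass is idempotent only because of `false`, while the first call relies on escape()'s default, so a literal `&amp;` typed by the user may be stored as `&amp;amp;` if that default is to double-encode. Escaping once, in sendMessage, and keeping the input step as `$title = trim(Context::get('title'));` avoids encoding the stored value twice, assuming the title read here is the one handed to sendMessage, which the hunk does not show. The surrounding methods begin outside the hunks.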
|
||||
|
|
|
|||
|
|
@ -30,8 +30,8 @@ var auto_saved_msg = "{$lang->msg_auto_saved}";
|
|||
<!--@endif-->
|
||||
|
||||
<!--@if($enable_autosave)-->
|
||||
<input type="hidden" name="_saved_doc_title" value="{htmlspecialchars($saved_doc->title, ENT_COMPAT | ENT_HTML401, 'UTF-8', false)}" />
|
||||
<input type="hidden" name="_saved_doc_content" value="{htmlspecialchars($saved_doc->content, ENT_COMPAT | ENT_HTML401, 'UTF-8', false)}" />
|
||||
<input type="hidden" name="_saved_doc_title" value="{escape($saved_doc->title)}" />
|
||||
<input type="hidden" name="_saved_doc_content" value="{escape($saved_doc->content)}" />
|
||||
<input type="hidden" name="_saved_doc_document_srl" value="{$saved_doc->document_srl}" />
|
||||
<input type="hidden" name="_saved_doc_message" value="{$lang->msg_load_saved_doc}" />
|
||||
<!--@end-->
|
||||
|
|
|
|||
|
|
@ -43,8 +43,8 @@
|
|||
<div class="x_control-group">
|
||||
<label class="x_control-label" for="{$var->name}"|cond="$var->type != 'textarea'" for="lang_{$var->name}"|cond="$var->type == 'textarea'">{$var->title}</label>
|
||||
<div class="x_controls">
|
||||
<input cond="$var->type == 'text'" type="text" name="{$var->name}" id="{$var->name}" value="{htmlspecialchars($var->value, ENT_COMPAT | ENT_HTML401, 'UTF-8', false)}">
|
||||
<textarea cond="$var->type == 'textarea'" name="{$var->name}" id="{$var->name}" rows="8" cols="42">{htmlspecialchars($var->value, ENT_COMPAT | ENT_HTML401, 'UTF-8', false)}</textarea>
|
||||
<input cond="$var->type == 'text'" type="text" name="{$var->name}" id="{$var->name}" value="{escape($var->value, false)}">
|
||||
<textarea cond="$var->type == 'textarea'" name="{$var->name}" id="{$var->name}" rows="8" cols="42">{escape($var->value, false)}</textarea>
|
||||
<select cond="$var->type == 'select'" name="{$var->name}" id="{$var->name}">
|
||||
<option loop="$var->options => $option" value="{$option->value}" selected="selected"|cond="$var->value == $option->value">{$option->title}</option>
|
||||
</select>
|
||||
|
|
|
|||
|
|
@ -2417,11 +2417,11 @@ class memberController extends member
|
|||
list($args->email_id, $args->email_host) = explode('@', $args->email_address);
|
||||
|
||||
// Sanitize user ID, username, nickname, homepage, blog
|
||||
$args->user_id = htmlspecialchars($args->user_id, ENT_COMPAT | ENT_HTML401, 'UTF-8', false);
|
||||
$args->user_name = htmlspecialchars($args->user_name, ENT_COMPAT | ENT_HTML401, 'UTF-8', false);
|
||||
$args->nick_name = htmlspecialchars($args->nick_name, ENT_COMPAT | ENT_HTML401, 'UTF-8', false);
|
||||
$args->homepage = htmlspecialchars($args->homepage, ENT_COMPAT | ENT_HTML401, 'UTF-8', false);
|
||||
$args->blog = htmlspecialchars($args->blog, ENT_COMPAT | ENT_HTML401, 'UTF-8', false);
|
||||
$args->user_id = escape($args->user_id, false);
|
||||
$args->user_name = escape($args->user_name, false);
|
||||
$args->nick_name = escape($args->nick_name, false);
|
||||
$args->homepage = escape($args->homepage, false);
|
||||
$args->blog = escape($args->blog, false);
|
||||
if($args->homepage && !preg_match("/^[a-z]+:\/\//i",$args->homepage)) $args->homepage = 'http://'.$args->homepage;
|
||||
if($args->blog && !preg_match("/^[a-z]+:\/\//i",$args->blog)) $args->blog = 'http://'.$args->blog;
|
||||
|
||||
|
|
@ -2650,11 +2650,11 @@ class memberController extends member
|
|||
}
|
||||
|
||||
// Sanitize user ID, username, nickname, homepage, blog
|
||||
if($args->user_id) $args->user_id = htmlspecialchars($args->user_id, ENT_COMPAT | ENT_HTML401, 'UTF-8', false);
|
||||
$args->user_name = htmlspecialchars($args->user_name, ENT_COMPAT | ENT_HTML401, 'UTF-8', false);
|
||||
$args->nick_name = htmlspecialchars($args->nick_name, ENT_COMPAT | ENT_HTML401, 'UTF-8', false);
|
||||
$args->homepage = htmlspecialchars($args->homepage, ENT_COMPAT | ENT_HTML401, 'UTF-8', false);
|
||||
$args->blog = htmlspecialchars($args->blog, ENT_COMPAT | ENT_HTML401, 'UTF-8', false);
|
||||
if($args->user_id) $args->user_id = escape($args->user_id, false);
|
||||
$args->user_name = escape($args->user_name, false);
|
||||
$args->nick_name = escape($args->nick_name, false);
|
||||
$args->homepage = escape($args->homepage, false);
|
||||
$args->blog = escape($args->blog, false);
|
||||
if($args->homepage && !preg_match("/^[a-z]+:\/\//is",$args->homepage)) $args->homepage = 'http://'.$args->homepage;
|
||||
if($args->blog && !preg_match("/^[a-z]+:\/\//is",$args->blog)) $args->blog = 'http://'.$args->blog;
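Review bot: The five `escape(..., false)` assignments HTML-encode member fields before they are persisted, and the two `preg_match("/^[a-z]+:\/\//i", …)` checks directly after them only require some scheme followed by `://` before homepage/blog is accepted as a link; since the memberModel hunks in this commit pass these values to addMemberPopupMenu as link targets, an allow-list such as `if($args->homepage && !preg_match('#^https?://#i', $args->homepage)) $args->homepage = 'http://'.$args->homepage;` would be the tighter check. The same pair of checks is repeated in the second hunk and should change together. Both hunks sit inside methods that begin and end outside the hunk.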
|
||||
|
||||
|
|
|
|||
|
|
@ -178,7 +178,7 @@ class memberModel extends member
|
|||
$oCommunicationModel = getModel('communication');
|
||||
if($logged_info->is_admin == 'Y' || $oCommunicationModel->isFriend($member_info->member_srl))
|
||||
{
|
||||
$url = 'mailto:'.htmlspecialchars($member_info->email_address, ENT_COMPAT | ENT_HTML401, 'UTF-8', false);
|
||||
$url = 'mailto:'.escape($member_info->email_address);
|
||||
$oMemberController->addMemberPopupMenu($url,'cmd_send_email',$icon_path);
|
||||
}
|
||||
}
|
||||
|
|
@ -210,13 +210,13 @@ class memberModel extends member
|
|||
// View homepage info
|
||||
if($member_info->homepage && $homepage_is_public)
|
||||
{
|
||||
$oMemberController->addMemberPopupMenu(htmlspecialchars($member_info->homepage, ENT_COMPAT | ENT_HTML401, 'UTF-8', false), 'homepage', '', 'blank');
|
||||
$oMemberController->addMemberPopupMenu(escape($member_info->homepage, false), 'homepage', '', 'blank');
|
||||
}
|
||||
|
||||
// View blog info
|
||||
if($member_info->blog && $blog_is_public)
|
||||
{
|
||||
$oMemberController->addMemberPopupMenu(htmlspecialchars($member_info->blog, ENT_COMPAT | ENT_HTML401, 'UTF-8', false), 'blog', '', 'blank');
|
||||
$oMemberController->addMemberPopupMenu(escape($member_info->blog, false), 'blog', '', 'blank');
|
||||
}
|
||||
|
||||
// Call a trigger (after)
|
||||
|
|
|
|||
|
|
@ -1056,7 +1056,7 @@ class moduleController extends module
|
|||
}
|
||||
}
|
||||
|
||||
$output = preg_replace_callback('!\$user_lang->([a-z0-9\_]+)!is', function($matches) use($lang) {
|
||||
$output = preg_replace_callback('/(?<!value=")\$user_lang-(?:>|>)([a-z0-9\_]+)/is', function($matches) use($lang) {
|
||||
if(isset($lang[$matches[1]]) && !Context::get($matches[1]))
|
||||
{
|
||||
return $lang[$matches[1]];
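Review bot: The new pattern's negative lookbehind `(?<!value=")` skips `$user_lang->` tokens only when they directly follow `value="`; tokens inside other attributes (`title="`, `placeholder="`, a single-quoted `value='`) are still replaced, and `return $lang[$matches[1]];` inserts the lang text raw, so a lang string containing a quote would end that attribute. The second alternative in `(?:>|…)` appears to be an entity-encoded `>` that this page renders as a plain `>`, so it cannot be verified here. Consider escaping the substituted text for the context it lands in, or add a comment on the preg_replace_callback line stating which contexts the lookbehind is meant to protect; the callback's other branches and the enclosing method lie outside the hunk.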
|
||||
|
|
|
|||
|
|
@ -26,7 +26,7 @@
|
|||
<option loop="$lang->search_target_list => $key,$val" value="{$key}" selected="selected"|cond="$search_target==$key">{$val}</option>
|
||||
</select>
|
||||
<span class="x_input-append">
|
||||
<input type="search" required name="search_keyword" required value="{htmlspecialchars($search_keyword, ENT_COMPAT | ENT_HTML401, 'UTF-8', false)}" title="{$lang->cmd_search}" style="width:100px" />
|
||||
<input type="search" required name="search_keyword" required value="{escape($search_keyword, false)}" title="{$lang->cmd_search}" style="width:100px" />
|
||||
<button type="submit" class="x_btn x_btn-inverse">{$lang->cmd_search}</button>
|
||||
<a href="{getUrl('','module',$module,'act',$act)}" class="x_btn">{$lang->cmd_cancel}</a>
|
||||
</span>
|
||||
|
|
@ -129,7 +129,7 @@
|
|||
<option loop="$lang->search_target_list => $key,$val" value="{$key}" selected="selected"|cond="$search_target==$key">{$val}</option>
|
||||
</select>
|
||||
<span class="x_input-append">
|
||||
<input type="search" name="search_keyword" required value="{htmlspecialchars($search_keyword, ENT_COMPAT | ENT_HTML401, 'UTF-8', false)}" title="{$lang->cmd_search}" style="width:100px" />
|
||||
<input type="search" name="search_keyword" required value="{escape($search_keyword, false)}" title="{$lang->cmd_search}" style="width:100px" />
|
||||
<button type="submit" class="x_btn x_btn-inverse">{$lang->cmd_search}</button>
|
||||
<a href="{getUrl('','module',$module,'act',$act)}" class="x_btn">{$lang->cmd_cancel}</a>
|
||||
</span>
|
||||
|
|
|
|||