Use escape more consistently

여기저기 htmlspecialchars가 들어 있는 것을 escape로 통일
Kijin Sung 2018-10-10 15:07:51 +09:00
parent d63da57045
commit c54fa8dab1
14 changed files with 44 additions and 45 deletions


@ -794,7 +794,7 @@ class Context
return ''; return '';
} }
getController('module')->replaceDefinedLangCode(self::$_instance->browser_title); getController('module')->replaceDefinedLangCode(self::$_instance->browser_title);
return htmlspecialchars(self::$_instance->browser_title, ENT_COMPAT | ENT_HTML401, 'UTF-8', FALSE); return htmlspecialchars(self::$_instance->browser_title, ENT_QUOTES, 'UTF-8', FALSE);
} }
/** /**
@ -1733,7 +1733,7 @@ class Context
if(!$autoEncode) if(!$autoEncode)
{ {
return htmlspecialchars($query, ENT_COMPAT | ENT_HTML401, 'UTF-8', FALSE); return htmlspecialchars($query, ENT_QUOTES, 'UTF-8', FALSE);
} }
$output = array(); $output = array();
@ -1749,7 +1749,7 @@ class Context
$encode_queries[] = $key . '=' . $value; $encode_queries[] = $key . '=' . $value;
} }
return htmlspecialchars($parsedUrl['path'] . '?' . join('&', $encode_queries), ENT_COMPAT | ENT_HTML401, 'UTF-8', FALSE); return htmlspecialchars($parsedUrl['path'] . '?' . join('&', $encode_queries), ENT_QUOTES, 'UTF-8', FALSE);
} }
/** /**
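Review bot: The three htmlspecialchars() calls in the Context hunks (the browser-title return and the two query-string returns) still omit ENT_SUBSTITUTE, so input that is not valid UTF-8 makes the call return an empty string and the title or URL silently vanishes; `htmlspecialchars(self::$_instance->browser_title, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8', FALSE)` (and the same flag on the other two) keeps the value instead of dropping it. These sites also keep calling htmlspecialchars directly with a flag set (ENT_QUOTES) that differs from the escape() helper the rest of the commit standardises on; if that is intentional, a one-line comment at the first site stating why ENT_QUOTES is needed here would stop the next reader from "fixing" it back. The enclosing methods start and end outside the hunks.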


@ -209,7 +209,7 @@ class ExtraItem
{ {
$value = 'http://' . $value; $value = 'http://' . $value;
} }
return htmlspecialchars($value, ENT_COMPAT | ENT_HTML401, 'UTF-8', false); return escape($value, false);
case 'tel' : case 'tel' :
if(is_array($value)) if(is_array($value))
@ -232,7 +232,7 @@ class ExtraItem
$values = array_values($values); $values = array_values($values);
for($i = 0, $c = count($values); $i < $c; $i++) for($i = 0, $c = count($values); $i < $c; $i++)
{ {
$values[$i] = trim(htmlspecialchars($values[$i], ENT_COMPAT | ENT_HTML401, 'UTF-8', false)); $values[$i] = trim(escape($values[$i], false));
} }
return $values; return $values;
@ -259,7 +259,7 @@ class ExtraItem
$values = array_values($values); $values = array_values($values);
for($i = 0, $c = count($values); $i < $c; $i++) for($i = 0, $c = count($values); $i < $c; $i++)
{ {
$values[$i] = trim(htmlspecialchars($values[$i], ENT_COMPAT | ENT_HTML401, 'UTF-8', false)); $values[$i] = trim(escape($values[$i], false));
} }
return $values; return $values;
@ -280,7 +280,7 @@ class ExtraItem
$values = array_values($values); $values = array_values($values);
for($i = 0, $c = count($values); $i < $c; $i++) for($i = 0, $c = count($values); $i < $c; $i++)
{ {
$values[$i] = trim(htmlspecialchars($values[$i], ENT_COMPAT | ENT_HTML401, 'UTF-8', false)); $values[$i] = trim(escape($values[$i], false));
} }
return $values; return $values;
@ -290,7 +290,7 @@ class ExtraItem
//case 'textarea' : //case 'textarea' :
//case 'password' : //case 'password' :
default : default :
return htmlspecialchars($value, ENT_COMPAT | ENT_HTML401, 'UTF-8', false); return escape($value, false);
} }
} }
@ -404,7 +404,7 @@ class ExtraItem
// Temporary ID for labeling // Temporary ID for labeling
$tmp_id = $column_name . '-' . $id_num++; $tmp_id = $column_name . '-' . $id_num++;
$buff[] =' <li><input type="checkbox" name="' . $column_name . '[]" id="' . $tmp_id . '" value="' . htmlspecialchars($v, ENT_COMPAT | ENT_HTML401, 'UTF-8', false) . '" ' . $checked . ' /><label for="' . $tmp_id . '">' . $v . '</label></li>'; $buff[] =' <li><input type="checkbox" name="' . $column_name . '[]" id="' . $tmp_id . '" value="' . escape($v, false) . '" ' . $checked . ' /><label for="' . $tmp_id . '">' . $v . '</label></li>';
} }
$buff[] = '</ul>'; $buff[] = '</ul>';
break; break;
@ -485,7 +485,7 @@ class ExtraItem
{ {
$oModuleController = getController('module'); $oModuleController = getController('module');
$oModuleController->replaceDefinedLangCode($this->desc); $oModuleController->replaceDefinedLangCode($this->desc);
$buff[] = '<p>' . htmlspecialchars($this->desc, ENT_COMPAT | ENT_HTML401, 'UTF-8', false) . '</p>'; $buff[] = '<p>' . escape($this->desc, false) . '</p>';
} }
return join(PHP_EOL, $buff); return join(PHP_EOL, $buff);
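Review bot: In the checkbox-rendering hunk the same `$v` is escaped inside the value attribute but concatenated raw into the label text (`'<label for="' . $tmp_id . '">' . $v . '</label>'`), so the two halves of one `<li>` treat the value differently; `'<label for="' . $tmp_id . '">' . escape($v, false) . '</label>'` makes them agree. The other hunks in this file escape at validation time with a second argument of `false`, which presumably maps to htmlspecialchars' double_encode; a short comment on the first such site saying that stored values may already contain entities would document why `false` is chosen there. The enclosing methods start and end outside the hunks.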


@ -115,7 +115,7 @@ class Security
{ {
if(strncmp('$user_lang->', $var, 12) !== 0) if(strncmp('$user_lang->', $var, 12) !== 0)
{ {
$var = htmlspecialchars($var, ENT_COMPAT | ENT_HTML401, 'UTF-8', false); $var = escape($var, false);
} }
return $var; return $var;
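Review bot: The `strncmp('$user_lang->', $var, 12)` exemption skips escaping for the whole string whenever it merely begins with that prefix, not only when it consists of a single `$user_lang->name` token; whether the remainder of such a value is escaped somewhere later is not visible here. Restricting the exemption to a full-token match, e.g. `if(!preg_match('/^\$user_lang->[a-z0-9_]+$/i', $var))`, keeps the lang-code passthrough without widening what bypasses escape(). The enclosing function starts outside the hunk.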


@ -327,7 +327,7 @@ class TemplateHandler
{ {
preg_match('/<input[^>]*name="error_return_url"[^>]*>/is', $matches[2], $m3); preg_match('/<input[^>]*name="error_return_url"[^>]*>/is', $matches[2], $m3);
if(!$m3[0]) if(!$m3[0])
$matches[2] = '<input type="hidden" name="error_return_url" value="<?php echo htmlspecialchars(getRequestUriByServerEnviroment(), ENT_COMPAT | ENT_HTML401, \'UTF-8\', false) ?>" />' . $matches[2]; $matches[2] = '<input type="hidden" name="error_return_url" value="<?php echo escape(getRequestUriByServerEnviroment(), false); ?>" />' . $matches[2];
} }
else else
{ {
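Review bot: The generated `error_return_url` hidden input escapes the current request URI with double-encoding disabled (`escape(getRequestUriByServerEnviroment(), false)`, assuming the second argument maps to htmlspecialchars' double_encode as the one-for-one replacements elsewhere in this commit suggest), so a URI that already contains `&amp;` is left as is and is posted back by the browser as `&`; for a value that is only stored and round-tripped, the default (`escape(getRequestUriByServerEnviroment())`) preserves it byte-for-byte. Unrelated to the change but in the same hunk, `if(!$m3[0])` reads index 0 of an array that preg_match leaves empty when nothing matches; `if(empty($m3))` avoids the notice. The enclosing method starts and ends outside the hunk.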


@ -51,8 +51,8 @@
<td> <td>
<a href="{getUrl('act', 'dispAddonAdminSetup', 'selected_addon', $addon->addon_name)}">{$lang->cmd_setup}</a> <a href="{getUrl('act', 'dispAddonAdminSetup', 'selected_addon', $addon->addon_name)}">{$lang->cmd_setup}</a>
</td> </td>
<td><input type="checkbox" name="pc_on[]" title="PC" value="{htmlspecialchars($addon->addon_name, ENT_COMPAT | ENT_HTML401, 'UTF-8', false)}" checked="checked"|cond="$addon->activated && !$addon->isBlacklisted" disabled="disabled"|cond="$addon->isBlacklisted" /></td> <td><input type="checkbox" name="pc_on[]" title="PC" value="{escape($addon->addon_name, false)}" checked="checked"|cond="$addon->activated && !$addon->isBlacklisted" disabled="disabled"|cond="$addon->isBlacklisted" /></td>
<td><input type="checkbox" name="mobile_on[]" title="Mobile" value="{htmlspecialchars($addon->addon_name, ENT_COMPAT | ENT_HTML401, 'UTF-8', false)}" checked="checked"|cond="$addon->mactivated && !$addon->isBlacklisted" disabled="disabled"|cond="$addon->isBlacklisted" /></td> <td><input type="checkbox" name="mobile_on[]" title="Mobile" value="{escape($addon->addon_name, false)}" checked="checked"|cond="$addon->mactivated && !$addon->isBlacklisted" disabled="disabled"|cond="$addon->isBlacklisted" /></td>
<td><a cond="$addon->remove_url" href="{$addon->remove_url}&amp;return_url={urlencode(getRequestUriByServerEnviroment())}">{$lang->cmd_delete}</a></td> <td><a cond="$addon->remove_url" href="{$addon->remove_url}&amp;return_url={urlencode(getRequestUriByServerEnviroment())}">{$lang->cmd_delete}</a></td>
</tr> </tr>
</tbody> </tbody>
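Review bot: The template hunks in this commit do not agree on escape()'s second argument: this file, the config template at `@ -43,8 +43,8 @@` and the two search-form hunks pass `false`, while the near-identical config template at `@ -55,8 +55,8 @@` and the editor autosave hunk (`{escape($saved_doc->title)}`) omit it, so the same stored value renders as `&amp;` in one form field and `&amp;amp;` in the other if it already contains an entity. Pick one convention for values re-displayed in form fields and apply it to all of them; `{escape($var->value, false)}` in both config templates would at least make the two twins agree. Where a file carries `<config autoescape="on" />`, the explicit escape() is applied on top of the engine's own escaping and should be dropped there instead of tuned.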


@ -55,8 +55,8 @@
<div class="x_control-group"> <div class="x_control-group">
<label class="x_control-label" for="{$var->name}"|cond="$var->type != 'textarea'" for="lang_{$var->name}"|cond="$var->type == 'textarea'">{$var->title}</label> <label class="x_control-label" for="{$var->name}"|cond="$var->type != 'textarea'" for="lang_{$var->name}"|cond="$var->type == 'textarea'">{$var->title}</label>
<div class="x_controls"> <div class="x_controls">
<input cond="$var->type == 'text'" type="text" name="{$var->name}" id="{$var->name}" value="{htmlspecialchars($var->value, ENT_COMPAT | ENT_HTML401, 'UTF-8', false)}"> <input cond="$var->type == 'text'" type="text" name="{$var->name}" id="{$var->name}" value="{escape($var->value)}">
<textarea cond="$var->type == 'textarea'" name="{$var->name}" id="{$var->name}" class="lang_code" rows="8" cols="42">{htmlspecialchars($var->value, ENT_COMPAT | ENT_HTML401, 'UTF-8', false)}</textarea> <textarea cond="$var->type == 'textarea'" name="{$var->name}" id="{$var->name}" class="lang_code" rows="8" cols="42">{escape($var->value)}</textarea>
<select cond="$var->type == 'select'" name="{$var->name}" id="{$var->name}"> <select cond="$var->type == 'select'" name="{$var->name}" id="{$var->name}">
<option loop="$var->options => $option" value="{$option->value}" selected="selected"|cond="$var->value == $option->value">{$option->title}</option> <option loop="$var->options => $option" value="{$option->value}" selected="selected"|cond="$var->value == $option->value">{$option->title}</option>
</select> </select>


@ -1,10 +1,12 @@
<config autoescape="on" />
</div> </div>
<!-- /BODY --> <!-- /BODY -->
<footer class="footer" cond="$this->user->isAdmin()"> <footer class="footer" cond="$this->user->isAdmin()">
<p class="power"> <p class="power">
Powered by <strong>Rhymix {__XE_VERSION__}</strong> Powered by <strong>Rhymix {\RX_VERSION}</strong>
<!--@if(isset($released_version))--> <!--@if(isset($released_version))-->
<span class="vr">|</span> Latest version: <a href="{htmlspecialchars(html_entity_decode($download_link), ENT_COMPAT | ENT_HTML401, 'UTF-8', false)}" target="_blank">{$released_version}</a> <span class="vr">|</span> Latest version: <a href="{$download_link}" target="_blank">{$released_version}</a>
<!--@end--> <!--@end-->
</p> </p>
<p class="cache"> <p class="cache">
@ -18,4 +20,3 @@
</footer> </footer>
</div> </div>
<load target="./js/config.js" /> <load target="./js/config.js" />
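Review bot: Adding `<config autoescape="on" />` at the top of this file changes how every `{...}` expression in it is rendered, including the second hunk and the lines between the hunks that this change does not touch; any expression there that intentionally emits markup will now print as text, so the whole file needs a pass rather than just the `{$download_link}` line. The removed `html_entity_decode($download_link)` also suggests the value can arrive entity-encoded; if so, autoescape now turns `&amp;` into `&amp;amp;`, and decoding it where `$download_link` is assigned would keep the link intact.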


@ -66,7 +66,7 @@ class communicationController extends communication
throw new Rhymix\Framework\Exception('msg_not_exists_member'); throw new Rhymix\Framework\Exception('msg_not_exists_member');
} }
$title = trim(Context::get('title')); $title = trim(escape(Context::get('title')));
if(!$title) if(!$title)
{ {
throw new Rhymix\Framework\Exception('msg_title_is_null'); throw new Rhymix\Framework\Exception('msg_title_is_null');
@ -174,7 +174,7 @@ class communicationController extends communication
function sendMessage($sender_srl, $receiver_srl, $title, $content, $sender_log = TRUE) function sendMessage($sender_srl, $receiver_srl, $title, $content, $sender_log = TRUE)
{ {
// Encode the title and content. // Encode the title and content.
$title = htmlspecialchars($title, ENT_COMPAT | ENT_HTML401, 'UTF-8', false); $title = escape($title, false);
$content = removeHackTag($content); $content = removeHackTag($content);
$title = utf8_mbencode($title); $title = utf8_mbencode($title);
$content = utf8_mbencode($content); $content = utf8_mbencode($content);
@ -659,8 +659,7 @@ class communicationController extends communication
$args = new stdClass(); $args = new stdClass();
$args->friend_group_srl = trim(Context::get('friend_group_srl')); $args->friend_group_srl = trim(Context::get('friend_group_srl'));
$args->member_srl = $logged_info->member_srl; $args->member_srl = $logged_info->member_srl;
$args->title = Context::get('title'); $args->title = escape(Context::get('title'));
$args->title = htmlspecialchars($args->title, ENT_COMPAT | ENT_HTML401, 'UTF-8', false);
if(!$args->title) if(!$args->title)
{ {
@ -735,8 +734,7 @@ class communicationController extends communication
$args = new stdClass(); $args = new stdClass();
$args->friend_group_srl = Context::get('friend_group_srl'); $args->friend_group_srl = Context::get('friend_group_srl');
$args->member_srl = $logged_info->member_srl; $args->member_srl = $logged_info->member_srl;
$args->title = Context::get('title'); $args->title = escape(Context::get('title'));
$args->title = htmlspecialchars($args->title, ENT_COMPAT | ENT_HTML401, 'UTF-8', false);
if(!$args->title) if(!$args->title)
{ {
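Review bot: The message title is escaped twice along what is presumably the send path: once where it is read from the request (`trim(escape(Context::get('title')))`) with escape()'s default second argument, and again in sendMessage() with `escape($title, false)`; because the two calls use different double-encoding settings, what is stored depends on which caller the title arrived through. Escaping once in sendMessage(), where callers converge, and leaving the request handler to trim and validate (`$title = trim(Context::get('title'));`) removes the ambiguity. The two friend-group hunks (`$args->title = escape(Context::get('title'));`) likewise drop the `false` that the member and message hunks keep; if that is deliberate, a comment should say so. The enclosing methods start and end outside the hunks.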


@ -30,8 +30,8 @@ var auto_saved_msg = "{$lang->msg_auto_saved}";
<!--@endif--> <!--@endif-->
<!--@if($enable_autosave)--> <!--@if($enable_autosave)-->
<input type="hidden" name="_saved_doc_title" value="{htmlspecialchars($saved_doc->title, ENT_COMPAT | ENT_HTML401, 'UTF-8', false)}" /> <input type="hidden" name="_saved_doc_title" value="{escape($saved_doc->title)}" />
<input type="hidden" name="_saved_doc_content" value="{htmlspecialchars($saved_doc->content, ENT_COMPAT | ENT_HTML401, 'UTF-8', false)}" /> <input type="hidden" name="_saved_doc_content" value="{escape($saved_doc->content)}" />
<input type="hidden" name="_saved_doc_document_srl" value="{$saved_doc->document_srl}" /> <input type="hidden" name="_saved_doc_document_srl" value="{$saved_doc->document_srl}" />
<input type="hidden" name="_saved_doc_message" value="{$lang->msg_load_saved_doc}" /> <input type="hidden" name="_saved_doc_message" value="{$lang->msg_load_saved_doc}" />
<!--@end--> <!--@end-->


@ -43,8 +43,8 @@
<div class="x_control-group"> <div class="x_control-group">
<label class="x_control-label" for="{$var->name}"|cond="$var->type != 'textarea'" for="lang_{$var->name}"|cond="$var->type == 'textarea'">{$var->title}</label> <label class="x_control-label" for="{$var->name}"|cond="$var->type != 'textarea'" for="lang_{$var->name}"|cond="$var->type == 'textarea'">{$var->title}</label>
<div class="x_controls"> <div class="x_controls">
<input cond="$var->type == 'text'" type="text" name="{$var->name}" id="{$var->name}" value="{htmlspecialchars($var->value, ENT_COMPAT | ENT_HTML401, 'UTF-8', false)}"> <input cond="$var->type == 'text'" type="text" name="{$var->name}" id="{$var->name}" value="{escape($var->value, false)}">
<textarea cond="$var->type == 'textarea'" name="{$var->name}" id="{$var->name}" rows="8" cols="42">{htmlspecialchars($var->value, ENT_COMPAT | ENT_HTML401, 'UTF-8', false)}</textarea> <textarea cond="$var->type == 'textarea'" name="{$var->name}" id="{$var->name}" rows="8" cols="42">{escape($var->value, false)}</textarea>
<select cond="$var->type == 'select'" name="{$var->name}" id="{$var->name}"> <select cond="$var->type == 'select'" name="{$var->name}" id="{$var->name}">
<option loop="$var->options => $option" value="{$option->value}" selected="selected"|cond="$var->value == $option->value">{$option->title}</option> <option loop="$var->options => $option" value="{$option->value}" selected="selected"|cond="$var->value == $option->value">{$option->title}</option>
</select> </select>


@ -2417,11 +2417,11 @@ class memberController extends member
list($args->email_id, $args->email_host) = explode('@', $args->email_address); list($args->email_id, $args->email_host) = explode('@', $args->email_address);
// Sanitize user ID, username, nickname, homepage, blog // Sanitize user ID, username, nickname, homepage, blog
$args->user_id = htmlspecialchars($args->user_id, ENT_COMPAT | ENT_HTML401, 'UTF-8', false); $args->user_id = escape($args->user_id, false);
$args->user_name = htmlspecialchars($args->user_name, ENT_COMPAT | ENT_HTML401, 'UTF-8', false); $args->user_name = escape($args->user_name, false);
$args->nick_name = htmlspecialchars($args->nick_name, ENT_COMPAT | ENT_HTML401, 'UTF-8', false); $args->nick_name = escape($args->nick_name, false);
$args->homepage = htmlspecialchars($args->homepage, ENT_COMPAT | ENT_HTML401, 'UTF-8', false); $args->homepage = escape($args->homepage, false);
$args->blog = htmlspecialchars($args->blog, ENT_COMPAT | ENT_HTML401, 'UTF-8', false); $args->blog = escape($args->blog, false);
if($args->homepage && !preg_match("/^[a-z]+:\/\//i",$args->homepage)) $args->homepage = 'http://'.$args->homepage; if($args->homepage && !preg_match("/^[a-z]+:\/\//i",$args->homepage)) $args->homepage = 'http://'.$args->homepage;
if($args->blog && !preg_match("/^[a-z]+:\/\//i",$args->blog)) $args->blog = 'http://'.$args->blog; if($args->blog && !preg_match("/^[a-z]+:\/\//i",$args->blog)) $args->blog = 'http://'.$args->blog;
@ -2650,11 +2650,11 @@ class memberController extends member
} }
// Sanitize user ID, username, nickname, homepage, blog // Sanitize user ID, username, nickname, homepage, blog
if($args->user_id) $args->user_id = htmlspecialchars($args->user_id, ENT_COMPAT | ENT_HTML401, 'UTF-8', false); if($args->user_id) $args->user_id = escape($args->user_id, false);
$args->user_name = htmlspecialchars($args->user_name, ENT_COMPAT | ENT_HTML401, 'UTF-8', false); $args->user_name = escape($args->user_name, false);
$args->nick_name = htmlspecialchars($args->nick_name, ENT_COMPAT | ENT_HTML401, 'UTF-8', false); $args->nick_name = escape($args->nick_name, false);
$args->homepage = htmlspecialchars($args->homepage, ENT_COMPAT | ENT_HTML401, 'UTF-8', false); $args->homepage = escape($args->homepage, false);
$args->blog = htmlspecialchars($args->blog, ENT_COMPAT | ENT_HTML401, 'UTF-8', false); $args->blog = escape($args->blog, false);
if($args->homepage && !preg_match("/^[a-z]+:\/\//is",$args->homepage)) $args->homepage = 'http://'.$args->homepage; if($args->homepage && !preg_match("/^[a-z]+:\/\//is",$args->homepage)) $args->homepage = 'http://'.$args->homepage;
if($args->blog && !preg_match("/^[a-z]+:\/\//is",$args->blog)) $args->blog = 'http://'.$args->blog; if($args->blog && !preg_match("/^[a-z]+:\/\//is",$args->blog)) $args->blog = 'http://'.$args->blog;
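Review bot: escape() is applied to homepage and blog before the scheme check, but that check (`preg_match("/^[a-z]+:\/\//i", $args->homepage)`) only confirms that some `scheme://` prefix exists and never restricts which scheme; HTML-escaping is not URL validation, and the memberModel hunks later hand these stored values to addMemberPopupMenu() as link targets. An explicit allow-list of accepted schemes (http/https) with rejection of anything else, documented in the `// Sanitize ...` comment, would make the intent of this block clear in both hunks. Minor: the second hunk's patterns carry an extra `s` modifier (`/is`) that does nothing without `.`; the two hunks should use the same pattern. The enclosing methods start and end outside the hunks.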


@ -178,7 +178,7 @@ class memberModel extends member
$oCommunicationModel = getModel('communication'); $oCommunicationModel = getModel('communication');
if($logged_info->is_admin == 'Y' || $oCommunicationModel->isFriend($member_info->member_srl)) if($logged_info->is_admin == 'Y' || $oCommunicationModel->isFriend($member_info->member_srl))
{ {
$url = 'mailto:'.htmlspecialchars($member_info->email_address, ENT_COMPAT | ENT_HTML401, 'UTF-8', false); $url = 'mailto:'.escape($member_info->email_address);
$oMemberController->addMemberPopupMenu($url,'cmd_send_email',$icon_path); $oMemberController->addMemberPopupMenu($url,'cmd_send_email',$icon_path);
} }
} }
@ -210,13 +210,13 @@ class memberModel extends member
// View homepage info // View homepage info
if($member_info->homepage && $homepage_is_public) if($member_info->homepage && $homepage_is_public)
{ {
$oMemberController->addMemberPopupMenu(htmlspecialchars($member_info->homepage, ENT_COMPAT | ENT_HTML401, 'UTF-8', false), 'homepage', '', 'blank'); $oMemberController->addMemberPopupMenu(escape($member_info->homepage, false), 'homepage', '', 'blank');
} }
// View blog info // View blog info
if($member_info->blog && $blog_is_public) if($member_info->blog && $blog_is_public)
{ {
$oMemberController->addMemberPopupMenu(htmlspecialchars($member_info->blog, ENT_COMPAT | ENT_HTML401, 'UTF-8', false), 'blog', '', 'blank'); $oMemberController->addMemberPopupMenu(escape($member_info->blog, false), 'blog', '', 'blank');
} }
// Call a trigger (after) // Call a trigger (after)
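Review bot: Within the same method the email address is escaped with escape()'s default second argument (`'mailto:'.escape($member_info->email_address)`) while homepage and blog use `escape(..., false)`; the memberController hunks appear to store homepage and blog already escaped with `false`, so `false` here avoids double-encoding stored entities, and the email line should either use the same argument or carry a comment explaining why it differs. Separately, these values reach addMemberPopupMenu() already HTML-escaped; if that method or the template rendering the menu escapes again, an `&` in a URL becomes `&amp;amp;`, which is worth checking rather than assuming. The enclosing method starts and ends outside the hunks.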


@ -1056,7 +1056,7 @@ class moduleController extends module
} }
} }
$output = preg_replace_callback('!\$user_lang->([a-z0-9\_]+)!is', function($matches) use($lang) { $output = preg_replace_callback('/(?<!value=")\$user_lang-(?:>|&gt;)([a-z0-9\_]+)/is', function($matches) use($lang) {
if(isset($lang[$matches[1]]) && !Context::get($matches[1])) if(isset($lang[$matches[1]]) && !Context::get($matches[1]))
{ {
return $lang[$matches[1]]; return $lang[$matches[1]];
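Review bot: The new lookbehind `(?<!value=")` only suppresses substitution when the token immediately follows `value="`; a token preceded by other text inside the same attribute, a single-quoted `value='`, or whitespace after the quote is still replaced, so the exclusion is a narrow heuristic rather than a rule. The alternation `(?:>|&gt;)` also means tokens that were already HTML-escaped are now rewritten, inserting `$lang[...]` into content that was escaped before this pass; whether the `$lang` values are themselves escaped is not visible here and should be confirmed. A comment above the preg_replace_callback stating what the `value="` exclusion protects (presumably form fields that must display the literal code) would help the next reader, and the `s` modifier can go because the pattern contains no `.`. The enclosing method starts and ends outside the hunk.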


@ -26,7 +26,7 @@
<option loop="$lang->search_target_list => $key,$val" value="{$key}" selected="selected"|cond="$search_target==$key">{$val}</option> <option loop="$lang->search_target_list => $key,$val" value="{$key}" selected="selected"|cond="$search_target==$key">{$val}</option>
</select> </select>
<span class="x_input-append"> <span class="x_input-append">
<input type="search" required name="search_keyword" required value="{htmlspecialchars($search_keyword, ENT_COMPAT | ENT_HTML401, 'UTF-8', false)}" title="{$lang->cmd_search}" style="width:100px" /> <input type="search" required name="search_keyword" required value="{escape($search_keyword, false)}" title="{$lang->cmd_search}" style="width:100px" />
<button type="submit" class="x_btn x_btn-inverse">{$lang->cmd_search}</button> <button type="submit" class="x_btn x_btn-inverse">{$lang->cmd_search}</button>
<a href="{getUrl('','module',$module,'act',$act)}" class="x_btn">{$lang->cmd_cancel}</a> <a href="{getUrl('','module',$module,'act',$act)}" class="x_btn">{$lang->cmd_cancel}</a>
</span> </span>
@ -129,7 +129,7 @@
<option loop="$lang->search_target_list => $key,$val" value="{$key}" selected="selected"|cond="$search_target==$key">{$val}</option> <option loop="$lang->search_target_list => $key,$val" value="{$key}" selected="selected"|cond="$search_target==$key">{$val}</option>
</select> </select>
<span class="x_input-append"> <span class="x_input-append">
<input type="search" name="search_keyword" required value="{htmlspecialchars($search_keyword, ENT_COMPAT | ENT_HTML401, 'UTF-8', false)}" title="{$lang->cmd_search}" style="width:100px" /> <input type="search" name="search_keyword" required value="{escape($search_keyword, false)}" title="{$lang->cmd_search}" style="width:100px" />
<button type="submit" class="x_btn x_btn-inverse">{$lang->cmd_search}</button> <button type="submit" class="x_btn x_btn-inverse">{$lang->cmd_search}</button>
<a href="{getUrl('','module',$module,'act',$act)}" class="x_btn">{$lang->cmd_cancel}</a> <a href="{getUrl('','module',$module,'act',$act)}" class="x_btn">{$lang->cmd_cancel}</a>
</span> </span>